A few weeks ago, Swedish security aficionado Dan Egerstad published a list that sent out some big shockwaves. Egerstad set up five The Onion Router (Tor) exit nodes around the world, put them online for the public to use, and then sniffed traffic as it left those exit nodes to look for credentials used for POP3 and IMAP traffic. When his adventure was over, Egerstad wound up with a lengthy list of logon names and passwords for high-profile mailboxes, including credentials that belong to workers at various embassies, consulates, large American companies, and even the offices of the Dalai Lama.

In case you aren't familiar with Tor, it's basically a network of independently operated servers that work together to provide an encrypted VPN. Traffic sent through Tor is moved through at least three Tor servers in an ever-changing pattern. The premise is to provide some level of anonymity for Tor users so that they can disguise the origin of their traffic. Anyone can run a Tor server, and anyone can use the Tor network as a client.

As Egerstad's adventure reveals, many high-profile people use Tor without adequate knowledge of how it works, and thus they remain unaware of the overall risks. The Tor network does encrypt traffic, and it does make an attempt to randomize the route that the traffic takes along its way to its destination. Because traffic is encrypted as it moves through the Tor network, Tor server operators can't easily sniff traffic as it passes through their Tor server. However, the traffic must be decrypted before it's sent to its final destination; therefore Tor exit server operators can sniff traffic if it wasn't encrypted prior to being sent into the Tor network. Egerstad's adventure was designed to discover how many people don't encrypt traffic before sending it to the Tor network.

A similar experiment is conducted each year at the DEFCON security conference: Sniffers are used to capture the credentials of people who use the conference wireless network without adequate encryption. The results are then posted on the Wall of Sheep (sometimes also referred to as the Wall of Shame). One might think that administrators for embassies and consulates would be aware of the potential for people to sniff network traffic, but apparently they aren't as aware as they ought to be. Some are more aware now after being embarrassed by Egerstad's findings.

After Egerstad published his list of results on August 30 (at the URL below), his site was quickly shut down, apparently at the request of unnamed law enforcement agencies in the United States. Sometime during the following week, Egerstad's Web site went back online, and he then posted more details of his adventure. Included in the mix of information is the fact that there are plenty of suspicious Tor servers taking part in the overall Tor network, and that fact ought to give anyone using Tor some amount of pause.


The lesson to be learned from Egerstad's adventure is that all administrators should seriously consider implementing POP3 and IMAP over Secure Sockets Layer (SSL). Most email clients and servers support SSL connectivity, and there's little if any reason not to use it these days. Even if your users don't use Tor or other anonymizing tools (such as public proxy servers), it's still a good idea to use SSL--even on in-house networks, because the threat from company insiders is equal to the threat from those outside your company. And, with the increasing trend toward telecommuting, SSL is becoming even more important as a standard tool that can help guard your private communications.