Scientists Detect Two Dozen Computers Trying To Sabotage Tor Privacy Network
New submitter fynbar writes "Computer scientists have identified almost two dozen computers that were actively working to sabotage the Tor privacy network by carrying out attacks that can degrade encrypted connections between end users and the websites or servers they visit (PDF). 'Two of the 25 servers appeared to redirect traffic when end users attempted to visit pornography sites, leading the researchers to suspect they were carrying out censorship regimes required by the countries in which they operated. A third server suffered from what researchers said was a configuration error in the OpenDNS server. The remainder carried out so-called man-in-the-middle (MitM) attacks designed to degrade encrypted Web or SSH traffic to plaintext traffic. The servers did this by using the well-known sslstrip attack designed by researcher Moxie Marlinspike or another common MitM technique that converts unreadable HTTPS traffic into plaintext HTTP.'"
If only 24 "bad" computers can cause that big of an issue then the TOR network clearly has bigger problems.
I'm surprised that there were so few detected doing it.
"... almost two dozen computers that were actively...", "Two of the 25 servers... ".
Oh, they clear that up nicely - "Almost two dozen" is actually 25. Perhaps dozen is like gallon: different sizes in different countries.
yes, EFF's HTTPS Everywhere
Not sure if joking...
http://noscript.net/features#o...
https://www.eff.org/https-ever...
A lot of the sslstrip stuff is based on people not noticing the page has changed to insecure; modern browsers try to address that by making it more visible than it was in the pre-FF3 era, e.g.:
https://support.mozilla.org/en...
Climate Progress - Hell and High Water
HTTPS Everywhere doesn't stop you browsing HTTP sites; it just tries to redirect you to the HTTPS version of an HTTP site if it's available. Not saying it's not useful (just not quite what the OP was suggesting). There is a spin-off of HTTPS Everywhere, HTTP Nowhere, that might get the job done for Firefox. Not sure what happens with embedded crap like Flash etc. though, and AFAIK it's a global thing - there is no 'secure only' browsing window or anything like that.
https://addons.mozilla.org/En-us/firefox/addon/http-nowhere/
Another option might be squid (or another transparent proxy) which is configured to only allow HTTPS?
Every time you see a headline in the form of "Scientists discover new foo" you can pretty much stop reading right there. The author is most likely the sort of person that confuses science with wizardry and isn't very likely to produce an article of any real substance. You could actually just replace every instance of scientist with wizard and impart the same level of information.
Any sufficiently analysed magic is indistinguishable from technology.
Repeated attempts to destroy Tor's image to deter troublesome future widespread adoption of this privacy tool?
The mention in the article that there are only 1000 exit nodes generally available on TOR is kinda stunning.
That's 20 nodes per US state.
If that is it.... Then what is left of Freedom is in deep trouble.
Neither of these options will stop your browser from making a http connection!
HTTPS Everywhere does not force HTTPS, it tries to use it where it's available through URL rewriting rules.
The NoScript option prevents scripts from running on insecured sites, it does not stop your browser from loading the page in the first place.
Consider using a proxy that specifically blocks HTTP traffic or maybe a plugin like HTTP Nowhere mentioned in the post above.
Just set non-existent proxies, e.g. 127.0.0.1:12345, for all non-HTTPS protocols.
Sorry, but modern browsers don't really address that. The problem with the browser warnings is their definition of insecure. You only get warnings if there is something wrong with an encrypted https site like an invalid certificate. Using an unencrypted site is NOT seen as insecure as it would annoy users during most of their normal browsing sessions. The Blackhat presentation about sslstrip from Moxie explains very clearly what the problems are. You can view it at http://www.thoughtcrime.org/so...
I guess another option would be to use FoxyProxy and configure a nonexistent proxy "running" on 127.0.0.1 for all http traffic. If you already use FoxyProxy for other purposes, it means you don't even need to install additional software/extensions.
Sorry, but modern browsers don't really address that. The problem with the browser warnings is their definition of insecure. You only get warnings if there is something wrong with an encrypted https site like an invalid certificate. Using an unencrypted site is NOT seen as insecure as it would annoy users during most of their normal browsing sessions.
Indeed, it drives me nuts that a self-signed SSL cert makes users jump through about 47 hoops to bypass, but right now I'm posting this form on Slashdot without any authentication or encryption at all and the browser is just fine with that. I have no idea if this session is being intercepted or tampered with.
Reading TFA (yes, I did) revealed next to nothing. Other than a brief mention of "From Russia with love" and that their IPs were assigned to Russia, I can't glean any useful info on who owns those servers.
Muchas Gracias, Señor Edward Snowden !
Slashdot does this automatically
$ echo QUIT | openssl s_client -connect slashdot.org:443 | openssl x509 -text
Yeah, that's just sad. You'd think a popular technology news website such as Slashdot, of all places, would be on the ball and at least support TLS traffic... but it's actually worse than that. They're not lazy (they have a GeoTrust wildcard certificate issued back in April last year) but deliberately don't want people securing their connections, hence the 302 redirection they have in place. :(
It's GNU/Linux dammit!
.... if we make it, we can break it.
beta.slashdot.org, to improve our web experience and push interactive, rich client technology to the 21st century!
Wanking on useless bling instead of doing the important. Sigh.
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:*.slashdot.org, DNS:slashdot.org
I've seen lots of people using Tor - I run a relay - but I have no idea what they're using it for, or how legal that use is in my or their jurisdiction. Which is kind of the point.
Has anybody in here ever seen anyone using Tor for legal purposes?
Yes, all the time.
People even visit Slashdot using Tor.
Some folks use it all the time -- so all their ordinary daily browsing activity might go through tor.
Even if this were to occur and you are on a bad exit node, wouldn't you still get a warning from the browser about the certificate being bad?
>Sorry, but modern browsers don't really address that.
Yes, they do, but so few servers use it yet that it's still a problem.
http://en.wikipedia.org/wiki/H...
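The two points made above (that a browser raises no warning when a stripped page simply arrives over plain HTTP, and that HSTS is the mechanism browsers use to address it) are easier to see side by side in code. The following is an added example written for this page; it is not code from the thread, from sslstrip, or from any browser. It models a stripping exit node as a function that rewrites an HTTPS response, and a browser-side HSTS store that upgrades outgoing http:// requests for hosts it has previously seen send a Strict-Transport-Security header over TLS. The host name bank.example, the response body and the header values are all constructed for the example; nothing touches the network.

```python
"""Toy model of sslstrip and of the browser HSTS cache that defeats it.

Added example for this page: not sslstrip's code, not any browser's code.
All hosts, headers and bodies are constructed here; nothing is fetched.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what the origin would return to the exit node over HTTPS.
ORIGIN_RESPONSE = {
    "status": 200,
    "headers": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "body": '<a href="https://bank.example/login">Log in</a> '
            '<form action="https://bank.example/transfer">...</form>',
}

HTTPS_SCHEME = re.compile(r"https://", re.IGNORECASE)


def sslstrip_rewrite(response: dict) -> dict:
    """What a stripping MitM does to a page it fetched over HTTPS before
    relaying it to the victim over plain HTTP: rewrite every https:// link
    to http:// so the victim's next requests leave in cleartext, and drop
    the HSTS header so the browser never learns to insist on TLS.
    No certificate is involved, so nothing here trips a certificate warning."""
    headers = {k: v for k, v in response["headers"].items()
               if k.lower() != "strict-transport-security"}
    return {
        "status": response["status"],
        "headers": headers,
        "body": HTTPS_SCHEME.sub("http://", response["body"]),
    }


class HstsCache:
    """Minimal per-host HSTS store (expiry bookkeeping omitted)."""

    def __init__(self) -> None:
        # host -> includeSubDomains flag
        self.hosts: Dict[str, bool] = {}

    def learn(self, host: str, headers: dict, over_tls: bool) -> None:
        """Record an HSTS policy. RFC 6797 requires the header to be ignored
        unless it arrived over a TLS connection with a valid certificate;
        otherwise an on-path attacker could plant or clear policies."""
        hsts = headers.get("Strict-Transport-Security")
        if not over_tls or not hsts:
            return
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age: Optional[int] = None
        for d in directives:
            if d.startswith("max-age="):
                try:
                    max_age = int(d[len("max-age="):].strip('"'))
                except ValueError:
                    return  # malformed header: ignore it entirely
        if max_age is None:
            return  # max-age is mandatory
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # explicit policy removal
            return
        self.hosts[host.lower()] = "includesubdomains" in directives

    def must_use_tls(self, host: str) -> bool:
        host = host.lower()
        if host in self.hosts:
            return True
        return any(include_sub and host.endswith("." + known)
                   for known, include_sub in self.hosts.items())


def plan_request(cache: HstsCache, url: str) -> str:
    """The URL a browser actually sends for a typed or clicked URL.
    A known-HSTS host is upgraded to https:// before any bytes leave the
    machine, so a stripping exit node only ever sees a TLS handshake."""
    u = urlsplit(url)
    if u.scheme == "http" and u.hostname and cache.must_use_tls(u.hostname):
        return urlunsplit(("https", u.netloc, u.path, u.query, u.fragment))
    return url


if __name__ == "__main__":
    # Victim with an empty cache: the stripped page arrives over HTTP and
    # its links now point at http://, without any warning to show for it.
    cold = HstsCache()
    stripped = sslstrip_rewrite(ORIGIN_RESPONSE)
    print(plan_request(cold, "http://bank.example/"), "->", stripped["body"])
    # Victim who previously reached the site cleanly over TLS: the cache
    # upgrades the request, so there is no plaintext response to rewrite.
    warm = HstsCache()
    warm.learn("bank.example", ORIGIN_RESPONSE["headers"], over_tls=True)
    print(plan_request(warm, "http://bank.example/"))
```

The weak spot the model makes visible is the first visit: a user who has never reached the site over TLS has nothing in the cache, which is exactly the gap HSTS preload lists exist to close. The `over_tls` check in `learn` is the other detail worth keeping: honouring the header from a plain HTTP response would let the same exit node that strips pages also clear or plant policies.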
Isn't it kind of obvious that Tor would be a target to be attacked?
Between government agencies and other shady characters, I should think that as soon as you announce you've got something which provides anonymity, someone would be trying to break it.
Sure, they've identified some specific things, but did anybody actually believe Tor and things like it wouldn't be targets?
Lost at C:>. Found at C.
How does any of that help the fact HTTPS://slashdot.org/ returns a 302 redirection back to HTTP://slashdot.org/ ???
Setting up a special "secure" website with SSL certificate is pretty useless if you only redirect to a single non-encrypted URL.
Unless of course you are claiming HTTP(no S) is encrypted with magic or something, which seems to be what you are implying by pointing out the TLS server/client auth lines in that certificate that won't even apply.....
Bah, it's double-ROT13, that should be secure enough for anybody, right?
Lost at C:>. Found at C.
Except said bad exit node already compromises HTTPS by doing a MITM attack, because it literally IS a MITM. Just like an exit node can compromise SSH as well.
Basically the exit nodes see that you're trying to establish an HTTPS connection and return you a self-signed cert to encrypt data with, which they decrypt and then re-encrypt with the real key to the site.
Your browser will detect the fault since the certificate doesn't have a path to a known root CA. The question is, will the user know, care or not bother?
Basically the paper isn't saying anything new - exit nodes are known to have the ability to spy on Tor users (and with enough spying, be able to identify them). It's just that some nodes are a bit more sophisticated and perform MITM attacks on otherwise-encrypted connections.
And heck, didn't the NSA run something like the largest crowd of exit nodes because of this?
With regards to the SSL stuff? Should I disable all SSL certs in the browser and then enable only the ones that my https sites ask for? Or is it safe to leave them alone? Or will it break everything if I disable them since I won't know which to turn back on? And what about non-browser SSL traffic? Does the update service use SSL libraries too? Isn't there a separate certs list for SSL programs that are not browsers?
People have to stop hanging their hopes for privacy on HTTPS/PKI and also a network (Tor) built on the premise of accessing an insecure web.
If there is going to be any real privacy on the Internet going forward, it will have to be based on a new layer like the Invisible Internet Project (I2P). People should start using it now in a P2P fashion -- securing emails, chats, torrents and such -- and in time there is a chance the momentum will attract larger and larger web services, too. Make a habit of telling people you can be reached at your I2P address (in this sense, it becomes no more onerous than installing an app like Skype).
Subscribers get HTTPS.