Researcher Finds Tor Exit Node Adding Malware To Downloads

Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the middle attack.

What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code. In terms of defending against the sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. "SSL/TLSis the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.

So if TOR nodes can easily do it

[phorm]

Who's to say that your friendly ISP or government agency isn't doing the same? Or even better yet, how about for OS updates.

Last time I checked even my linux *.list files were referencing HTTP hosts rather than HTTPS (not that HTTPS is really much better, when gov't agencies are concerned)

Might make sense to use an SSL-enabled connection and a key that's provided with the distro.

Re:Defaults

[lgw]

Sorry, "HTTPS everywhere", not "-only" - it tries HTTPS first, which helps with a bunch of sites so you don't have to bookmark the https version specifically, but still falls back to HTTP when needed.

Everyone should use that plugin in normal browsing IMO - it will drive traffic to HTTPS, and really there's no reason for non-HTTPS sites anymore Slashdot are you listening, you HTTP-only weenies?