Hacker News new | ask | show | jobs
by DaKnOb 3573 days ago
Well, it's fun to do this and learn from that, however in an exit node it's not something I'd want to do. People use Tor to surf the web anonymously (mostly) and have some privacy. There are certainly exit nodes that do this, and it has been proven by blog posts in the past, however the more nodes that don't engage in such activities, the better for the network overall.
2 comments
vog 3573 days ago
> however the more nodes that don't engage in such activities, the better for the network overall.

I'd argue that it is quite the opposite.

The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption. In particular, they will insist that more websites switch to HTTPS. Which is actually better for the network overall, and would render most of these attacks useless.

I wonder whether the Tor browser bundle should disable plain HTTP completely, only to be enabled through some obscure config setting for the seldom use cases where this is actually needed.

[1] Tor is by definition a system of man-in-the-middle through man-in-the-middle. Why would anybody want to use that without end-to-end encryption?

link
nbraud 3573 days ago
> The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption.

Yes, but how does your collecting logs impact overall awareness?

Even if it did (say, you make the logs available through some snazzy web interface, it gets mass media attention), how does that balance out with the users who traffic you exposed?

link
vog 3573 days ago
I didn't mean that more exit nodes should collect and share their logs. That would indeed weaken the Tor network, by facilitating traffic correlation.

I meant inspecting/manipulating the traffic if it is unencrypted. As a political statement, this should of course never actually attack the client, but instead try to raise attention by e.g. injecting a message along the lines:

    Hi, I'm a stranger and it was trivial for me to
    inject this message. Please use HTTPS to prevent
    me from doing this.
Thinking more about that, however, this may be a bad idea. People could perceive this to be a security hole in the Tor network itself, rather than HTTP itself, which could damage the reputation of Tor.
link
nxzero 3573 days ago
Would it be possible for Tor to detect sniffing by seeding the traffic with poison pills that ratted out anyone doing this in bulk?
link
j3097736 3573 days ago
Yes, see http://www.cs.kau.se/philwint/spoiled_onions/ and http://www.leviathansecurity.com/blog/the-case-of-the-modifi...
link
nxzero 3573 days ago
Makes you wonder why Tor doesn't replicate this and send the nodes ghost traffic, poison pills, block the IPs, etc.
link
makomk 3573 days ago
Last I heard, there was basically one guy handling all reports of malicious exit nodes, and I couldn't even get him to do anything about the ones very obviously intercepting traffic to Bitcoin wallets and injecting code that stole people's money
link
pjc50 3573 days ago
People are communicating with bitcoin wallets without end-to-end encryption?
link
paavokoya 3573 days ago
Sounds strenuous on an already slow network..
link
nbraud 3573 days ago
There is automated tooling out there that is used to detect misbehaving exits, like ExitMap: https://gitweb.torproject.org/user/phw/exitmap.git/
link
DaKnOb 3573 days ago
This has been done in the past: researchers visited a uniquely generated URL from Tor and then recorded which Exit Nodes visited it again. You can find their work if you google it..
link
brownbat 3573 days ago
https://chloe.re/2015/06/20/a-month-with-badonions/

"Chloe" visited unique web pages for a month last year, and also used unique credentials to log into a custom honeypot. Of the over 137,000 exit nodes tested, 15 attempted to use the credentials, 650 visited the unique websites.

Less than half of a percent, but definitely happening regularly enough to be an issue.

link
dogma1138 3573 days ago
Not really you can always mirror the wan/uplink port and do the capture on another box so even some time based / performance analysis won't show anything.
link
dkopi 3573 days ago
Port mirroring means you can only be a passive eavesdropper. Attacks like SSL mitm wouldn't work because you actually have to intercept and modify the traffic
link
dogma1138 3573 days ago
SSL MITM still won't work unless you want it to be very noticeable or you have very substantial resources.

Port mirroring is enough to capture SSL traffic and to break weak SSL keys or if you have compromised the key of the destination services (w/ some caveats like no forward secrecy etc.)

And it doesn't prevents you from executing MITM attacks from upstream or just doing specific MITM attacks from within the TOR exit node later on.

But overall there is nothing you can do to ensure that your TOR exit node, your VPN gateway or even your ISP isn't reading your traffic other than to use encrypted tunnels everywhere and even then you are for the most part only moving the problem upstream.

link
unethical_ban 3573 days ago
You can't silently mitm SSL unless you are trusted by the client.
link