[cyphar]

It is fair to say that using unauthenticated protocols like HTTP over Tor is a pretty bad idea (and there really should be more warning bells about this in the Tor Browser). However on the TLS comment -- almost all modern websites use HSTS, so sslstrip doesn't really work any more.

[edoo]

I mean you can intercept the request, retrieve the real cert, generate a self signed cert with the exact same details, then submit that to the user and be man in the middle. Of course the user gets the blank SSL cert error page on the browser, but a percentage of those users will override and continue. Copying the cert details increases that percentage as some will actually look at the invalid cert. It is quite blatant but it is just a numbers game at that point. If you ever hit an SSL cert error with TOR you should force a new onion path.

[cyphar]

Yes, you could do that but then your node would be kicked off the Tor network (because you'd need to do it indiscriminately since you don't know who the user is you're trying to target). In addition, relays are load-balanced based on trustworthiness and bandwidth so in order to attack a significant portion of users you'd need to be running a large and trusted node (which would be hard to do if you're just doing this to attack people).

[edoo]

I wasn't aware that Tor tested services and had a trustworthiness score but an attack like that could still be quite useful for certain purposes and possibly stay well hidden. If you set something up that only did it for Google IP blocks for example it might go undetected. If you actually got shut down you could refine it by only targeting a small percentage of those users. There would be some rate of account collection, however small.

[throwaway66hack]

How about sslstrip2 ([1], check demo)? A weakness of HSTS is that is stored per domain and the exit node can also control your DNS traffic. I wonder how hard it is to pull this off as a Tor exit node, for local networks there are tools like bettercap [2].

[1] https://github.com/byt3bl33d3r/sslstrip2

[2] https://www.bettercap.org/legacy/

[cyphar]

That is a pretty neat attack, but I disagree it would be useful against Tor.

DNS traffic is funneled through a different Tor circuit than the web traffic. You'd need to apply the bad DNS to all users, which would almost certainly in your exit node being dropped from the network.

I'm also not sure how this would be handled with HSTS preload lists -- HSTS preload applies to all subdomains so you'd need to come up with a completely different domain (and protections against homograph attacks mean that avenue is restricted). It'd probably be simpler to just set up an actual website with LetsEncrypt than to bother with stripping the TLS in this manner.

[throwaway66hack]

You are right. With different Tor circuits, the attacker needs to control a lot of exit nodes to correlate the initial HTTP request to ssl-stripped page and the DNS query (to be a global adversary).