In most cases, it should be okay, it's a specific scenario where MITM is possible. The issue arises if you're using Tor to access a website which gives you an address to send crypto to, and you trust that address is correct.

If it's a hidden service you're connecting to, it's fine, there's no way for a malicious exit node to alter what's sent to you. If it's a normal website (i.e. not .onion) that you're getting the address from, then the exit node could perform SSL stripping [0], an attack in which a website which would normally be served over HTTPS is served to you via HTTP, and so the malicious exit node could alter the content. In this case, the attacker could change any cryptocurrency addresses present in the website to convince you to send currency to the wrong address. It would be visible in your browser that the website is being served over HTTP, not HTTPS.

It should be noted, this scenario is getting rarer with the introduction of HSTS [1], especially in conjunction with HSTS preloading, which prevents your browser from accessing the website over plain HTTP. Tools like HTTPS Everywhere [2] can help ensure that you never access websites over plain HTTP also.

Also, this isn't a vulnerability in Tor per se, the exact same is possible without Tor, it's just that when you connect to a website via Tor, you're deliberately introducing extra hops between you and your destination, which wouldn't normally be there.

So, things that would need to come together for this attack to work:

First, you're not connecting to a hidden service.

Second, the website you're connecting to doesn't use HSTS, or you've not connected to them before & they're not in the preload list.

Third, you aren't using a tool like HTTPS Everywhere and you don't notice the website is coming to you over HTTP.

Fourth, you don't verify that the address you've been given is correct independent of the website before sending a payment.

This seems to me to be a fairly rare set of circumstances on the modern internet.

0: https://security.stackexchange.com/questions/41988/how-does-...

1: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

2: https://www.eff.org/https-everywhere
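An added example, not part of the comment above: a check of the second condition, deciding from a site's `Strict-Transport-Security` header whether a browser would refuse plain HTTP on the next visit. The function names, the simplified directive grammar and the sample header values are assumptions made for illustration, and policy expiry over time is not modelled.

```python
import re

# Simplified RFC 6797 directive grammar: name [ "=" (token | quoted-string) ]
_DIRECTIVE = re.compile(r'^([A-Za-z0-9-]+)(?:\s*=\s*("[^"]*"|[^\s"]+))?$')

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None means a browser ignores it."""
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a repeated directive invalidates the whole header
        seen[name] = (m.group(2) or "").strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def http_refused(prior_header, prior_scheme, preloaded):
    """True if the browser will not load this host over plain HTTP.

    prior_header: header value seen on an earlier visit, or None if never visited.
    prior_scheme: scheme of that earlier visit ("http" or "https").
    preloaded:    whether the host is on the browser's HSTS preload list.
    """
    if preloaded:
        return True  # the preload list covers even the very first visit
    if prior_header is None or prior_scheme != "https":
        return False  # no stored policy; HSTS received over HTTP is ignored
    policy = parse_hsts(prior_header)
    # max-age=0 tells the browser to delete any stored policy
    return policy is not None and policy["max_age"] > 0

if __name__ == "__main__":
    # Constructed sample cases: (prior header, prior scheme, preloaded)
    cases = [(None, "https", False),
             ("max-age=31536000; includeSubDomains", "https", False),
             ("max-age=31536000", "http", False),
             ("max-age=0", "https", False),
             (None, "https", True)]
    for header, scheme, preloaded in cases:
        print(repr(header), scheme, preloaded, "->", http_refused(header, scheme, preloaded))
```

A `False` result means the first request can still go out over HTTP, which is the window the comment describes.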