BLOG: Researchers discover Spoiled Onions: Evil Tor exit relays spying on Facebook users

Ms Smith (Network World) | Jan. 23, 2014
First, Microsoft remotely deleted Tor from 2 million PCs to take down the Sefnit botnet; then researchers found a few malicious exit relays running in Russia for MitM attacks.

Back in August, after malicious JavaScript targeted Windows machines running a Firefox 17 version customized for Tor, that zero-day vulnerability prompted the Tor Project to recommend kicking Windows to the curb. "Really, switching away from Windows is probably a good security move for many reasons." Instead "consider switching to a 'live system' approach like Tails."

Spoiled Onions
Karlstad University researchers Philipp Winter and Stefan Lindskog monitored 1,000 Tor exit relays for four months and found 25 evil exit relays. "These exit relays engaged in various attacks such as SSH and HTTPS MitM, HTML injection, and SSL stripping."

Illustration from Spoiled Onions research paper

They used a Python-based exit relay scanner to determine that someone in Russia running exit relays was spying on Facebook users as well as Tor users browsing other sites. The attacker issued a fake and malicious digital certificate in order to engage in man-in-the-middle (MitM) attacks. They found two exit relays that interfered with network traffic because of DNS censorship, basically meaning they blocked pornography, and one that was misconfigured.
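The comparison at the heart of such a scanner is simple to model: fetch a site directly to establish which leaf certificates it legitimately serves, fetch it again through each exit relay, and flag relays that present a certificate not in the baseline (HTTPS MitM) or that turn an HTTPS fetch into plaintext (SSL stripping). The following is an added example written for this article, not code from the researchers' scanner or the Tor Project; the relay fingerprints, hostnames and certificate hashes are constructed placeholders, and the network fetch itself is left out so the logic runs offline.

```python
# Added example (not from the article or the Spoiled Onions scanner): the core
# comparison an exit-relay scan performs on fetched results. Relay fingerprints,
# hostnames and certificate hashes are constructed placeholders.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """One HTTPS fetch of `target`, either direct or routed through exit `relay`."""
    relay: Optional[str]        # Tor relay identity fingerprint; None = direct fetch
    target: str                 # hostname that was requested over HTTPS
    final_scheme: str           # scheme after following redirects: "https" or "http"
    leaf_sha256: Optional[str]  # SHA-256 of the served leaf certificate, None over plain HTTP


def constructed_cert_hash(label: str) -> str:
    """Stand-in for hashing a real DER-encoded certificate (constructed data)."""
    return hashlib.sha256(label.encode()).hexdigest()


def build_baseline(direct: list[Observation]) -> dict[str, set[str]]:
    """Collect every leaf hash seen on direct fetches, per target.

    Sites behind CDNs or with rotating certificates legitimately serve several
    leaf certificates, so the baseline is a set; a single expected hash would
    produce false accusations against honest relays."""
    baseline: dict[str, set[str]] = {}
    for o in direct:
        if o.relay is None and o.leaf_sha256:
            baseline.setdefault(o.target, set()).add(o.leaf_sha256)
    return baseline


def classify(baseline: dict[str, set[str]], obs: Observation) -> list[str]:
    """Return the attack classes an exit-routed observation is consistent with."""
    expected = baseline.get(obs.target, set())
    if not expected:
        return ["no_baseline"]          # cannot judge; do not blame the relay
    findings = []
    if obs.final_scheme == "http":
        findings.append("ssl_stripping")  # HTTPS request ended on plaintext
    elif obs.leaf_sha256 not in expected:
        findings.append("https_mitm")     # relay substituted the certificate
    return findings


def scan(direct: list[Observation], via_exits: list[Observation]) -> dict[str, list[str]]:
    """Map each exit relay to the findings recorded against it (clean relays are absent)."""
    baseline = build_baseline(direct)
    report: dict[str, list[str]] = {}
    for o in via_exits:
        for finding in classify(baseline, o):
            report.setdefault(o.relay, []).append(f"{o.target}:{finding}")
    return report


# Constructed sample data standing in for real scan results
GOOD_A = constructed_cert_hash("legit-cert-A")
GOOD_B = constructed_cert_hash("legit-cert-B")
FORGED = constructed_cert_hash("forged-cert")

DIRECT = [
    Observation(None, "example-social.test", "https", GOOD_A),
    Observation(None, "example-social.test", "https", GOOD_B),  # second legit cert
    Observation(None, "example-bank.test", "https", GOOD_A),
]
VIA_EXITS = [
    Observation("EXIT_PLACEHOLDER_1", "example-social.test", "https", GOOD_B),  # honest
    Observation("EXIT_PLACEHOLDER_2", "example-social.test", "https", FORGED),  # MitM
    Observation("EXIT_PLACEHOLDER_3", "example-bank.test", "http", None),       # stripping
]


def demo() -> dict[str, list[str]]:
    return scan(DIRECT, VIA_EXITS)


if __name__ == "__main__":
    for relay, findings in demo().items():
        print(relay, findings)
```

The baseline being a set rather than a single hash is the part worth copying: without it, a relay that merely reached a different CDN node than the direct fetch would be reported as an attacker.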

Tor maintains a list of known bad Tor relays, but Spoiled Onions listed "all malicious or misconfigured exit relays we discovered since September 2013." The researchers wrote that while the list might appear scary, "it is important to understand that these are merely 25 out of more than 1,000 relays over four months!" That is "a very small fraction which means that Tor users are not likely to encounter many such relays 'in the wild'. Furthermore, Tor's path selection algorithm prefers faster relays over slower ones;" so since the malicious exit relays "contributed little bandwidth," then very few Tor users probably used them.

And even if you, as a user, happen to select a malicious exit relay, it doesn't mean that everything is lost. TorBrowser ships with extensions such as HTTPS-Everywhere which are able to foil some HTTPS-based attacks. Finally, all of the attacks we found are of course not limited to the Tor network. You might very well be more exposed to these attacks on any public WiFi.

On the Tor Project blog, the researchers wrote, all the security best practice knowledge "you already know from Firefox or Chrome also applies to TorBrowser.

MitM attack warning in Tor

In particular, I'm referring to Firefox' warning page you might see every now and then. It says something along the lines of 'This Connection is Untrusted' or 'This is not the site you are looking for'. These warning pages should tell users that the connection to the site isn't quite right."

