and not a single Tor hacker was surprised...

22 Jan 2014

      Scientists detect “spoiled onions” trying to sabotage Tor privacy network
Rogue Tor volunteers perform attacks that try to degrade encrypted connections.
 by Dan Goodin - Jan 21 2014, 2:42pm PST
http://arstechnica.com/security/2014/01/scientists-detect-spoiled-onions-try...

or reason #16256 to crypto end to end...

---

Computer scientists have identified almost two dozen computers that
were actively working to sabotage the Tor privacy network by carrying
out attacks that can degrade encrypted connections between end users
and the websites or servers they visit.

The "spoiled onions," as the researchers from Karlstad University in
Sweden dubbed the bad actors, were among the 1,000 or so volunteer
computers that typically made up the final nodes that exited the
Tor—short for The Onion Router—network at any given time in recent
months. Because these exit relays act as a bridge between the
encrypted Tor network and the open Internet, the egressing traffic is
decrypted as it leaves. That means operators of these servers can see
traffic as it was sent by the end user. Any data the end user sent
unencrypted, as well as the destinations of servers receiving or
responding to data passed between an end user and server, can be
monitored—and potentially modified—by malicious volunteers. Privacy
advocates have long acknowledged the possibility that the National
Security Agency and spy agencies across the world operate such rogue
exit nodes.

The paper—titled Spoiled Onions: Exposing Malicious Tor Exit Relays—is
among the first to document the existence of exit nodes deliberately
working to tamper with end users' traffic (a paper with similar
findings is here). Still, it remains doubtful that any of the 25
misconfigured or outright malicious servers were operated by NSA
agents. Two of the 25 servers appeared to redirect traffic when end
users attempted to visit pornography sites, leading the researchers to
suspect they were carrying out censorship regimes required by the
countries in which they operated. A third server suffered from what
researchers said was a configuration error in the OpenDNS server.

The remainder carried out so-called man-in-the-middle (MitM) attacks
designed to degrade encrypted Web or SSH traffic to plaintext traffic.
The servers did this by using the well-known sslstrip attack designed
by researcher Moxie Marlinspike or another common MitM technique that
converts unreadable HTTPS traffic into plaintext HTTP. Often, the
attacks involved replacing the valid encryption key certificate with a
forged certificate self-signed by the attacker.

"All the remaining relays engaged in HTTPS and/or SSH MitM attacks,"
researchers Philipp Winter and Stefan Lindskog wrote. "Upon
establishing a connection to the decoy destination, these relays
exchanged the destination's certificate with their own, self-signed
version. Since these certificates were not issued by a trusted
authority contained in TorBrowser's certificate store, a user falling
prey to such a MitM attack would be redirected to the about:certerror
warning page."
...
From Russia with love
The 22 malicious servers were among about 1,000 exit nodes that were
typically available on Tor at any given time over a four-month period.
(The precise number of exit relays regularly changes as some go
offline and others come online.) The researchers found evidence that
19 of the 22 malicious servers were operated by the same person or
group of people. Each of the 19 servers presented forged certificates
containing the same identifying information. The virtually identical
certificate information meant the MitM attacks shared a common origin.
What's more, all the servers used the highly outdated version 0.2.2.37
of Tor, and all but one of the servers were hosted in the network of a
virtual private system providers located in Russia. Several of the IP
addresses were also located in the same net block.

The researchers caution that there's no way to know that the operators
of the malicious exit nodes are the ones carrying out the attacks.
It's possible the actual attacks may be carried out by the ISPs or
network backbone providers that serve the malicious nodes. Still, the
researchers discounted the likelihood of an upstream provider of the
Russian exit relays carrying out the attacks for several reasons. For
one, the relays relied on a diverse set of IP address blocks,
including one based in the US. The relays frequently disappeared after
they were flagged as untrustworthy, researchers also noted.

The researchers identified the rogue volunteers by scanning for server
relays that replaced valid HTTPS certificates with forged ones. That
might have helped to detect certificate forgery attacks such as the
one used in 2011 to monitor 300,000 Gmail users—wouldn't be detected
using the methods devised by the researchers. The researchers don't
believe the malicious nodes they observed were operated by the NSA or
other government agencies.

"Organizations like the NSA have read/write access to large parts of
the Internet backbone," Karlstad University's Winter wrote in an
e-mail. "They simply do not need to run Tor relays. We believe that
the attacks we discovered are mostly done by independent individuals
who want to experiment."

While the confirmation of malicious exit nodes is important, it's not
particularly surprising. Tor officials have long warned that Tor does
nothing to encrypt plaintext communications once it leaves the
network. That means ISPs, remote sites, VPN providers, and the Tor
exit relay itself can all see the communications that aren't encrypted
by end users and the parties they communicate with. Tor officials have
long counseled users to rely on HTTPS, e-mail encryption, or other
methods to ensure that traffic receives end-to-end encryption.

The researchers have proposed a series of updates to the "Torbutton"
software used by most Tor users. Among other things, the
proof-of-concept software fix would use an alternative exit relay to
refetch all self-signed certificates delivered over Tor. The software
would then compare the digital fingerprints of the two certificates.
It's feasible that the changes might one day include certificate
pinning, a technique for ensuring that a certificate presented by
Google, Twitter, and other sites is the one authorized by the operator
rather than a counterfeit one. Several hours after this article went
live, Winter published this blog post titled What the "Spoiled Onions"
paper means for Tor users.

coderman

Kelly John Rose

coderman

rysiek

katana

rysiek

Troy Benjegerdes

Tom Ritter

rysiek

Guido Witmond

coderman

Guido Witmond

coderman

rysiek

Griffin Boyce

tags

participants (8)