Tor exit nodes attempt to spy on encrypted traffic, researchers find
19 Tor exit relays used self-signed certificates to launch man-in-the-middle attacks against HTTPS and SSH connections
IDG News Service - Computer scientists found almost 20 exit relays in the Tor anonymity network that attempted to spy on users' encrypted traffic using man-in-the-middle techniques.
The research was carried out over a period of four months by Philipp Winter and Stefan Lindskog, researchers in the PriSec (Privacy and Security) group at Karlstad University in Sweden, who recently published a paper with their findings.
The Tor network is designed to provide anonymity for users and bypass Internet censorship attempts. This is achieved by encrypting user traffic and routing it through a series of computers that act as relays and are run by volunteers before sending it to its intended destination on the Internet.
Computers that handle the final hop in the Tor network are known as exit relays. According to statistics from the Tor Project, there are about 1,000 such relays as of this month.
Even though connections between Tor relays are encrypted, traffic is returned to its original state when it leaves the network. This means that if it's not using SSL or another secure transport protocol, Tor exit relays can inspect it. That's why the Tor Project recommends the use of HTTPS -- HTTP with SSL encryption -- with all websites that support it, even if using Tor.
However, their man-in-the-middle (MitM) position allows Tor exit relays to tamper with HTTPS connections, using techniques like SSL stripping or impersonating the destination website using a rogue certificate.
The researchers built a scanning tool called exitmap that can identify exit relays behaving maliciously or abnormally and ran it on the Tor network. Over a four-month period they identified 25 bad relays that were subsequently reported to the Tor Project and blacklisted.
Fourteen relays engaged in man-in-the-middle HTTPS traffic sniffing using fake certificates, four relays did both HTTPS and SSH sniffing and one attempted only SSH sniffing. Two other relays used the sslstrip tool to force HTTPS connections over plain HTTP, one relay injected HTML code in HTTP traffic and three relays engaged in Internet censorship by blocking access to certain websites at the DNS level, intentionally or because of misconfiguration.
The relays engaged in HTTPS sniffing used self-signed certificates which lowered the attack's success rate because this triggered browser certificate errors that users would have had to manually dismiss. The Tor Project maintains and distributes a software package called the Tor Browser Bundle that contains a browser based on Mozilla Firefox and other components needed to access the Web over Tor.
The researchers believe the relays doing HTTPS or SSH traffic interception were operated by the same individual or group of individuals because they used very similar self-signed certificates, almost all of them were located in Russia on the network of a virtual private server (VPS) hosting provider and all of them ran an old version of Tor -- 0.2.2.37 -- that's uncommon among relays. Only two benign relays that used this same Tor version were identified during the scans.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
Enhance Your Virtualization Infrastructure With IBM and Vmware
Date: Wednesday, May 14, 2014, 1:00 PM EDT
Virtualization technology is now expanding beyond the server compute elements to encompass networking and storage...
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
All Encryption White Papers |