Scientists Detect Two Dozen Computers Trying To Sabotage Tor Privacy Network
New submitter fynbar writes "Computer scientists have identified almost two dozen computers that were actively working to sabotage the Tor privacy network by carrying out attacks that can degrade encrypted connections between end users and the websites or servers they visit (PDF). 'Two of the 25 servers appeared to redirect traffic when end users attempted to visit pornography sites, leading the researchers to suspect they were carrying out censorship regimes required by the countries in which they operated. A third server suffered from what researchers said was a configuration error in the OpenDNS server. The remainder carried out so-called man-in-the-middle (MitM) attacks designed to degrade encrypted Web or SSH traffic to plaintext traffic. The servers did this by using the well-known sslstrip attack designed by researcher Moxie Marlinspike or another common MitM technique that converts unreadable HTTPS traffic into plaintext HTTP.'"
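The HTTPS-to-HTTP rewriting described in the summary can be detected by comparing a page fetched over a trusted path with the same page as received over the path under test. The Python below is an added example, not code from the researchers or from the original post; the function name `find_downgrades` and the `example.test` pages are constructed for illustration, and it assumes only links in markup (href, src, action) are checked.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages: the same document as served directly (reference)
# and as received over the path under test (observed).
REFERENCE_HTML = """
<a href="https://login.example.test/signin">Sign in</a>
<form action="https://login.example.test/session" method="post"></form>
<a href="http://www.example.test/news">News</a>
<img src="/static/logo.png">
"""
OBSERVED_HTML = REFERENCE_HTML.replace("https://", "http://")

class _UrlCollector(HTMLParser):
    """Collects href/src/action attribute values from every start tag."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(urlsplit(value.strip()))

def _urls_by_scheme(html, scheme):
    collector = _UrlCollector()
    collector.feed(html)
    return [u for u in collector.urls if u.scheme == scheme]

def _key(u):
    # Identity of a resource independent of its scheme.
    return (u.hostname, u.path or "/", u.query)

def find_downgrades(reference_html, observed_html):
    """Return http:// URLs in observed_html that were https:// in reference_html."""
    was_https = {_key(u) for u in _urls_by_scheme(reference_html, "https")}
    was_http = {_key(u) for u in _urls_by_scheme(reference_html, "http")}
    hits = {u.geturl() for u in _urls_by_scheme(observed_html, "http")
            if _key(u) in was_https and _key(u) not in was_http}
    return sorted(hits)

if __name__ == "__main__":
    for url in find_downgrades(REFERENCE_HTML, OBSERVED_HTML):
        print("downgraded:", url)
```

Links that were already plain HTTP in the reference copy, and relative links, are not reported, so only scheme changes introduced in transit are flagged.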
Re:How many is "almost two dozen" exactly? (Score:5, Informative)
Apparently the "almost two dozen" refers to the 22 that were doing MiTM attacks.
Re:HTTP/HTTPS Issues? (Score:2, Informative)
yes, EFF's HTTPS Everywhere
Re:HTTP/HTTPS Issues? (Score:5, Informative)
Not sure if joking...
http://noscript.net/features#o... [noscript.net]
https://www.eff.org/https-ever... [eff.org]
A lot of the sslstrip stuff is based off of people not noticing the page has changed to insecure; modern browsers try to address that by making it more visible than it was in the pre-FF3 era, e.g.:
https://support.mozilla.org/en... [mozilla.org]
Re:HTTP/HTTPS Issues? (Score:5, Informative)
HTTPS Everywhere doesn't stop you browsing HTTP sites; it just tries to redirect you to the HTTPS version of an HTTP site if it's available. Not saying it's not useful (just not quite what the OP was suggesting). There is a spin-off of HTTPS Everywhere - HTTP Nowhere - that might get the job done for Firefox. Not sure what happens with embedded crap like Flash etc. though, and AFAIK it's a global thing - there is no 'secure only' browsing window or anything like that.
https://addons.mozilla.org/En-us/firefox/addon/http-nowhere/
Another option might be squid (or another transparent proxy) which is configured to only allow HTTPS?
Re:HTTP/HTTPS Issues? (Score:5, Informative)
Sorry, but modern browsers don't really address that. The problem with the browser warnings is their definition of insecure. You only get warnings if there is something wrong with an encrypted https site like an invalid certificate. Using an unencrypted site is NOT seen as insecure as it would annoy users during most of their normal browsing sessions. The Blackhat presentation about sslstrip from Moxie explains very clearly what the problems are. You can view it at http://www.thoughtcrime.org/so... [thoughtcrime.org]
Re:Only 24? (Score:4, Informative)
The "issue" is that an exit node can monitor or intercept outgoing connections.
This is inherent to the design, and probably can't be fixed at this level.
It's also a "feature" because it provides an incentive to run an exit node.
The solution is that end users need to be extra paranoid. TOR isn't magic security dust - it anonymizes traffic, but it also increases your exposure to attacks. It should only be used for encrypted connections, with authentication of the end point.
For "casual" users that means to always use https, always verify the certificate, and disable any root certificates you don't need.
Re:HTTP/HTTPS Issues? (Score:4, Informative)
>Sorry, but modern browsers don't really address that.
Yes, they do, but so few servers use it yet that it's still a problem.
http://en.wikipedia.org/wiki/H... [wikipedia.org]