
Re: Holy shit I caught 1

On Sun, Aug 27, 2006 at 08:24:06PM -0500, Mike Perry wrote:
> I would have bet good money against this, but there actually IS a
> router on the tor network spoofing SSL certs. The router '1'
> ( - $BB688E312A9F2AFFFC6A619F365BE372695CA626) is
> providing self-signed SSL certs for just about every SSL site you hit
> through it. Nice. Is there a wiki page with bad tor nodes anywhere?
It's a node in China. It looks like it's not actually aiming for Tor --
rather, this fellow's Internet connection is attacking him, and Tor gets
attacked too.

I recall hearing stories about gatherings in east Asian countries suddenly
finding all their https connections man-in-the-middled.

Fortunately, Firefox catches it, and complains -- but unfortunately,
nobody takes the complaints seriously anymore.

> Is anyone else scanning? My list of hits on for this zip is awfully
> small.. It appears we may actually need to scan, folks.

Thanks for setting this up.

I've been meaning to integrate an 'exit traffic comparison scheme'
inside the directory authorities, so they not only check reachability,
but they check whether certain sites are retrieved accurately from you
if you're an exit node. Then you are listed as 'not running' (or not
listed at all) if you're found to be funny-looking.

But I obviously haven't gotten around to this yet. Feel free to beat me
to it.

In the meantime, it looks like we need to start a policy of what Tor
servers don't get included in the directory. We can exclude servers by
key, by nickname, and by IP address/netmask. Another option is to label
them as invalid, which will cause (correctly behaving) Tors to use them
only for untrusted locations in the path. Sounds like that's the best plan
for now. Let us know if you find others and we'll treat them similarly.

>  Does anyone know if
> firefox verifies cert sigs when downloading extension updates?

I don't. Good question.
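The exit-traffic comparison check sketched above, written out as an added example (not code from this thread, from Tor, or from the directory authorities): capture the leaf certificate a site presents, once directly and once through each exit, and flag any exit whose copy differs from the baseline. The socket-through-Tor plumbing (SOCKS) is left to the caller and the sample certificates are constructed stand-in bytes, not real DER.

```python
import hashlib
import socket
import ssl
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple


def leaf_cert_der(host: str, port: int = 443,
                  sock: Optional[socket.socket] = None) -> bytes:
    """Return the DER-encoded leaf certificate the peer presents.

    Verification is deliberately switched off so that a self-signed or
    forged certificate is *captured* instead of rejected; the comparison
    against the baseline is what decides whether the exit is "funny-looking".
    `sock` may be a socket the caller already connected through a Tor exit
    (assumption: the caller handles SOCKS); otherwise connect directly.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = sock or socket.create_connection((host, port), timeout=15)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER certificate."""
    return hashlib.sha256(der).hexdigest()


def find_funny_exits(baseline: Dict[str, bytes],
                     observations: Iterable[Tuple[str, str, bytes]]) -> Dict[str, List[str]]:
    """baseline: site -> DER seen on a direct connection.
    observations: (exit_id, site, DER seen through that exit).
    Returns exit_id -> sites whose certificate did not match the baseline."""
    bad = defaultdict(list)
    for exit_id, site, der in observations:
        if site in baseline and fingerprint(der) != fingerprint(baseline[site]):
            bad[exit_id].append(site)
    return dict(bad)


# Constructed sample data (stand-in bytes, not real certificates).
BASELINE = {"example.org": b"der:example.org:real", "example.net": b"der:example.net:real"}
OBSERVED = [
    ("exit-A", "example.org", b"der:example.org:self-signed"),  # mismatch -> flagged
    ("exit-B", "example.org", BASELINE["example.org"]),           # matches baseline
    ("exit-B", "example.net", BASELINE["example.net"]),
]

if __name__ == "__main__":
    print(find_funny_exits(BASELINE, OBSERVED))
```

Byte-for-byte comparison is the strict version of the check; sites that rotate certificates or serve different ones per CDN node will produce false positives, so a production scan should compare issuer chains and validity rather than raw equality, and the authorities would then mark the flagged relay invalid or drop it as described above.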