On Sun, Aug 27, 2006 at 08:24:06PM -0500, Mike Perry wrote:
> I would have bet good money against this, but there actually IS a
> router on the tor network spoofing SSL certs. The router '1'
> (218.58.6.159 - $BB688E312A9F2AFFFC6A619F365BE372695CA626) is
> providing self-signed SSL certs for just about every SSL site you hit
> through it. Nice. Is there a wiki page with bad tor nodes anywhere?
>
> Let's hear it for paranoia! Hip hip hooray.

Good catch, Mike!

As others have said, this is probably the effect of China (or Chinese ISPs) running a MITM attack against their own computers in order to make their Internet less secure.

I suspect we'll see this trend in a lot of exit nodes we catch as broken: we'll detect more plausibly broken configurations than obviously malicious ones. After all, lots of people *do* have broken configs. (And if somebody is trying to do an attack, it probably makes sense for them to keep some kind of deniability by pretending to be broken rather than hostile.)

Another note: if people want to continue running these checks against exits (and I hope you do!) I'd suggest you keep what, exactly, you're checking for a secret until *after* you run each round of tests. Then announce the results, release the source, and think of more stuff to test for. Releasing the source will help other people check out whether the network is behaving correctly, but keeping mum about what you're checking for will keep dishonest/broken people from changing their behavior before you can find them out.

yrs,
--
Nick Mathewson
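The check Mike describes (fetch a site's certificate through an exit and see whether it matches what the site really serves) comes down to two comparisons: are the leaf certificates byte-identical, and if not, is the one the exit handed you signed by its own key? The Go program below is an added example written for this page; it is not code from the thread, from Mike's scanner or from the Tor project. Since it has to run offline, it builds both certificates in memory with constructed names ("Example Root CA", example.com) instead of fetching them: a genuine CA-issued leaf standing in for the direct connection, and a self-signed impostor for the same hostname standing in for what a spoofing exit returns. Only the comparison logic in CompareExitCert is the point; how you obtain the two certificates (direct TLS handshake vs. one through the exit) is left to the caller.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Verdict summarises how the certificate seen through an exit compares with
// the one seen on a direct connection to the same host.
type Verdict struct {
	SameCert   bool   // identical SHA-256 fingerprints over the DER bytes
	SelfSigned bool   // exit-observed cert is signed by its own key
	Note       string // human-readable reason
}

func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// isSelfSigned is true when issuer == subject and the certificate's own
// public key verifies its signature. CheckSignature (not CheckSignatureFrom)
// is used on purpose: the latter also enforces CA constraints, which a
// self-signed leaf would fail.
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// CompareExitCert is the check from the thread: given the leaf certificate
// obtained directly and the one obtained through the exit under test, flag
// any difference and say whether the exit's copy is self-signed.
func CompareExitCert(direct, viaExit *x509.Certificate) Verdict {
	v := Verdict{
		SameCert:   fingerprint(direct) == fingerprint(viaExit),
		SelfSigned: isSelfSigned(viaExit),
	}
	switch {
	case v.SameCert:
		v.Note = "certificate identical via both paths"
	case v.SelfSigned:
		v.Note = "exit presented a different, self-signed certificate (MITM or broken proxy)"
	default:
		v.Note = "exit presented a different certificate; investigate further"
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario constructs, in memory and only for this example, the two
// certificates the thread describes: the genuine CA-issued leaf for host
// (what a direct connection sees) and a self-signed impostor carrying the
// same name (what a spoofing exit hands back).
func BuildScenario(host string) (direct, viaExit *x509.Certificate) {
	now := time.Now()
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey := newKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	direct = mkCert(leafTmpl, ca, &leafKey.PublicKey, caKey)

	fakeKey := newKey() // the impostor has its own key; the name is all it copies
	fakeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	viaExit = mkCert(fakeTmpl, fakeTmpl, &fakeKey.PublicKey, fakeKey)
	return direct, viaExit
}

func main() {
	direct, viaExit := BuildScenario("example.com")
	v := CompareExitCert(direct, viaExit)
	fmt.Printf("same=%v selfSigned=%v: %s\n", v.SameCert, v.SelfSigned, v.Note)
}
```

In a real scan the fingerprint comparison alone catches any substitution, whether self-signed or signed by some CA the exit controls; the self-signed test is what separates the "obviously broken or hostile" case Mike hit from the subtler one Nick expects to see more of. Comparing raw DER bytes rather than parsed fields also sidesteps impostors that copy every visible field but the key.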