
Re: Holy shit I caught 1



On Sun, Aug 27, 2006 at 08:24:06PM -0500, Mike Perry wrote:
> I would have bet good money against this, but there actually IS a
> router on the tor network spoofing SSL certs. The router '1'
> (218.58.6.159 - $BB688E312A9F2AFFFC6A619F365BE372695CA626) is
> providing self-signed SSL certs for just about every SSL site you hit
> through it. Nice. Is there a wiki page with bad tor nodes anywhere?
> 
> Let's hear it for paranoia! Hip hip hooray.

Good catch, Mike!  As others have said, this is probably the effect of
China (or Chinese ISPs) running a MITM attack against their own
computers in order to make their Internet less secure.

I suspect we'll see this trend in a lot of exit nodes we catch as
broken: we'll detect more plausibly broken configurations than
obviously malicious ones.  After all, lots of people *do* have broken
configs.  (And if somebody is trying to do an attack, it probably
makes sense for them to keep some kind of deniability by pretending
to be broken rather than hostile.)

Another note: if people want to continue running these checks against
exits (and I hope you do!) I'd suggest you keep what, exactly, you're
checking for a secret until *after* you run each round of tests.  Then
announce the results, release the source, and think of more stuff to
test for.  Releasing the source will help other people check out
whether the network is behaving correctly, but keeping mum about what
you're checking for will keep dishonest/broken people from changing
their behavior before you can find them out.

yrs,
-- 
Nick Mathewson

Attachment: pgpJlTyZqBlgf.pgp
Description: PGP signature
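The check Mike ran and Nick encourages others to keep running is, at its core, a comparison of the leaf certificate a site presents when reached directly against the one observed through a particular exit, with a self-signed substitute being the most obvious bad sign. The following is an added example written for this archive, not code from Mike's scanner or from the Tor project: it uses only the Python standard library, fetches a peer's DER certificate with verification deliberately disabled so that a swapped certificate is returned instead of rejected, extracts the issuer and subject with a minimal hand-written DER walker (an assumption: it follows the X.509 tbsCertificate field order and is not a full parser), and classifies the observed certificate against a baseline. The `make_fake_cert` helper builds constructed, unsigned but structurally valid DER blobs so the example runs offline; routing the second fetch through an exit (for example over a SOCKS proxy) is left to the caller and is not implemented here.

```python
import hashlib
import socket
import ssl


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_bytes, full_tlv_bytes) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, nxt = _read_tlv(buf, pos)
        yield tag, buf[vs:ve], buf[pos:nxt]
        pos = nxt


def issuer_and_subject(der):
    """Return the raw issuer and subject Name TLVs of an X.509 DER certificate.
    Assumes the standard field order: [0] version (optional), serialNumber,
    signature, issuer, validity, subject, ..."""
    _, cs, ce, _ = _read_tlv(der, 0)                       # outer Certificate SEQUENCE
    _, tbs_val, _ = next(_children(der, cs, ce))           # first child: tbsCertificate
    fields = [full for _, _, full in _children(tbs_val, 0, len(tbs_val))]
    if fields[0][0] == 0xA0:                               # explicit version tag present
        fields = fields[1:]
    return fields[2], fields[4]


def fingerprint_sha256(der):
    return hashlib.sha256(der).hexdigest()


def is_self_signed(der):
    """Heuristic: a certificate whose issuer Name equals its subject Name is self-signed."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def classify(baseline_der, observed_der):
    """Compare the certificate seen through an exit with the one seen directly."""
    if fingerprint_sha256(baseline_der) == fingerprint_sha256(observed_der):
        return "ok"
    if is_self_signed(observed_der):
        return "self-signed substitute"
    return "different certificate"


def fetch_der(host, port=443, timeout=10):
    """Fetch the leaf certificate a peer presents. Verification is disabled on purpose
    so a substituted certificate is returned rather than rejected; nothing beyond the
    TLS handshake is sent. Route the socket through a proxy yourself to test an exit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample input (not real certificates; unsigned, for offline testing) ---

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE OF RDN; one RDN holding commonName (OID 2.5.4.3) as UTF8String."""
    atv = _tlv(0x30, _tlv(0x06, bytes([0x55, 0x04, 0x03])) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def make_fake_cert(subject_cn, issuer_cn):
    """Structurally valid X.509 DER with a dummy key and signature (constructed sample)."""
    rsa_oid = _tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01]))
    alg = _tlv(0x30, rsa_oid + _tlv(0x05, b""))
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    validity = _tlv(0x30, _tlv(0x17, b"060827000000Z") + _tlv(0x17, b"070827000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 33))
    tbs = _tlv(0x30, version + serial + alg + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 33))


if __name__ == "__main__":
    direct = make_fake_cert("www.example.com", "Example CA")
    via_exit = make_fake_cert("www.example.com", "www.example.com")
    print(classify(direct, direct), "/", classify(direct, via_exit))
```

In practice the baseline would come from `fetch_der` over a direct connection (or from several vantage points, since a site may legitimately serve different certificates from different hosts) and the observed certificate from the same call routed through the exit under test; a `"different certificate"` verdict that is not self-signed still merits a look, since a substitute signed by some other authority is exactly the deniable, "just misconfigured" case Nick describes.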