[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] One way to protect onions against cloning attack

To: Tor Talk <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] One way to protect onions against cloning attack
From: "Nurmi, Juha" <juha.nurmi@xxxxxxxx>
Date: Wed, 9 Mar 2016 10:20:50 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 09 Mar 2016 03:21:02 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ahmia-fi.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=+gSsFiuHZVh+YsZiOeRzq7Qc7qDQWFPzBkzzCMyr7eU=; b=dXV9fVAEVMvkF0+bHuMhFaxdqTEh5Jdk6q+1APrD1d4Ap+Hx4JCgHjKoTyOC/E9dcO Xbzm3wL8k9GXTcmJCG3JR68AbRlaxgYsScUmwMPdxNzXA3XMP7SgHPkfG+GA+JHMWJ7B gC8ZTJZRrqA/pSY4N4QKgTP3h5SvEPn/dj9puZuJtyf290b3PxC9dnhIpUmfh+3HJI4K c4K2H+JTOEYtsudeSI0zDxvG2zj2hcarHB807qX21FB2jr/sHjD8rz0BnnybE9yaZ4kg d38MIurJDiJqqf5iGWL8+CX70JL9FFoZe+nPGK1s8Jazo0uekKRz/v2XO5EZHtyAx+bd NO/w==
In-reply-to: <CAJ8LpWqUDLr0VcQ3q-E1oeBW887Exbw_fXOdopq6Hhzy7=3MCA@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CAJ8LpWqUDLr0VcQ3q-E1oeBW887Exbw_fXOdopq6Hhzy7=3MCA@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

And the attacker immediately started to override CSS rules. I made a
counter attack again. See

REAL: http://msydqstlz2kzerdg.onion/
FAKE: http://msydqjihosw2fsu3.onion/

Let's see what is the next move from the attacker. He is probably reading
this mailing list.

-Juha


On Tue, Mar 8, 2016 at 2:50 PM, Nurmi, Juha <juha.nurmi@xxxxxxxx> wrote:

> Hi,
>
> As you may have heard someone runs fake sites on a similar address to the
> original ones and tries to fool people with that. Fake sites are transparent
> proxies with MITM.
>
> I added this detection to ahmia.fi's onion site:
>
> REAL: http://msydqstlz2kzerdg.onion/
> FAKE: http://msydqjihosw2fsu3.onion/
>
> This is a CSS trick and works without JavaScript. CSS checks the address
> using regexp and if it is not correct it will activate warning text.
>
> @-moz-document
> regexp('(?!https?://ahmia\\.fi|https?://localhost|https?://127\\.0\\.0\\.1|
> http://msydqst.*2kzerdg\\.onion).*') {
>
> /* Alternative CSS content rules for fake site. */
>
> }
>
> It's not perfect solution but again we can make the attacker's life hard.
>
> Peace,
> Juha
>
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] One way to protect onions against cloning attack
  - From: Nurmi, Juha

Prev by Author: [tor-talk] One way to protect onions against cloning attack
Next by Author: [tor-talk] Cloudflare: option available to whitelist the Tor "country" (T1)
Previous by thread: [tor-talk] One way to protect onions against cloning attack
Next by thread: [tor-talk] How to specify exit node country for TorBrowser?
Index(es):
- Author
- Thread