[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: False certificates



On Tue, Nov 28, 2006 at 06:52:29PM -0600, Mike Perry wrote:
> > bach from Germany : 212.42.236.140
> 
> Confirmed (I've found an alternate machine to do dev on, so I should
> be able to continuously scan now). Bach is self-signing certs still,
> and not just for e-gold.  It is also likely the culprit as opposed to
> an upstream ISP, since the CN name is "bach".  Based on this, I'm
> guessing they're not intending to stop anytime soon.

Yuck. Actually, Peter Palfrader just pointed out that it's probably just
an iptables screw-up. "bach" is that Tor server's nickname. It looks
like he's redirecting all outgoing port 443 requests back into his ORPort.

So, yet another instance of a non-malicious attacker. :)

> Is there any way to manually de-list this as an exit in the tor
> directory servers while we develop a way to integrate this automated
> scanning solution?

Yes, we can mark the node as invalid, and then people won't use it for
entry or exit. Down the road when more people have upgraded to 0.1.2.x,
we will instead make use of the BadExit flag we recently introduced.

Bach registered itself a while ago; I'll contact the operator and ask
him to fix his iptables.

Thanks,
--Roger