[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
From: Georg Koppen <gk@xxxxxxxxxxxxxx>
Date: Fri, 14 Aug 2020 20:48:45 +0000
Autocrypt: addr=gk@xxxxxxxxxxxxxx; prefer-encrypt=mutual; keydata= mQINBFH3/woBEADHs/Q4t69Vm+mNMW0vH0Ms6HtjpzBsto/yyDAoLitmAxfMIeCuWuyuBdHR krdq9Rk5WQLYtP9eROGkuABK/UaxpLw8zkwkmqbxQ2wxytVwgonOmAFPXvPjzVy+ToJvKWJj tRGFoWwO9OEZ8q6xhVnwLUJXRQF01/XhBhU2RPzzUTHrgiY2bi6Ko34nSM8qAuidykqd/elI wE+kn4+TZ+yBC7pzwUfRK0bOqc05qtq5ooH7rYGpvdOkt9DuoFEjhLrBaL3UiP5J6D9W1Ltv 7Y239RGZyGr0wO5ClhuJwipnw6yWDt493cw4fOy7J1Lbo8dZyU4pnFIgt1Cu506/CvdQ53pR UHhCSIS/IyOiEL9PI/PPByG9UhwNQYk9U22h4MalPwa+4rZ1XA6mf5+T4QQRmghAnegPwyQw qnQzHc2ZPAal+Ill15AncyfIeMfuCLyA/TVWwQTQMzdcVwu3nljBfGOjOSTHOafBqsVlvgEo R9GB9OaTbriP7lCDJmBsgFFZ5F0m6us2pP72TpM0GMYCae7PHk7POhvcE5VJg03E3tjyQUQA zt5ZcpzjZtbcWIoYjxEJMq1Wzj0PYfZYFYZGq2lQx7xJ54gb+RlXEaKiXhDQH+EkrKZHBDWi atMbfkMWiknmn8O7VkuT4LOHsF1I9oJt1VTZ0dx2MVvk2hhs3QARAQABtCBHZW9yZyBLb3Bw ZW4gPGdrQHRvcnByb2plY3Qub3JnPokCOgQTAQgAJAIbAwULCQgHAwUVCgkICwUWAwIBAAIe AQIXgAUCUuzzUQIZAQAKCRCUNzqpS3wyI694D/90P74XiDzioGbNEH37W9P5G6unLUKp/zLf 5Ifosf6ijS5EvhKXpSXAqWu4eSpUh+i72Kr53SvzAIggWjUM61e92xt0bg4+VFaguMh6d9l0 MpDMfRJB+qoRNaDDyGk1VH9ZLBJOpTY59HcIIyg2LIMt1PHk+3npr0MnDfh/5fgyPvFRv9ZK WkKdwD4ImlqGXaxsES2pPk8tn21k7J4N8jzRAYM8oV9cMeeCbMgERilU2sRxNORs55zV6GiD A68lmwY6+OHjaKd0k+Oibs63PrTl1+P4EYBZTlXK9gSSWKiUydVP+2lQoyGVmuH0VpepEcnv zu06g+YU4TiH3f7t1chknGlEm1s872nyZo7Nd+zVDcIa4iklBMpeEsPDB6zRT7KBH+oCw5vK G+Ngjv3AO8hD2RTFHw8oAD8WPBbrOB2C9qSha/XSl7rjxTpqRillP+543xhQncC3b2x+Vk4C wlJdrjOvweMnM4xCEeg03WUeRz6a4Uuh6A9x4WZia+5Y5PrKG4GKPeBbskFdw6N0/10Gk1nF wpS42esKsrvqeltRLPzwFj0FEO+mole3y2f+iR8rJd/rik7AW9PM2YkhiF8kmcyh07GSjcCo qg7AkOJ87Bv2knZ0KYlukY5wBKK/DY55GTLGQ7w6kR/BzMOlKnru1e0+zvyZ4KijODEuaUi1 2bkCDQRdd2fNARAA129/1tcgz/gZRL9duwIxRlrN9VPMGHXs9WPjIIhbZ2xe6jN/ZwuyLIrq fM8MyzMkJYY9oDK6PhzpYkgMt7Z+s/rkFwOduxya4apwOI/gDZ//+eNiKSnXr5KA9rBjk7OF ZWEdT2/Y1u1s84o5SKVEH+N/C0Hum/CNawdldvxaviiF4DxGXi57NUIiI9dW1Gv2Mk7cCHwR Hew6BLLYUC0UyB/0qsZmVpxsu2P22wc0f5DU3ijVBOKlIWy4J49cR57glTB7KqbtZTaCSQpv 9SqamvP/BVyRg1Gk4OLPAC+kxzOWcosWThAUK7T3nlSxKEygQhZmT855l0J/fmsx0zqLL5gW 0vSV7hl6EIShhXUxIY7SZjKkPdzAdCHhAERRq4l2y41k8XEdXo8nYs2j8JaV/NFvM+h7DQOs IRExr7Kshp0gae3k6ZzhWHnm8E+iJKAOmagh43iYZFHb3c10Xg4XRjNoyxETQporYsSIkIzl 8VbtqywFqxfahxWWprePUyQhNhdb7+Xg4B2oAZcIzy15KVLtwgdopcob9KreO7nRFtlu+Wrt msnkkOqzce/XZ62PyFsRtQeaLGxwUSXBzCnpieOpRZWdx5F+c48PzEJoQxRPRbe9gXFaeRtZ erIDv/e8YLYlSkkKNkINGtxo9Olqu3/MzN2R22iCHvQNzh951XUAEQEAAYkCPAQYAQoAJhYh BDXNdMJKmxWhnhqBoZQ3OqlLfDIjBQJdd2fNAhsMBQkB49aAAAoJEJQ3OqlLfDIjQpIP/AlW NB1XFkzPB54vzoXsw9B6j0+4h6KMZKpqi06uATF34j2JMWv+xKhHsSlK3apltjX04VAhhAxQ lc3yfG2B3PfKH/Rw97/NEphNjsgqkwpGs5XWMrXlu+rIObz6rKYHtZ3wePxcGWGOizZ/yfZz Swh6iqjWEo7Q4aF0fQchAa4FY6+emg0nX9lvJMjLYXZcntz4pQ8jHLAsT9H8AH5yOT0BMjgP u72xZ9F77TdFoaoQ2LiBI/BKiN5WuLOP9NzowokRlOdUtC0kDwUzcv6LpR1qHq4d2kXssJUr 7mfVS0+EuT3XQWpNaInbiXgHcPn1C/GbqlTXDFICE5hxM081EpzEbRdneyFlInRNYMOKsiP0 7gEzm6LCG5ZK5xydVS4vCwENBDjYQQe5JpLEvLok3shud35R32muCZpDyJrYMbHQTpJ6pODO +LS1RaK/derXGylK/OT5IxQaAszM8wAMFQvQi+hGAOvF/vCvZ++so34aB258mJIFz7XKJPFO Bgfeqcz9YvrUwl6ZoQmK9t5fzYI3hRuUmRHUBBG3gBARvDTb32f//FEJfJ5nioaMClXw4Hoc jf+0Xa1DYJn/2Utjwr7HHQI6tLMDdI5VNc2L8V2axFjmmV3Sb3pQo1eT1bcNgjyuCht/WYEq CJvi1mOQRh0UKS/WV70ni0jQjlmn53ubuQINBF13aDEBEACwlExNzqrcYFVzkpWC8XKW0E14 sbecwjZGRTU7Eq0aZytEgRvG4ijAz3Bn9Z/tMTdL5a2GzGHhRx1oC9HXAGr5q9Zqz/B2Qyfn slnDN/cO6cKk5hnbIjQuPi5Eg5+oGeKGhClrRbI9OOuK0lm9tlUnAxkdOgmGz1t5FL6F+gWY M8Pam/kvvKJfqmPBtmsqSKW7ERGPZ27jqP7YddfB89UaDF4lsMkX3WTGe1gyL1CU2uFU9L93 FhxPDcUUzSntDjlVau2E7Px5sunnxVUZzM8kuCAJMg0LQ+AfNfrr0L8fOe2Z2cvkDr+efS0f VyA5+wv8svEuiRqY4Rrp5qNDiAvxAzO3y0c6gw9iYYqNnfQ7XbuiW+9Tuhcb+h1DJnR8b4YD VPMrfuga92Y3vdSNo+l3eelcvcGSxmSSZSgdqEZOmr4mJOZmXPNJUzMcdaX4jb1mg26TpntK OkR556Uot4kwfaP0m/aNqlRYergxvjXB7DYBDxWGmcDMnotfEBnTtihSWJruM56p5yddNjiw gbm07jWyJC0kI/r399KgBVXsSqKTDRpagwk3/zbYkIA2/NsENCQxp5zu6BJXdrT6Dy6F36Bc NlodzLRHGmqblZ4zCxoKnE7lmhJjr+mZzsWadyg5HRPDlQYATu4HEsbVYY590G2L9b6volHE 2Rc+T1diJQARAQABiQRyBBgBCgAmFiEENc10wkqbFaGeGoGhlDc6qUt8MiMFAl13aDECGwIF CQHj1oACQAkQlDc6qUt8MiPBdCAEGQEKAB0WIQTUttOn/VUPhD4MgOd+Q4tauRcwPgUCXXdo MQAKCRB+Q4tauRcwPh7/EACpcfyUg3rCO+YC5TO528m2aYLYlEmSsSsf/IFfst1jde0L+yuC klQIvvrylbUCutlG65CktxOAfig6o8DNfO/j4m7PADg1m5tALFKp8yWgUemv7NKc8Jl/3fM0 cgjBY+pu82QKcEmFcY9gt+C0gH5lmfBHdTKdycYJ/7TCbYgoLworKG58g9pNqiYkkBSQY2q/ XywoPrbyhRrsOmcty/uumOnpu9InDKjBxE/c3HmWTTxqr8T5caKrQdNXWkSjv5FzRQC95Ymi oQeorRnWDNSJ4UcmEohvs2m+9uWAPIMgcBKefVsKWxKK0CvZLq/tpjw8bgkpRqHL7fWXwwIF 9jH04psmfiom8pzS0fxqaVmBVUHj0PMqIimg74fUmoeJmhTR18rp+hdB3xPeX7Rq6c6Y8JDI kA7WSLx+kptHQ58YOAg3r14FoRR8mp94gDiEyQwj3bME9laBLSYKWjdkW99M5/BXU/MgaK5Q uQ0V2Dpfr753lnne+u44SS5AMc+WUVvvcwM5WdjdPrioSOotJoZGuGEU63WEHhAPb2DaEa0Z poXZIvFu14V5+0AHLgo5qsJMu2sWDO72kgx/f5bGZgpg0ubivgTmWxtB/1r4+ochKDyAJhol ZzonlhpiOLuve8lDjf2j6u2ztuKcHGDoc3LPuS8n5/KZ1FnNmplpM0TNnmcUD/9g8G2Aj4ah nUB5DJiPab2EZaoe6eufn1slNcPHAhBZyjftOM8iQ58i5HygrG48M9/zF5VQ55kc8etGN6cB L9XXrqZTcB354BcXLjrYe/1Atm3x+OI392WUi22N/BYzmMUDaB0vxh3wDO379TyoC9MAOY41 oG4YddBYQqHS1kO/CjCUlWGaG1qksowSgS1P6mn+6ZF7y90yphvo2CF/9L/eI9UsqLGfywji 97qXwBY6a38Ya2TrHlA/Qn0vepf6aSieV1SlDpFOGfeS1/tkKJgsRFZb91iI4Qz7Mex+dQQn iiG42+OwllkKFmE78MrjrspBON4FTFtrAXKGmPZqHPWFHUmSZAowX6XHK/GaEDX5y8KMcAje annxvwSUEtDtkbw4Zkx/s0uJvY2DisXjui6IybnocBp6GUSnhQRfU8kROkW3oVQ7qGNcqESU WFsBVKu+4s1fMa1KrYVwqG2zQZLQVQucIFPZFUUoEecTqaBLuQn8gxcuDMDo4x7l3KnayHdK t/PQWA08IW+NVgiRB8Nzjtbar1emzlwYd/KCkqoI4OpK+lzpjjijsvrzErTWN4jHTFk8v3pm RwN6Nq/n+uuSh7l66ZzGsI3tkw6TB365bOapmwH+QfcI40MVe0cizdqcCgyL/yyEcz0MZgoS /3KOe0GZ1A2SWewkOuVBNQF6dw==
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 14 Aug 2020 16:49:13 -0400
In-reply-to: <CA+r81TAVRUDn_OKv+cV=GGEUOowEy11yx29cbNB3LAshd23agw@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <730db076-2e22-3aae-41dc-6e3fe5952aa9@riseup.net> <CAHcjhEHhNw5vB=p-0q5nRKP+fHDAG-XmQuPi=K5GCAE10iDnQQ@mail.gmail.com> <26053174-9407-4B29-8CA3-DCB163F537D7@to-surf-and-protect.net> <20200814171235.GC4255@moria.seul.org> <732358C7-600D-4748-BDE5-31B035C2D9CD@to-surf-and-protect.net> <CA+r81TAVRUDn_OKv+cV=GGEUOowEy11yx29cbNB3LAshd23agw@mail.gmail.com>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Igor Mitrofanov:
> Is there anything Tor can do inside the Tor browser itself?
> I would understand and support something as drastic as disabling non-HTTPS,
> non-Onion connections altogether. When the user types a URL with no
> protocol prefix, the browser will assume HTTPS.
> This may break some websites, so a transition may be required. Such a
> transition can start with a warning banner, proceed to a warning page, then
> to a browser setting to enable it, and finally to disabling the capability
> for good.
> 
> The above assumes there is much less benefit in running a rogue Tor exit if
> the operator cannot see or alter the content it is relaying.

I think that assumption is not unreasonable. Yes, we are actively
thinking about trying an HTTPS-only mode out as part of a defense
against similar attacks. See the blog post[1] about it which we just
published, which should give more context for the incident as well.

Georg

[1] https://blog.torproject.org/bad-exit-relays-may-june-2020

> On Fri, Aug 14, 2020 at 1:25 PM niftybunny <
> abuse-contact@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> 
>>
>> https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac
>>
>>
>>    - There are multiple indicators that suggest that the attacker still
>>    runs >10% of the Tor network exit capacity (as of 2020–08–08)
>>
>>
>> And on this one: I trust nusenu who told me we still have massiv malicious
>> relays.
>>
>>
>>
>> On 14. Aug 2020, at 19:12, Roger Dingledine <arma@xxxxxxxxxxxxxx> wrote:
>>
>> On Thu, Aug 13, 2020 at 03:34:55PM +0200, niftybunny wrote:
>>
>> This shit has to stop. Why are the relays in question still online?
>>
>>
>> Hm? The relays are not online -- we kicked them in mid June.
>>
>> We don't know of any relays right now that are attacking users.
>>
>> Or said another way, if anybody knows of relays that are doing any attacks
>> on Tor users, ssl stripping or otherwise, please report them. I believe
>> that we are up to date and have responded to all reports.
>>
>> That said, there is definitely the uncertainty of "I wonder if those
>> OVH relays are attacking users -- they are run by people I don't know,
>> though there is no evidence that they are." We learned from this case
>> that making people list and answer an email address didn't slow them down.
>>
>> I still think that long term the answer is that we need to shift the
>> Tor network toward a group of relay operators that know each other --
>> transparency, community, relationships, all of those things that are
>> costly to do but also costly to attack:
>> https://gitlab.torproject.org/tpo/metrics/relay-search/-/issues/40001
>> https://lists.torproject.org/pipermail/tor-relays/2020-July/018656.html
>> https://lists.torproject.org/pipermail/tor-relays/2020-July/018669.html
>>
>> But the short term answer is that nobody to my knowledge has shown us
>> any current relays that are doing attacks.
>>
>> Hope that helps,
>> --Roger
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
> 
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
  - From: William Kane

References:
- [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
  - From: nusenu
- Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
  - From: Michael Gerstacker
- Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
  - From: niftybunny
- Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
  - From: Roger Dingledine
- Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
  - From: niftybunny
- Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
  - From: Igor Mitrofanov

Prev by Author: Re: [tor-relays] Tor bandwidth scanner "longclaw" slow to the US West Coast
Next by Author: Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
Previous by thread: Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
Next by thread: Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
Index(es):
- Author
- Thread