
SIGAINT email service targeted by 70 bad TOR exit nodes - sp332
https://lists.torproject.org/pipermail/tor-talk/2015-April/037549.html
======
BoppreH

        I know we could SSL sigaint.org, but if it is a state-actor 
        they could just use one of their CAs and mill a key.
    

Please don't use that argument. It's like not putting a lock on your door
because thieves can just bust it open anyway.

It's true at face value, but you are ignoring that a) it keeps smaller
attackers at bay and b) it makes noise when it breaks. In case of SSL the
noise is that a user receives a valid but unusual certificate, which can be
caught by something like the SSL Observatory
([http://tor.stackexchange.com/a/1879](http://tor.stackexchange.com/a/1879)).

~~~
mike_hearn
Yeah, the fact that they would make such an argument is a big red flag to stay
away from their service.

There are currently _zero_ known cases of intelligence agencies forcing CAs to
sign bogus certs. If SIGAINT is the first victim of this approach then they
will have done the whole security community a service by catching it and the
CA that was coerced will be revoked.

But if they never use SSL at all then it's wide open to anyone at all, not
even just governments. And it's hardly like governments are the only threats
against people who use such services.

~~~
wyager
> There are currently _zero_ known cases of intelligence agencies forcing CAs
> to sign bogus certs.

[https://www.eff.org/deeplinks/2011/05/syrian-man-middle-agai...](https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook)

[https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...](https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google)

[http://securityaffairs.co/wordpress/32469/hacking/china-runs...](http://securityaffairs.co/wordpress/32469/hacking/china-runs-mitm-outlook.html)

[http://thehackernews.com/2014/10/chinese-government-executes...](http://thehackernews.com/2014/10/chinese-government-executes-mitm-attack.html)

~~~
iancarroll
> [https://www.eff.org/deeplinks/2011/05/syrian-man-middle-agai...](https://www.eff.org/deeplinks/2011/05/syrian-man-middle-agai..).

> The attack is not extremely sophisticated: the certificate is invalid in
> user's browsers, and raises a security warning.

> [https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...](https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att..).

DigiNotar was compromised, not compelled.

> [http://securityaffairs.co/wordpress/32469/hacking/china-runs...](http://securityaffairs.co/wordpress/32469/hacking/china-runs..).

> the connection was established with a self-signed digital certificate.

> [http://thehackernews.com/2014/10/chinese-government-executes...](http://thehackernews.com/2014/10/chinese-government-executes..).

> but the company’s SSL certificate is replaced by the intruders for a self-
> signed one

~~~
higherpurpose
France did it:

[https://nakedsecurity.sophos.com/2013/12/09/serious-security...](https://nakedsecurity.sophos.com/2013/12/09/serious-security-google-finds-fake-but-trusted-ssl-certificates-for-its-domains-made-in-france/)

[http://googleonlinesecurity.blogspot.com/2013/12/further-imp...](http://googleonlinesecurity.blogspot.com/2013/12/further-improving-digital-certificate.html)

~~~
Buge
I don't see any evidence of an intelligence agency being involved or of the CA
being forced to sign the certs.

> ANSSI has found that the intermediate CA certificate was used in a commercial
> device, on a private network, to inspect encrypted traffic with the knowledge
> of the users on that network.

------
sp332
From an email further down in the thread
[https://lists.torproject.org/pipermail/tor-talk/2015-April/0...](https://lists.torproject.org/pipermail/tor-talk/2015-April/037553.html)

 _While these relays account for 6% of the total number of exit relays, they
only sum up to 2.7% of exit probability, which is what really matters.

Almost all of them were younger than one month and they seem to have joined
the network in small batches._

[https://lists.torproject.org/pipermail/tor-talk/2015-April/0...](https://lists.torproject.org/pipermail/tor-talk/2015-April/037554.html)

 _the diversity here is interesting. My hunch is that we are looking at 38
popped boxes.... The question to me is: Do they all have something in common?
What was the vector of compromise?

Curiously enough, they all run Debian stable (according to the SSH version
string "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2" ALL of them spit out on port 22
— no exception!)._

~~~
matheweis
> While these relays account for 6% of the total number of exit relays, they
> only sum up to 2.7% of exit probability, which is what really matters.

If that probability is on a per-tor-session basis, that is actually not very
in favor of the user. My combinatorics are a bit rusty, but wouldn't your odds
of being in the 2.7% increase significantly each time you use the tor network?

~~~
garrettr_
Tor uses entry guards [0] to mitigate this kind of an attack.

[0]:
[https://www.torproject.org/docs/faq.html.en#EntryGuards](https://www.torproject.org/docs/faq.html.en#EntryGuards)

~~~
nullc
Entry guards do nothing for bad exits... sticking to particular exits across
sessions would significantly harm your privacy in a way that entry guards do
not.
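
An added example (not from the thread or the tor-talk posts) covering the two points discussed above: a batch of young relays sharing one SSH banner stands out as a cluster, and a small exit probability compounds over many circuits. The relay list is constructed, and exit choice is assumed independent per circuit with a fixed exit probability, which simplifies Tor's path selection.

```python
from collections import defaultdict
from datetime import date

DEBIAN_BANNER = "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  # banner quoted in the thread

# Constructed sample data, not real relays:
# (nickname, exit weight, first seen, SSH banner on port 22)
RELAYS = [
    ("old1", 100, date(2013, 5, 1), "SSH-2.0-OpenSSH_5.9"),
    ("old2", 80, date(2014, 1, 9), DEBIAN_BANNER),
    ("old3", 80, date(2014, 3, 2), "SSH-2.0-OpenSSH_6.6"),
    ("old4", 60, date(2014, 7, 7), "SSH-2.0-OpenSSH_6.2"),
    ("old5", 60, date(2014, 9, 1), "SSH-2.0-OpenSSH_6.6"),
    ("old6", 50, date(2014, 11, 3), "SSH-2.0-OpenSSH_6.7"),
    ("new1", 40, date(2015, 4, 2), "SSH-2.0-OpenSSH_6.7"),
    ("new2", 10, date(2015, 4, 3), DEBIAN_BANNER),
    ("new3", 10, date(2015, 4, 3), DEBIAN_BANNER),
    ("new4", 10, date(2015, 4, 10), DEBIAN_BANNER),
]

def young_clusters(relays, today, max_age_days=30, min_size=3):
    """Group relays first seen within max_age_days by SSH banner; keep large groups."""
    groups = defaultdict(list)
    for name, _weight, first_seen, banner in relays:
        if (today - first_seen).days <= max_age_days:
            groups[banner].append(name)
    return {b: names for b, names in groups.items() if len(names) >= min_size}

def shares(names, relays):
    """Return (fraction of relay count, fraction of exit weight) held by the named relays."""
    total = sum(w for _, w, _, _ in relays)
    held = sum(w for n, w, _, _ in relays if n in names)
    return len(names) / len(relays), held / total

def p_bad_exit(exit_prob, circuits):
    """Chance that at least one of `circuits` independently chosen exits is in the bad set."""
    return 1 - (1 - exit_prob) ** circuits

if __name__ == "__main__":
    today = date(2015, 4, 20)  # constructed "now"
    for banner, names in young_clusters(RELAYS, today).items():
        by_count, by_weight = shares(names, RELAYS)
        print(banner, names, f"count={by_count:.0%} exit_weight={by_weight:.0%}")
    for n in (1, 10, 25, 100):
        print(n, f"{p_bad_exit(0.027, n):.1%}")
```

In the constructed data the flagged cluster is 30% of relays by count but 6% by exit weight, the same kind of gap as the 6% versus 2.7% figures quoted from tor-talk.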

------
atmosx
The guy apparently _sells_ the SSL for an _account upgrade_ [1], which IMHO is
kinda bad practice. The SSL is the only thing keeping away low and average
level attacks easily.

> The attacker doesn't seem to be after passwords (they probably have some of
> them now). We get less than 1 user of 42K complaining about their account
> being hijacked every 3 months.

Hm, I wonder how many of the 42k users have paid for an upgrade. I always had
the feeling that many services would have a considerable amount of
users/clients if they had a counterpart running on TOR and accepting bitcoins
(or any alt-coin).

[1]
[http://sigaintevyh2rzvw.onion/upgrade.html](http://sigaintevyh2rzvw.onion/upgrade.html)

~~~
fabulist
> The SSL is the only thing keeping away low and average level attacks easily.

The password is meant to authenticate the user to the server; the user is
meant to authenticate to other users through the use of PGP. In theory it
shouldn't be too big a deal to lose control of your password, because your
emails should all be encrypted. (Though there's certainly a lot of metadata
that someone with your password could glean that you'd much rather they
didn't.)

~~~
Buge
The MITM could insert malicious javascript, or delete all your emails.

And PGP doesn't encrypt the subject.

------
im3w1l
Re: State level actor

How much does it cost to rent 70 boxes? Not that much I imagine.

------
christop
Maybe a dumb question, but would running Tor exit node(s) on their own
server(s) help in this situation?

~~~
glass-
It is possible to run a Tor node as an exit enclave[0], i.e. a node that allows
exits to its own IP address on specific ports. For example DuckDuckGo runs a
Tor node with the IP 184.72.106.52 that allows exits to 184.72.106.52 ports 80
and 443.

However newer versions of Tor do not honour enclaves for various reasons.

[0]
[https://trac.torproject.org/projects/tor/wiki/doc/ExitEnclav...](https://trac.torproject.org/projects/tor/wiki/doc/ExitEnclave)

