
How malicious Tor relays are exploiting users in 2020 - Santosh83
https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac
======
aasasd
I think it says something when the Russian state ordered blocking of many things
on the web, iirc including VPNs—but afaik never got around to blocking Tor.
Don't really know about the entry relays, but I think the site itself would be
blocked if they decided to do it.

Though this might be due to cops wanting to keep their own local ‘war on
drugs’ going on. The statistics won't improve themselves, you know. And I know
for certain that cops are aware of Tor and what people do on it.

Edit: wow, fastest downvotes in the West are coming _immediately_ after
posting in this thread. Like, less than ten seconds passed.

Upd: somebody posted a reply but deleted it before I started typing my own
(what's even happening here?), so here goes. What I'm saying is that I can
only wonder why Russia doesn't block Tor and would very much like to know the
reason. However, I do think that the FSB might be interested in hijacking Tor
traffic, even if just for shits and giggles at first. And buying some boxes in
Hetzner probably isn't a problem for them. Don't forget also that FSB directly
works with several criminal hacker groups here, and having both their own
masqueraded Tor routes and hijacking others' traffic might be vaguely
titillating for those people.

As for blocking Tor, I already mentioned that the site would be easily blocked
with existing measures, as would relay IPs. For more covert nodes, afaik DPI
is being implemented across the providers currently, on RosKomNadzor's orders.
So I guess we might yet see Tor blocked on the protocol level (possibly along
with Telegram?).

~~~
SomeoneFromCA
Probably they want to know who is actually using Tor, instead of knowing what
is being transported through it.

~~~
reedwolf
This is the fundamental problem with TOR, and by extension, any other
anonymity client whose traffic patterns stand out from everybody else's.

Just using it makes you automatically interesting to state actors.

~~~
gruez
Hence why it's important that everybody use it for innocuous reasons. Benefit
is two-fold: it helps users with something to hide (eg. journalists, human
rights activists) stick out less, and in the event you have something to hide,
makes it less suspicious for you to use.

~~~
danaur
Tor doesn't provide enough value that users will use it. The average person
will not partake unless it gives them value or it's free. Expecting anything
else is a fantasy.

~~~
aasasd
...And that's where torrent sites and government blocks come in.

I mean, UK's move against porn is even bolder, but I doubt that Tor handles
video well.

~~~
checkyoursudo
I just tested YouTube, Vimeo, and PBSKids.

YouTube blocked the network request as suspicious though I was able to view
the main page fine; I did not try creating a new circuit.

The Vimeo video played perfectly fine.

I kept creating new circuits until the exit node was US, and then the PBSKids
video played fine.

~~~
WinonaRyder
YouTube works fine and has for years. Earlier this year Google started
blocking some requests and due to the use of a redirect you often need to
create a `New Identity` to get around it. It _usually_ helps if you visit the
youtube.com homepage first, though.

------
TedDoesntTalk
From the article:

“It appears that they are primarily after cryptocurrency related websites —
namely multiple bitcoin mixer services. They replaced bitcoin addresses in
HTTP traffic to redirect transactions to their wallets instead of the user
provided bitcoin address. Bitcoin address rewriting attacks are not new, but
the scale of their operations is. It is not possible to determine if they
engage in other types of attacks.”

------
arkadiyt
Individuals and organizations certainly run malicious exit nodes, but there's
literally not a hint of evidence in this post to back up the author's claim
that these exit nodes are operated by a single group?

~~~
brbsix
He's being intentionally vague. The attacker is obviously aware of his posts.
If he reveals how he is identifying the relays, they will change accordingly.

If you read between the lines, he gives a few hints with regards to the
sslstripping and traffic manipulation on only a limited set of sites.

This is from another post @ [https://medium.com/@nusenu/the-growing-problem-of-malicious-...](https://medium.com/@nusenu/the-growing-problem-of-malicious-relays-on-the-tor-network-2f14198af548):

> In autumn 2019 I stumbled on something odd: Tor relays doing something that
> the official tor software is unable to do. This is intentionally vague to
> avoid giving away the detection methodology to the adversary.

------
michaelt
Some parts of 'security conscious' behaviour make this attack easier: not
saving a bookmark, or a browsing history, or caching any redirects between
sessions.

And that means many users are likely re-typing the URLs of the services they
want to access every time. Any Tor user who enters bitcointumbler.com instead
of [https://bitcointumbler.com](https://bitcointumbler.com) would be a target
of this attack.

~~~
aasasd
Tor Browser has ‘HTTPS Everywhere’ bundled, and I would hope that it's set up
to opt for https by default, since http is pretty much no-go with Tor.

~~~
TedDoesntTalk
But that is not always effective:

“They (selectively) remove HTTP-to-HTTPS redirects to gain full access to
plain unencrypted HTTP traffic without causing TLS certificate warnings. It is
hard to detect for Tor Browser users that do not specifically look for the
“https://” in the URL bar. This is a well known attack called “ssl stripping”
that exploits the fact that users rarely type in the full domain starting with
“https://”. There are established countermeasures, namely HSTS Preloading and
HTTPS Everywhere, but in practice many website operators do not implement them
and leave their users vulnerable to this kind of attack.”

~~~
MauranKilom
I don't understand how HTTPS Everywhere would be insufficient. In my
understanding you cannot visit any HTTP site while HTTPS Everywhere is active.
You would have to turn it off or add an exception.

What am I missing? Is this only an option in HTTPS Everywhere (that is not on
by default)?

~~~
bilegeek
Something like that.

By default, HTTPS Everywhere uses a list of HTTPS-capable sites. It doesn't
automatically HTTPS-ize the sites outside of that list or block HTTP
connections. You have to click the "Encrypt All Sites Eligible" option for
that, and only then will it throw an error if the site doesn't have an HTTPS
version.

Tor Browser doesn't have this enabled by default, probably because hidden
services don't require HTTPS and it would be a pain as a default.

~~~
hcs
Encrypt All Sites Eligible doesn't prevent http to .onion sites.

See the check here: [https://github.com/EFForg/https-everywhere/blob/bcaf7bdecf14...](https://github.com/EFForg/https-everywhere/blob/bcaf7bdecf147c2a46d7ed73bce64389d828d865/chromium/background-scripts/background.js#L370)

Edit: Which is not to say that there aren't rules forcing some .onion sites to
https, there are. Encrypt All Sites Eligible (httpNowhereOn) just knows it
doesn't have to worry about un-rewritten http .onion addresses. So it really
is a good idea to turn it on, and think hard before allowing an exception.
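
As an added example (not code from the article, this thread, or HTTPS Everywhere), the block below models the client-side decision chain discussed in this subthread (HSTS, rulesets, "Encrypt All Sites Eligible" and its .onion exemption, simplified rather than copied from the linked source) and adds an operator-side check for the two countermeasures the article names. Hostnames, rulesets and HTTP responses are constructed.

```javascript
// Added example, not code from the article, the thread or HTTPS Everywhere.
// Client side: what a Tor Browser-style client sends for a hostname typed
// without a scheme. Operator side: whether the countermeasures the article
// names (redirect to HTTPS, HSTS fit for preloading) are actually deployed.
// All hostnames, rulesets and HTTP responses are constructed.

const HSTS_KNOWN = new Set(["mixer-hsts.test"]);     // preload list / remembered HSTS
const HE_RULESETS = new Set(["mixer-ruleset.test"]); // HTTPS Everywhere-style rulesets

// httpNowhereOn models "Encrypt All Sites Eligible". `exposed` is true when
// the first request leaves the client as plaintext HTTP through an exit relay,
// which is where a redirect-stripping exit gets its chance.
function firstRequest(typedHost, { httpNowhereOn = false } = {}) {
  const host = typedHost.toLowerCase();
  const onion = host.endsWith(".onion"); // never leaves Tor via an exit
  if (HSTS_KNOWN.has(host))  return { url: `https://${host}/`, exposed: false, reason: "hsts" };
  if (HE_RULESETS.has(host)) return { url: `https://${host}/`, exposed: false, reason: "ruleset" };
  // EASE blocks unrewritten http:// but exempts .onion hosts (simplified model).
  if (httpNowhereOn && !onion) return { url: null, exposed: false, reason: "blocked" };
  return { url: `http://${host}/`, exposed: !onion, reason: "plaintext" };
}

// Split a raw HTTP response into its status code and a lower-cased header Map.
function parseHead(raw) {
  const [statusLine, ...lines] = raw.split("\r\n\r\n")[0].split("\r\n");
  const headers = new Map();
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return { status: Number(statusLine.split(" ")[1]), headers };
}

// Operator check: the http:// response must redirect to https://, and the
// https:// response must carry an HSTS header meeting the preload list's
// requirements (browsers ignore HSTS sent over plain HTTP). Returns findings;
// an empty list means both countermeasures are in place.
function auditSite(httpRaw, httpsRaw) {
  const findings = [];
  const http = parseHead(httpRaw);
  const location = http.headers.get("location") || "";
  if (!(http.status >= 301 && http.status <= 308 && location.startsWith("https://")))
    findings.push("http:// does not redirect to https://");
  const hsts = parseHead(httpsRaw).headers.get("strict-transport-security") || "";
  const maxAge = Number((/max-age=(\d+)/i.exec(hsts) || [])[1] || 0);
  if (maxAge < 31536000) findings.push("HSTS missing or max-age below one year");
  if (!/\bincludeSubDomains\b/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  if (!/\bpreload\b/i.test(hsts)) findings.push("HSTS lacks the preload token");
  return findings;
}
```

Only the "plaintext" branch hands the exit relay anything to strip, which is why the article's advice lands on the site operator (redirect plus preloaded HSTS) as much as on the user (EASE).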

~~~
bilegeek
Huh. TIL.

I guess it also depends on your threat model. If you are only browsing and in
"Safest" mode, I suppose it's tolerable. But I agree that logging into
anything requires EASE to be on.

------
tootahe45
Anyone using TOR for security or anonymity has a screw loose. Without a
for-profit model for hosting nodes we can assume the whole network is being
controlled by just a few interested actors.

It might be useful when you have your own 3 hosted nodes.

~~~
mindfulhack
I deliberately bleed my own money and energy to run a Tor node to help other
people gain freedom of information. Small scale, but proof that your absolute
statement is not grounded in reality.

~~~
zamadatix
You don't need to run every node to control the network, only most.

~~~
WinonaRyder
> You don't need to run every node to control the network, only most.

I guess it depends what you mean by _most_. We operate 8 relays, so you can
exclude 8 more from your _most_ and make of that what you will...

~~~
zamadatix
There are some 6,000+ relays active so even in the most minimal interpretation
of "most" that's ~3,000 short of most. Or subtracting the 8 specified if one
considers them trusted that's somewhere around ~3,000 (i.e. it doesn't help
you make out anything you couldn't have made out before).

------
suizi
"require a verified email address to gain the exit or guard relay flag"
Getting fresh emails is incredibly easy.

------
nielsbot
Minor complaint: I think the chart showing percentage of malicious nodes
should be 0%-100%, not 0%-[max value]%

~~~
nerdponx
I disagree. The max value is what, 24%? You really want a chart with 75% unused
blank space at the top, with all the data compressed into the bottom quarter
of the area?

------
david_draco
Block all outgoing port 80 traffic on your computer. Browsers should have that
option as well.

~~~
dane-pgp
Firefox does indeed have such an option:

[https://www.ghacks.net/2020/03/24/firefox-76-gets-optional-h...](https://www.ghacks.net/2020/03/24/firefox-76-gets-optional-https-only-mode/)

------
eganist
Dupe.
[https://news.ycombinator.com/item?id=24098560](https://news.ycombinator.com/item?id=24098560)

Also an editorialized title.

~~~
grzm
Posts are considered dupes if the earlier ones have gained sufficient
traction. In this case, there were few points and no comments prior to yours,
made minutes ago. As for title editorializing, the submitted title is the
subtitle of the submission, as opposed to something made up by the submitter.
If you think the title is in error, you can contact the mods (using the link
in the footer) with any suggestions.

~~~
eganist
Good to know.

Sounds more like duplicate submissions should register as an upvote on the
previous one if it's within a certain amount of time rather than posting
separately. This is a feature Reddit has had for about a decade.

Additionally, the title here states "More than 23% of Tor exit relays operated
by a single malicious actor", whereas the subtitle states ">23% of the Tor
network’s exit capacity has been attacking Tor users"

While OP's title is confirmed deep in the article ("As far as I know this is
the first time we uncovered a malicious actor running more than 23% of the
entire Tor network’s exit capacity. That means roughly about one out of 4
connections leaving the Tor network were going through exit relays controlled
by a single attacker."), this wasn't anywhere near the top nor was it the
intent of the author to make this specific point.

Anyway, emailed per request.

~~~
grzm
Again, contact the mods. Carrying on editorial discussions in the comments
largely rehashes discussions that have been had many times before.

Edit to add: thanks!

~~~
eganist
> Again, contact the mods.

4:13pm eastern time. Our messages here crossed paths, no worries.

------
SomeoneFromCA
There is an interesting growth coinciding with coronavirus pandemic. I wonder
why.

~~~
dane-pgp
Maybe the conspiracy theorists have got it backwards: 5G doesn't spread
coronavirus; coronavirus spreads 5G.

