Thousands of Tor Exit Nodes Attacked Cryptocurrency Users Over the Past Year (therecord.media)
For more than 16 months, a threat actor has been seen adding malicious servers to the Tor network in order to intercept traffic and perform SSL stripping attacks on users accessing cryptocurrency-related sites. From a report: The attacks, which began in January 2020, consisted of adding servers to the Tor network and marking them as "exit relays," which are the servers through which traffic leaves the Tor network to re-enter the public internet after being anonymized. But since January 2020, a threat actor has been inserting thousands of malicious servers into the Tor network to identify traffic heading to cryptocurrency mixing websites and perform an SSL stripping attack, which is when traffic is downgraded from an encrypted HTTPS connection to plaintext HTTP. The belief is that the attacker has been downgrading traffic to HTTP in order to replace cryptocurrency addresses with their own and hijack transactions for their own profit. The attacks are not new and were first documented and exposed last year, in August, by a security researcher and Tor node operator known as Nusenu. At the time, the researcher said the attacker managed to flood the Tor network with malicious Tor exit relays on three occasions, peaking their attack infrastructure at around 23% of the entire Tor network's exit capacity before being shut down by the Tor team on every occasion.
Why is SSL stripping even possible? (Score:3, Insightful)
Doesn't that make SSL useless?
Re:Why is SSL stripping even possible? (Score:5, Informative)
When you type in "google.com", does your browser open an HTTP connection or an HTTPS connection? (Probably you've been there before, and your browser has cached the HTTP 301 reply, permanent redirect, to https://google.com./ If an HTTPS stripping attack is attempted, you'll get an SSL error.)
Suppose you're going to a site for the first time in the Tor browser, or a site that uses a meta or 302 (temporary -- check again later) redirect to the https version of the site. Then you type bittokens.com, and where does your browser go? What is the default? -> Pretty good bet it's http://bittokens.com/. (Unless you use HTTPS Everywhere or a comparable extension.)
Then, the site will do the "right thing". It'll send a 301 redirect, or a 302 redirect, or a meta refresh, and redirect you to the https version of the site. However, it's already too late: the malicious attacker says, "Yep! http://bittokens.com/, here I am!!" and your browser takes it. It is, after all, what was asked for. The back-end proxy proxies your unencrypted bitcoin info to the https-encrypted site, acting as a go-between, modifying the recipient address (and logging your account and password to take the rest later) as it does so.
Notice that you won't be getting any errors about invalid certificates, because no certificates will be used. Notice that even if the site puts in form method="HTTPS" (doesn't exist), or anything else that informs the browser that the data should not be sent over an insecure link, that that can be filtered out by the proxy. The only real fix for this would be DLP: "It looks like you've entered a bitcoin address. Are you sure you want to submit this form over an insecure link?" -- and to the best of my knowledge no browser has things like that. Not even for username/password fields.
Re: (Score:3)
Then you type bittokens.com, and where does your browser go? What is the default? -> Pretty good bet it's http://bittokens.com/.
The default is https. If I enter https: and some MITM tries to redirect, my browser pitches a fit. At any rate, if I'm doing anything financial, I check the security icon before proceeding.
(Unless you use https everywhere or comparable extension.)
Yeah. Or you could just check before entering sensitive information.
Re: Why is SSL stripping even possible? (Score:2)
Security icons could be faked before. I would not trust it, even if it improved a lot since the early days where you could simply use a favicon that looked the same.
Just go take a look at your browser's built-in list of TLS root certificates, and you will see that it's all a joke anyway.
ANY of those organizations could issue a certificate for some fake Google and you wouldn't know a difference.
Examples, just based on the names and prejudice for the sake of demonstration alone:
* China Financial Certification
Re: (Score:2)
Security icons could be faked before.
You can click on the icon and open the certificate and signing information.
The really evil ones will not have names that sound sketchy or foreign.
Doesn't matter. Was it signed by a trusted authority? And even more important: If its your bank or Bitcoin exchange site, does it have the same certificate fingerprint as the organization you originally set up your account with?
Re: (Score:2)
* Krajowa Izba Rozliczeniowa S.A. (Russian?)
Polish.
Re: (Score:3)
It has baffled me for a while why browsers give a huge message if your site is self-signed, but nothing if it is pure HTTP, which is just worse by any sane measure of security. The request just goes through with a small icon change on the URL.
This should change, the default browser behavior should be to go to HTTPS, if that does not exist the browser should check if the HTTP exists and give a huge warning saying this site is insecure, and maybe a smaller warning for self signed, especially for a local I
First-visit SSL stripping (Score:2)
HSTS won't save you if the stripper is active on the first visit to a site that isn't popular enough to make it into analytics-driven preload lists.
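As an added illustration (not code from this thread, from Tor, or from any browser), the following is a small model of the browser-side HSTS decision that the "Informative" answer above and this comment both hinge on: whether a typed hostname is rewritten to https:// before any request leaves the machine. The preload entry and the hostnames are constructed; it shows that an unknown host on a first visit goes out as plain HTTP, that a policy header delivered over a stripped (HTTP) connection is ignored, and that only a remembered or preloaded policy closes the window on later visits.

```python
# Constructed stand-in for a browser's built-in HSTS preload list (host -> includeSubDomains).
PRELOAD = {"example-bank.test": True}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header; return (max_age, include_subdomains) or None."""
    max_age, include = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None  # malformed max-age: the whole header is ignored
            max_age = int(arg)
        elif name == "includesubdomains":
            include = True
    return None if max_age is None else (max_age, include)

class HstsStore:
    """Per-host HSTS memory, as a browser keeps it across visits: host -> (expiry, includeSubDomains)."""
    def __init__(self):
        self.entries = {}

    def record(self, host, header, now, over_https):
        # RFC 6797: the header only counts when received over a valid TLS connection,
        # so a stripped first visit never teaches the browser anything.
        parsed = parse_hsts(header) if over_https else None
        if parsed is None:
            return False
        max_age, include = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host.lower()] = (now + max_age, include)
        return True

    def should_upgrade(self, host, now):
        """True if the browser rewrites http:// to https:// for this host before sending anything."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in PRELOAD and (exact or PRELOAD[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > now and (exact or entry[1]):
                return True
        return False  # unknown host: a plain http:// request goes out, which is the window a stripper needs
```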
I'm confused. (Score:2)
Thousands of Tor Exit Nodes Attacked Cryptocurrency Users
This a bad thing? I thought Elon said this stuff was a scam (on SNL). :-)
Re: (Score:2)
No, he said it's a hustle.
Revenge is a dish best served...over Tor. (Score:2)
Someone mad about the GPU shortages.
Can I help? (Score:2)
This scourge needs to be eradicated. And since shutting down that crap literally does not harm a single person, and prevents harm and massive resource wasting, there is literally not a single bad thing about it.
(No, libertaryans, preventing you from taking stuff from others is not the same thing as taking stuff from you. It is not a right to make people work or give you their money with "money" you literally made up without working. Not allowing you to make it up is not taking anything from you. It is you n
This Exact Same Attack... (Score:2)
I can't help but ask - in my ignorance - if the TOR network architects are working on mitigation against this attack?
For example [more ignorance] if this all boils down to our ability to trust TOR's exit nodes, maybe there's a way for those nodes [and their maintainer/operators] to establish some form of trust credibility a bit like the way that GPG is designed to work [i.e. you only sign public keys of people you trust]? Obviously it can't be "that easy" or it would have bee
Re: (Score:2)
Tor exit nodes have always been a vulnerability in the Tor network.
There is no way to fix it, because Tor lets you route your packets to exit at a random exit node - the whole point of Tor, after all. If you're going to use a "trusted" exit node, you might as well just use your internet connection regularly. Same goes for people who "log in" to sites using Tor, or do e-commerce.
Re: (Score:2)
The fix should not be in Tor.
It needs to be in your browser to not allow downgrading of a secure connection to an http connection and to properly verify the identity of the true endpoint (the crypto website) with TLS certificates.
The network is not at fault. What you're using it for is stupid and insecure.
Sigh. (Score:2)
Gosh, so you mean I can't trust random unidentifiable third-party Internet endpoints?