7 comments

[ 2.7 ms ] story [ 22.2 ms ] thread
Surprised to see a Wooyun article translated and posted to HN. In case anyone is wondering, wooyun is a Chinese security online community like Full-Disclosure, it features a CVE like vulnerability tracking system. You can find literally thousands of Chinese software/hardware/online exploits.
Is the illustration really accurate for hidden services? If so, for what reason isn't the last hop encrypted too?
The title for this is confusing, they are talking about detecting and attacking regular Tor connections not internal hidden services (like a DarkMarket). That illustration showing not encrypted is the exit node to a regular clearnet site.

The methods for attacking hidden services (DNM) are the same as any other site such as exploiting misconfiguration, exploiting unpatched software or finding new ones, and looking for pieces of opsec like the Czech guy who's darkmarket used some obscure Czech php framework which was identified by viewing the CSS. Every so often a research paper comes out too that identifies some new scheme of analysis of guard nodes/pattern matching/fingerprinting ect to identify hidden service IPs as noted in this Wooyun article. https://news.mit.edu/2015/tor-vulnerability-0729

Snowden docs also talked about QUANTUM which was some NSA/GCHQ scheme to try race conditions against relays to lure Tor users to their own relay farm for analysis detailed here https://www.schneier.com/blog/archives/2013/10/how_the_nsa_a...

(comment deleted)
Thanks for clarifying. Exploiting vulnerabilities in the service itself, mishandling opsec and fingerprinting traffic seem obvious.