Evidently when enough people flag a comment, one loses the ability to edit the comment. This actually makes complete sense in that it helps preserve for mods what the original comment was in the event of an abusive comment, but to add clarity since I can't edit my parent comment, the title should be what's in the original post:
"How Malicious Tor Relays are Exploiting Users in 2020"
Posts are considered dupes if the earlier ones have gained sufficient traction. In this case, there were few points and no comments prior to yours, made minutes ago. As for title editorializing, the submitted title is the subtitle of the submission, as opposed to something made up by the submitter. If you think the title is in error, you can contact the mods (using the link in the footer) with any suggestions.
Sounds more like duplicate submissions should register as an upvote on the previous one if it's within a certain amount of time rather than posting separately. This is a feature Reddit has had for about a decade.
Additionally, the title here states "More than 23% of Tor exit relays operated by a single malicious actor", whereas the subtitle states ">23% of the Tor network’s exit capacity has been attacking Tor users"
While OP's title is confirmed deep in the article ("As far as I know this is the first time we uncovered a malicious actor running more than 23% of the entire Tor network’s exit capacity. That means roughly about one out of 4 connections leaving the Tor network were going through exit relays controlled by a single attacker."), this wasn't anywhere near the top nor was it the intent of the author to make this specific point.
As grzm pointed out, it's not a dupe until the story has had significant attention. That's on purpose, to allow interesting stories multiple chances at getting attention.
I think it says something when Russian state ordered blocking of many things on the web, iirc including VPNs—but afaik never got around to blocking Tor. Don't really know about the entry relays, but I think the site itself would be blocked if they decided to do it.
Though this might be due to cops wanting to keep their own local ‘war on drugs’ going on. The statistics won't improve themselves, you know. And I know for certain that cops are aware of Tor and what people do on it.
Edit: wow, fastest downvotes in the West are coming immediately after posting in this thread. Like, less than ten seconds passed.
Upd: somebody posted a reply but deleted it before I started typing my own (what's even happening here?), so here goes. What I'm saying is that I can only wonder why Russia doesn't block Tor and would very much like to know the reason. However, I do think that the FSB might be interested in hijacking Tor traffic, even if just for shits and giggles at first. And buying some boxes in Hetzner probably isn't a problem for them. Don't forget also that FSB directly works with several criminal hacker groups here, and having both their own masqueraded Tor routes and hijacking others' traffic might be vaguely titillating for those people.
As for blocking Tor, I already mentioned that the site would be easily blocked with existing measures, as would relay IPs. For more covert nodes, afaik DPI is being implemented across the providers currently, on RosKomNadzor's orders. So I guess we might yet see Tor blocked on the protocol level (possibly along with Telegram?).
That's an interesting perspective. I live in Kazakhstan and Kazakhstan blocks popular VPNs as well. But it blocked Tor many years ago (although I think that you can access it with enough trickery, but you can't just access its website and you can't just run downloaded Tor and bootstrap it) for ordinary users.
May be there're not enough juridical grounds in Russia to block Tor. But I doubt it, they tried to block Telegram when they wanted to... May be opposition does not use Tor, so it's out of sight.
> May be there're not enough juridical grounds in Russia to block Tor
That long since stopped being a problem for the state here, in general. But also, Tor is explicitly against the law that regulates VPNs—since proxy-like services must block the same sites that are blocked by RosKomNadzor, to be allowed.
That's one of my suspicions and why I think you'd want to masquerade Tor itself behind three layers of protocols here, in light of emerging DPI. You don't want cops to knock on your door one day, with a baggie of white stuff in their pocket ready to migrate to one of yours.
Hence why it's important that everybody use it for innocuous reasons. Benefit is two-fold: it helps users with something to hide (eg. journalists, human rights activists) stick out less, and in the event you have something to hide, makes it less suspicious for you to use.
Tor doesn't provide enough value that users will use it. The average person will not partake unless it gives them value or it's free. Expecting anything else is a fantasy
I am not so sure about that. The top usage of tor is according to one study, by domain: Facebook, google, blackplanet, yandex, bittorent index, photobucket, craigslist.
YouTube works fine and has for years. Earlier this year Google started blocking some requests and due to the use of a redirect you often need to create a `New Identity` to get around it. It _usually_ helps if you visit the youtube.com homepage first, though.
"Edit: wow, fastest downvotes in the West are coming immediately after posting in this thread. Like, less than ten seconds passed."
Wow, someone is so out of touch with the culture and the conduct code of HN that they worry about the scoring system and neurotically complain about it publicly ...
from what i heard over 50% of Tor nodes in Iran run by the government to track dissidents. I can only imagine what that number is in Russia where every sever is essentially hosted in government-controlled building.
IIRC you can choose the country of the exit node for your Tor route. And I doubt it that anyone chooses Russia except when looking at what the web is like from here.
There is a lot of space to speculate on why, with only sparse data of the internal discussions within the Russian state. What little information that has leaked do show that tor is listed as something that some individuals within the government want to block, but as it stand, it hasn't happened yet.
My own guess is the simple "follow the money" default stance on issues like this. Tor is likely enabling profits for people within the government, and turning it off has low enough political benefits in comparison. Turning off a west operated VPN has likely a very different economic trade off so it get blocked while tor does not. A direct example off that, with a few implication about the Russian government, is that that tor provide access to hidden service market places while other forms of VPNs do not.
Yeah, that's also interesting to think about. Like, when you forbid something to plebs, you don't really want to cut off the ability for yourself too—there's that ‘research agency’ which needs to run things on Twitter, or whatever comes up tomorrow. So you'd think sysadmins would come up with something so others can't use Tor but you and buddies can.
But maybe that would mean giving the sysadmins too much inside info.
I also discovered recently that the FSB and company aren't considered monolithic, and a few departments are doing their own things in a sort of ‘competition’. So yeah, it might be that some of them want Tor and don't want the hassle of setting up the exclusions.
Individuals and organizations certainly run malicious exit nodes, but there's literally not a hint of evidence in this post to backup the author's claim that these exit nodes are operated by a single group?
The author hasn't laid out all of the evidence in the article, but they mention some of the factors which they probably used to identify the actors involved:
1. Explicit identification. Tor relays, including exit nodes, are identified by contact information. Many of the groups of malicious exit nodes shared contact information.
2. Benign behavioral identification. Many of the identified malicious exit nodes were deployed on the same service providers, including some obscure ones. This isn't a definitive identifier, but it helps link explicitly identified groups.
3. Malicious behavioral identification. Many of the malicious exit nodes were performing similar attacks on outbound traffic, like sslstripping traffic to cryptocurrency web sites. The exact parameters of this behavior (e.g, which sites were targeted, what modifications were made to cleartext data, etc) weren't laid out in the article, but would serve as a highly accurate fingerprint for a specific attacker.
He's being intentionally vague. The attacker is obviously aware of his posts. If he reveals how he is indentifying the relays, they will change according.
If you read between the lines, he gives a few hints with regards to the sslstripping and traffic manipulation on only a limited set of sites.
> In autumn 2019 I stumbled on something odd: Tor relays doing something that the official tor software is unable to do. This is intentionally vague to avoid giving away the detection methodology to the adversary."
Exit nodes are Tor worst feature. And it undermines the whole effort!
Makes node operators liable for all sort of legal crap. It is the best thing for Spammers. Every service of note have already blocked them all (all the ones listed publicly, but if you choose not to, you are liable for even more legal crap)
I disgree. The max value is what, 24%? You really want a chart with 75% unused blank space at the top, with all the data compressed into the bottom quarter of the area?
Some parts of 'security conscious' behaviour make this attack easier: Not saving a bookmark, or a browsing history, or cacheing any redirects between sessions.
And that means many users are likely re-typing the URLs of the services they want to access every time. Any Tor user who enters bitcointumbler.com instead of https://bitcointumbler.com would be a target of this attack.
“They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings. It is hard to detect for Tor Browser users that do not specifically look for the “https://xn--ivg in the URL bar. This is a well known attack called “ssl stripping” that exploits the fact that user rarely type in the full domain starting with “https://xn--ivg. There are established countermeasures, namely HSTS Preloading and HTTPS Everywhere, but in practice many website operators do not implement them and leave their users vulnerable to this kind of attack.”
I’m amazed the tor browser itself even allows any http connections, ever. Seems like a terrible idea 100% of the time to allow them at all when the whole thing relies on passing your data through an untrusted party.
Probably because hidden services don't need (or usually use) HTTPS, and they haven't bothered to find an easy way to automatically switch it on and off when alternating to the clearnet.
I don't understand how HTTPS Everywhere would be insufficient. In my understanding you cannot visit any HTTP site while HTTPS Everywhere is active. You would have to turn it off or add an exception.
What am I missing? Is this only an option in HTTPS Everywhere (that is not on by default)?
By default, HTTPS Everywhere uses a list of HTTPS-capable sites. It doesn't automatically HTTPS-ize the sites outside of that list or block HTTP connections. You have to click the "Encrypt All Sites Eligible" option for that, and only then will it throw an error if the site doesn't have an HTTPS version.
Tor Browser doesn't have this enabled by default, probably because hidden services don't require HTTPS and it would be a pain as a default.
Edit: Which is not to say that there aren't rules forcing some .onion sites to https, there are. Encrypt All Sites Eligible (httpNowhereOn) just knows it doesn't have to worry about un-rewritten http .onion addresses. So it really is a good idea to turn it on, and think hard before allowing an exception.
I guess it also depends on your threat model. If you are only browsing and in "Safest" mode, I suppose it's tolerable. But I agree that logging into anything requires EASE to be on.
I don't think that a site must do anything for HTTPS Everywhere to work, since it is (or should be) entirely client-side. Obviously, if you had to fetch something over HTTP before switching to HTTPS then a proxy could slip you forged info.
So, I don't know if Tor Browser works this way, but—just don't allow plain HTTP unless explicitly requested by the user? (Instead of requiring to specify HTTPS.) Weird if TB doesn't do this.
“It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.“
Anyone using TOR for security or anonymity has a screw loose. Without a for-profit model for hosting nodes we can assume the whole network is being controlled by just a few interested actors.
It might be useful when you have your own 3 hosted nodes.
I deliberately bleed my own money and energy to run a Tor node to help other people gain freedom of information. Small scale, but proof that your absolute statement is not grounded in reality.
There are some 6,000+ relays active so even in the most minimal interpretation of "most" that's ~3,000 short of most. Or subtracting the 8 specified if one considers them trusted that's somewhere around ~3,000 (i.e. it doesn't help you make out anything you couldn't have made out before).
58 comments
[ 1.9 ms ] story [ 159 ms ] threadhttps://news.ycombinator.com/item?id=24098560
Also an editorialized title.
"How Malicious Tor Relays are Exploiting Users in 2020"
Sounds more like duplicate submissions should register as an upvote on the previous one if it's within a certain amount of time rather than posting separately. This is a feature Reddit has had for about a decade.
Additionally, the title here states "More than 23% of Tor exit relays operated by a single malicious actor", whereas the subtitle states ">23% of the Tor network’s exit capacity has been attacking Tor users"
While OP's title is confirmed deep in the article ("As far as I know this is the first time we uncovered a malicious actor running more than 23% of the entire Tor network’s exit capacity. That means roughly about one out of 4 connections leaving the Tor network were going through exit relays controlled by a single attacker."), this wasn't anywhere near the top nor was it the intent of the author to make this specific point.
Anyway, emailed per request.
Edit to add: thanks!
4:13pm eastern time. Our messages here crossed paths, no worries.
As grzm pointed out, it's not a dupe until the story has had significant attention. That's on purpose, to allow interesting stories multiple chances at getting attention.
Though this might be due to cops wanting to keep their own local ‘war on drugs’ going on. The statistics won't improve themselves, you know. And I know for certain that cops are aware of Tor and what people do on it.
Edit: wow, fastest downvotes in the West are coming immediately after posting in this thread. Like, less than ten seconds passed.
Upd: somebody posted a reply but deleted it before I started typing my own (what's even happening here?), so here goes. What I'm saying is that I can only wonder why Russia doesn't block Tor and would very much like to know the reason. However, I do think that the FSB might be interested in hijacking Tor traffic, even if just for shits and giggles at first. And buying some boxes in Hetzner probably isn't a problem for them. Don't forget also that FSB directly works with several criminal hacker groups here, and having both their own masqueraded Tor routes and hijacking others' traffic might be vaguely titillating for those people.
As for blocking Tor, I already mentioned that the site would be easily blocked with existing measures, as would relay IPs. For more covert nodes, afaik DPI is being implemented across the providers currently, on RosKomNadzor's orders. So I guess we might yet see Tor blocked on the protocol level (possibly along with Telegram?).
May be there're not enough juridical grounds in Russia to block Tor. But I doubt it, they tried to block Telegram when they wanted to... May be opposition does not use Tor, so it's out of sight.
That long since stopped being a problem for the state here, in general. But also, Tor is explicitly against the law that regulates VPNs—since proxy-like services must block the same sites that are blocked by RosKomNadzor, to be allowed.
Just using it makes you automatically interesting to state actors.
I mean, UK's move against porn is even bolder, but I doubt it that Tor handles video well.
YouTube blocked the network request as suspicious though I was able to view the main page fine; I did not try creating a new circuit.
The Vimeo video played perfectly fine.
I kept creating new circuits until the exit node was US, and then the PBSKids video played fine.
Wow, someone is so out of touch with the culture and the conduct code of HN that they worry about the scoring system and neurotically complain about it publicly ...
My own guess is the simple "follow the money" default stance on issues like this. Tor is likely enabling profits for people within the government, and turning it off has low enough political benefits in comparison. Turning off a west operated VPN has likely a very different economic trade off so it get blocked while tor does not. A direct example off that, with a few implication about the Russian government, is that that tor provide access to hidden service market places while other forms of VPNs do not.
But maybe that would mean giving the sysadmins too much inside info.
I also discovered recently that the FSB and company aren't considered monolithic, and a few departments are doing their own things in a sort of ‘competition’. So yeah, it might be that some of them want Tor and don't want the hassle of setting up the exclusions.
1. Explicit identification. Tor relays, including exit nodes, are identified by contact information. Many of the groups of malicious exit nodes shared contact information.
2. Benign behavioral identification. Many of the identified malicious exit nodes were deployed on the same service providers, including some obscure ones. This isn't a definitive identifier, but it helps link explicitly identified groups.
3. Malicious behavioral identification. Many of the malicious exit nodes were performing similar attacks on outbound traffic, like sslstripping traffic to cryptocurrency web sites. The exact parameters of this behavior (e.g, which sites were targeted, what modifications were made to cleartext data, etc) weren't laid out in the article, but would serve as a highly accurate fingerprint for a specific attacker.
If you read between the lines, he gives a few hints with regards to the sslstripping and traffic manipulation on only a limited set of sites.
This is from another post @ https://medium.com/@nusenu/the-growing-problem-of-malicious-...:
> In autumn 2019 I stumbled on something odd: Tor relays doing something that the official tor software is unable to do. This is intentionally vague to avoid giving away the detection methodology to the adversary."
Makes node operators liable for all sort of legal crap. It is the best thing for Spammers. Every service of note have already blocked them all (all the ones listed publicly, but if you choose not to, you are liable for even more legal crap)
Do not run exit nodes. Do not promote it.
https://www.ghacks.net/2020/03/24/firefox-76-gets-optional-h...
And that means many users are likely re-typing the URLs of the services they want to access every time. Any Tor user who enters bitcointumbler.com instead of https://bitcointumbler.com would be a target of this attack.
“They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings. It is hard to detect for Tor Browser users that do not specifically look for the “https://xn--ivg in the URL bar. This is a well known attack called “ssl stripping” that exploits the fact that user rarely type in the full domain starting with “https://xn--ivg. There are established countermeasures, namely HSTS Preloading and HTTPS Everywhere, but in practice many website operators do not implement them and leave their users vulnerable to this kind of attack.”
What am I missing? Is this only an option in HTTPS Everywhere (that is not on by default)?
By default, HTTPS Everywhere uses a list of HTTPS-capable sites. It doesn't automatically HTTPS-ize the sites outside of that list or block HTTP connections. You have to click the "Encrypt All Sites Eligible" option for that, and only then will it throw an error if the site doesn't have an HTTPS version.
Tor Browser doesn't have this enabled by default, probably because hidden services don't require HTTPS and it would be a pain as a default.
See the check here: https://github.com/EFForg/https-everywhere/blob/bcaf7bdecf14...
Edit: Which is not to say that there aren't rules forcing some .onion sites to https, there are. Encrypt All Sites Eligible (httpNowhereOn) just knows it doesn't have to worry about un-rewritten http .onion addresses. So it really is a good idea to turn it on, and think hard before allowing an exception.
I guess it also depends on your threat model. If you are only browsing and in "Safest" mode, I suppose it's tolerable. But I agree that logging into anything requires EASE to be on.
I don't think that a site must do anything for HTTPS Everywhere to work, since it is (or should be) entirely client-side. Obviously, if you had to fetch something over HTTP before switching to HTTPS then a proxy could slip you forged info.
So, I don't know if Tor Browser works this way, but—just don't allow plain HTTP unless explicitly requested by the user? (Instead of requiring to specify HTTPS.) Weird if TB doesn't do this.
“It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.“
It might be useful when you have your own 3 hosted nodes.
I guess it depends what you mean by _most_. We operate 8 relays, so you can exclude 8 more from your _most_ and make of that what you will...