Researcher: Tor Users Still Targeted By MITM Attacks


Users of the Tor network are still the target of man-in-the-middle (MITM) attacks carried out via rogue exit servers, with 27 percent of the Tor network's exit node capacity in the hands of the attacker at the beginning of this year. That is according to a security researcher with the alias "nusenu" in a new investigation.


Last year, the researcher already published research on MITM attacks against Tor users. About two million people use the Tor network every day to protect their privacy. The Tor network consists of many servers run by volunteers that handle the traffic of Tor users. The first server, the entry guard, forwards the Tor user's request to the middle relay node. From there it goes to the exit node, which sends the request on to the internet.


The exit node operator can see the Tor user's traffic, but does not know who it is from. In the case of http traffic, the exit node operator can also modify the traffic. The attacker reported by security researcher "Nusenu" is exploiting this: he removes http-to-https redirects to gain access to the unencrypted http traffic without showing the user a certificate warning in Tor Browser.


Most websites now use https. When the user enters only the domain name in the address bar, the website loads its https version via an http-to-https redirect. In the currently observed attack, the attacker intercepts this redirect and places himself between the user and the requested website. The attacker establishes a secure connection between himself and the website, but passes the content to the user over unencrypted http. The user may notice the attack because the address bar shows http rather than https.
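As an added example (not code from the researcher's report), the Python helper below classifies the response a client gets back for a plain http request, so a site that is known to redirect to https can be checked for a stripped redirect by comparing a trusted baseline with what is observed on a suspect path. The host name and both responses are constructed for illustration; nothing is fetched from the network.

```python
from urllib.parse import urlsplit

def parse_head(raw: str):
    """Split a raw HTTP/1.1 response head into (status_code, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(host: str, raw: str) -> str:
    """Classify what a plain-http request to `host` came back with.

    'redirect-ok'  : 3xx whose Location is https:// on the same host (expected)
    'redirect-odd' : 3xx elsewhere (different host, or still http)
    'no-redirect'  : 200 served over plain http; for a site known to redirect,
                     this is the symptom of a stripped http-to-https redirect
    'other'        : anything else (errors etc.)
    """
    status, headers = parse_head(raw)
    if 300 <= status < 400:
        loc = urlsplit(headers.get("location", ""))
        if loc.scheme == "https" and loc.hostname == host:
            return "redirect-ok"
        return "redirect-odd"
    if status == 200:
        return "no-redirect"
    return "other"

def redirect_stripped(host: str, baseline_raw: str, observed_raw: str) -> bool:
    """True when a site that redirects to https on the trusted baseline path
    answers 200 over plain http on the observed path (e.g. via a suspect exit)."""
    return (classify(host, baseline_raw) == "redirect-ok"
            and classify(host, observed_raw) == "no-redirect")

# Constructed sample responses (not captured from any real site).
BASELINE = ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: https://example.test/\r\n"
            "Content-Length: 0\r\n\r\n")
OBSERVED = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<html>...page delivered over plain http...</html>")

if __name__ == "__main__":
    print(redirect_stripped("example.test", BASELINE, OBSERVED))  # True
```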


So as not to stand out too much, the attack is applied only to certain websites, mainly crypto-related ones, including bitcoin mixer services. The attacker replaces the bitcoin address provided by the user with the address of his own bitcoin wallet. The attacks reported by Nusenu in August last year are still taking place. On February 2 of this year, 27 percent of the Tor network's exit node capacity was in the hands of the attacker, according to the researcher.


Malicious Tor exit nodes are removed, but the attacker keeps adding them back to the network. Many of these servers do not list contact details. The Tor network usually has fewer than 1,500 exit nodes. At the beginning of this month, more than a thousand new Tor exit nodes were added within 24 hours. The researcher notes that this sounds impressive, but most of these servers were removed almost immediately, before many people used them, so the risk for users was small.


Nusenu states that part of the attacker's method is known, such as replacing bitcoin addresses, but other attacks cannot be ruled out. "Imagine an attacker holding 27 percent of the Tor network's exit node capacity and publishing a Firefox exploit for Tor Browser before all users receive their updates," the researcher warns.


Good protection is offered by Firefox's HTTPS-Only mode, which by default loads only https sites. The question is when and how this will be incorporated into Tor Browser. The Tor development team has concerns that regional websites in particular do not support https, and about how Tor Browser should handle those.
