Abstract
Tor exit relays are operated by volunteers and together push more than 1 GiB/s of network traffic. By design, these volunteers are able to inspect and modify the anonymized network traffic. In this paper, we seek to expose such malicious exit relays and document their actions. First, we monitored the Tor network after developing two fast and modular exit relay scanners—one for credential sniffing and one for active MitM attacks. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of several months. We discovered numerous malicious exit relays engaging in a multitude of different attacks. To reduce the attack surface users are exposed to, we patched Torbutton, an existing browser extension and part of the Tor Browser Bundle, to fetch and compare suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously and systematically monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks, thereby making the network safer for its users. All our source code is available under a free license.
This work is the result of merging two PETS submissions. The original titles and authors were: “Spoiled Onions: Exposing Malicious Tor Exit Relays” by Winter and Lindskog, and “HoneyConnector: Active Sniffer Baiting on Tor” by Köwer, Mulazzani, Huber, Schrittwieser, and Weippl.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Alexa: The top 500 sites on the web (2013), http://www.alexa.com/topsites
Bernstein, D.J.: Curve25519: New Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006), http://cr.yp.to/ecdh/curve25519-20060209.pdf
Le Blond, S., et al.: One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users. In: LEET. USENIX (2011), https://www.usenix.org/legacy/events/leet11/tech/full_papers/LeBlond.pdf
Le Blond, S., et al.: Spying the World from Your Laptop: Identifying and Profiling Content Providers and Big Downloaders in BitTorrent. In: LEET. USENIX (2010), https://www.usenix.org/legacy/event/leet10/tech/full_papers/LeBlond.pdf
Chakravarty, S., Portokalidis, G., Polychronakis, M., Keromytis, A.D.: Detecting Traffic Snooping in Tor Using Decoys. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 222–241. Springer, Heidelberg (2011), http://www.cs.columbia.edu/~mikepo/papers/tordecoys.raid11.pdf
Crossbear, http://www.crossbear.org
Dingledine, R.: Re: Holy shit I caught 1 (2006), http://archives.seul.org/or/talk/Aug-2006/msg00262.html
Dingledine, R., Mathewson, N.: Anonymity Loves Company: Usability and the Network Effect. In: WEIS (2006), http://freehaven.net/doc/wupss04/usability.pdf
Dingledine, R., Mathewson, N.: Tor Protocol Specification, https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=torspec.txt
Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: USENIX Security. USENIX (2004), http://static.usenix.org/event/sec04/tech/full_papers/dingledine/dingledine.pdf
Electronic Frontier Foundation. HTTPS Everywhere (2013), https://www.eff.org/https-everywhere
Goldberg, I.: On the Security of the Tor Authentication Protocol. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 316–331. Springer, Heidelberg (2006), http://freehaven.net/anonbib/cache/tap:pet2006.pdf
Haim, D.: SocksiPy - A Python SOCKS client module (2006), http://socksipy.sourceforge.net
Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security, HSTS (2012), https://tools.ietf.org/html/rfc6797
Hodges, J., Jackson, C., Barth, A.: RFC 6797: HTTP Strict Transport Security, HSTS (2012), https://tools.ietf.org/html/rfc6797
Huber, M., Mulazzani, M., Weippl, E.: Tor HTTP Usage and Information Leakage. In: De Decker, B., Schaumüller-Bichl, I. (eds.) CMS 2010. LNCS, vol. 6109, pp. 245–255. Springer, Heidelberg (2010), http://freehaven.net/anonbib/cache/huber2010tor.pdf
InformAction. NoScript (2013), http://noscript.net
Known Bad Relays, https://trac.torproject.org/projects/tor/wiki/doc/badRelays
Thoughtcrime Labs. Convergence (2011), http://convergence.io
Langley, A.: Public key pinning (2011), https://www.imperialviolet.org/2011/05/04/pinning.html
Lowe, G., Winters, P., Marcus, M.L.: The Great DNS Wall of China. Tech. rep. New York University (2007), http://cs.nyu.edu/~pcw216/work/nds/final.pdf
Marlinspike, M.: sslstrip, http://www.thoughtcrime.org/software/sslstrip/
Marlinspike, M.: tortunnel, http://www.thoughtcrime.org/software/tortunnel/
McCoy, D., Bauer, K., Grunwald, D., Kohno, T., Sicker, D.C.: Shining Light in Dark Places: Understanding the Tor Network. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 63–76. Springer, Heidelberg (2008), http://homes.cs.washington.edu/~yoshi/papers/Tor/PETS2008_37.pdf
Paul, R.: Security expert used Tor to collect government e-mail passwords (2007), http://arstechnica.com/security/2007/09/security-expert-used-tor-to-collect-government-e-mail-passwords/
Perry, M., Clark, E., Murdoch, S.: The Design and Implementation of the Tor Browser [DRAFT] (2013), https://www.torproject.org/projects/torbrowser/design/
SkullSecurity. Passwords (2011), https://wiki.skullsecurity.org/Passwords
SoftCom, Inc. Email Hosting Services, http://mail2web.com
The Tor Project. ExoneraTor, https://exonerator.torproject.org
The Tor Project. Relays with Exit, Fast, Guard, Stable, and HSDir flags, https://metrics.torproject.org/network.html#relayflags
The Tor Project. Snakes on a Tor, https://gitweb.torproject.org/torflow.git/tree/HEAD:/NetworkScanners/ExitAuthority
The Tor Project. Stem Docs, https://stem.torproject.org
The Tor Project. TC: A Tor control protocol (Version 1), https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt
TOR exit-node doing MITM attacks, http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitmattacks
Torscanner, https://code.google.com/p/torscanner/
Torsocks: use socks-friendly applications with Tor, https://code.google.com/p/torsocks/
Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In: ATC. USENIX (2008), http://perspectivessecurity.files.wordpress.com/2011/07/perspectives_usenix08.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Winter, P. et al. (2014). Spoiled Onions: Exposing Malicious Tor Exit Relays. In: De Cristofaro, E., Murdoch, S.J. (eds) Privacy Enhancing Technologies. PETS 2014. Lecture Notes in Computer Science, vol 8555. Springer, Cham. https://doi.org/10.1007/978-3-319-08506-7_16
Download citation
DOI: https://doi.org/10.1007/978-3-319-08506-7_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08505-0
Online ISBN: 978-3-319-08506-7
eBook Packages: Computer ScienceComputer Science (R0)