Skip to main content
SpringerLink
Log in

Spoiled Onions: Exposing Malicious Tor Exit Relays

  • Conference paper
Privacy Enhancing Technologies (PETS 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8555))

Included in the following conference series:

Abstract

Tor exit relays are operated by volunteers and together push more than 1 GiB/s of network traffic. By design, these volunteers are able to inspect and modify the anonymized network traffic. In this paper, we seek to expose such malicious exit relays and document their actions. First, we monitored the Tor network after developing two fast and modular exit relay scanners—one for credential sniffing and one for active MitM attacks. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of several months. We discovered numerous malicious exit relays engaging in a multitude of different attacks. To reduce the attack surface users are exposed to, we patched Torbutton, an existing browser extension and part of the Tor Browser Bundle, to fetch and compare suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously and systematically monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks, thereby making the network safer for its users. All our source code is available under a free license.

This work is the result of merging two PETS submissions. The original titles and authors were: “Spoiled Onions: Exposing Malicious Tor Exit Relays” by Winter and Lindskog, and “HoneyConnector: Active Sniffer Baiting on Tor” by Köwer, Mulazzani, Huber, Schrittwieser, and Weippl.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Alexa: The top 500 sites on the web (2013), http://www.alexa.com/topsites

  2. Bernstein, D.J.: Curve25519: New Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006), http://cr.yp.to/ecdh/curve25519-20060209.pdf

    Chapter  Google Scholar 

  3. Le Blond, S., et al.: One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users. In: LEET. USENIX (2011), https://www.usenix.org/legacy/events/leet11/tech/full_papers/LeBlond.pdf

  4. Le Blond, S., et al.: Spying the World from Your Laptop: Identifying and Profiling Content Providers and Big Downloaders in BitTorrent. In: LEET. USENIX (2010), https://www.usenix.org/legacy/event/leet10/tech/full_papers/LeBlond.pdf

  5. Chakravarty, S., Portokalidis, G., Polychronakis, M., Keromytis, A.D.: Detecting Traffic Snooping in Tor Using Decoys. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 222–241. Springer, Heidelberg (2011), http://www.cs.columbia.edu/~mikepo/papers/tordecoys.raid11.pdf

    Chapter  Google Scholar 

  6. Crossbear, http://www.crossbear.org

  7. Dingledine, R.: Re: Holy shit I caught 1 (2006), http://archives.seul.org/or/talk/Aug-2006/msg00262.html

  8. Dingledine, R., Mathewson, N.: Anonymity Loves Company: Usability and the Network Effect. In: WEIS (2006), http://freehaven.net/doc/wupss04/usability.pdf

  9. Dingledine, R., Mathewson, N.: Tor Protocol Specification, https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=torspec.txt

  10. Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: USENIX Security. USENIX (2004), http://static.usenix.org/event/sec04/tech/full_papers/dingledine/dingledine.pdf

  11. Electronic Frontier Foundation. HTTPS Everywhere (2013), https://www.eff.org/https-everywhere

  12. Goldberg, I.: On the Security of the Tor Authentication Protocol. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 316–331. Springer, Heidelberg (2006), http://freehaven.net/anonbib/cache/tap:pet2006.pdf

    Chapter  Google Scholar 

  13. Haim, D.: SocksiPy - A Python SOCKS client module (2006), http://socksipy.sourceforge.net

  14. Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security, HSTS (2012), https://tools.ietf.org/html/rfc6797

  15. Hodges, J., Jackson, C., Barth, A.: RFC 6797: HTTP Strict Transport Security, HSTS (2012), https://tools.ietf.org/html/rfc6797

  16. Huber, M., Mulazzani, M., Weippl, E.: Tor HTTP Usage and Information Leakage. In: De Decker, B., Schaumüller-Bichl, I. (eds.) CMS 2010. LNCS, vol. 6109, pp. 245–255. Springer, Heidelberg (2010), http://freehaven.net/anonbib/cache/huber2010tor.pdf

    Chapter  Google Scholar 

  17. InformAction. NoScript (2013), http://noscript.net

  18. Known Bad Relays, https://trac.torproject.org/projects/tor/wiki/doc/badRelays

  19. Thoughtcrime Labs. Convergence (2011), http://convergence.io

  20. Langley, A.: Public key pinning (2011), https://www.imperialviolet.org/2011/05/04/pinning.html

  21. Lowe, G., Winters, P., Marcus, M.L.: The Great DNS Wall of China. Tech. rep. New York University (2007), http://cs.nyu.edu/~pcw216/work/nds/final.pdf

  22. Marlinspike, M.: sslstrip, http://www.thoughtcrime.org/software/sslstrip/

  23. Marlinspike, M.: tortunnel, http://www.thoughtcrime.org/software/tortunnel/

  24. McCoy, D., Bauer, K., Grunwald, D., Kohno, T., Sicker, D.C.: Shining Light in Dark Places: Understanding the Tor Network. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 63–76. Springer, Heidelberg (2008), http://homes.cs.washington.edu/~yoshi/papers/Tor/PETS2008_37.pdf

    Chapter  Google Scholar 

  25. Paul, R.: Security expert used Tor to collect government e-mail passwords (2007), http://arstechnica.com/security/2007/09/security-expert-used-tor-to-collect-government-e-mail-passwords/

  26. Perry, M., Clark, E., Murdoch, S.: The Design and Implementation of the Tor Browser [DRAFT] (2013), https://www.torproject.org/projects/torbrowser/design/

  27. SkullSecurity. Passwords (2011), https://wiki.skullsecurity.org/Passwords

  28. SoftCom, Inc. Email Hosting Services, http://mail2web.com

  29. The Tor Project. ExoneraTor, https://exonerator.torproject.org

  30. The Tor Project. Relays with Exit, Fast, Guard, Stable, and HSDir flags, https://metrics.torproject.org/network.html#relayflags

  31. The Tor Project. Snakes on a Tor, https://gitweb.torproject.org/torflow.git/tree/HEAD:/NetworkScanners/ExitAuthority

  32. The Tor Project. Stem Docs, https://stem.torproject.org

  33. The Tor Project. TC: A Tor control protocol (Version 1), https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt

  34. TOR exit-node doing MITM attacks, http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitmattacks

  35. Torscanner, https://code.google.com/p/torscanner/

  36. Torsocks: use socks-friendly applications with Tor, https://code.google.com/p/torsocks/

  37. Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In: ATC. USENIX (2008), http://perspectivessecurity.files.wordpress.com/2011/07/perspectives_usenix08.pdf

Download references

Author information

Authors and Affiliations

  1. Karlstad University, Sweden

    Philipp Winter & Stefan Lindskog

  2. SBA Research, Austria

    Martin Mulazzani, Markus Huber, Sebastian Schrittwieser & Edgar Weippl

  3. FH Campus Wien, Austria

    Richard Köwer

Authors
  1. Philipp Winter
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Richard Köwer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Martin Mulazzani
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Markus Huber
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Sebastian Schrittwieser
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Stefan Lindskog
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Edgar Weippl
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University College London, Gower Street, WC1E 6BT, London, UK

    Emiliano De Cristofaro

  2. Computer Laboratory, University of Cambridge, 15 JJ Thomson Avenue, CB3 0FD, Cambridge, UK

    Steven J. Murdoch

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Winter, P. et al. (2014). Spoiled Onions: Exposing Malicious Tor Exit Relays. In: De Cristofaro, E., Murdoch, S.J. (eds) Privacy Enhancing Technologies. PETS 2014. Lecture Notes in Computer Science, vol 8555. Springer, Cham. https://doi.org/10.1007/978-3-319-08506-7_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-08506-7_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08505-0

  • Online ISBN: 978-3-319-08506-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation