
Re: [tor-talk] SIGAINT email service targeted by 70 bad exit nodes



On Thu, Apr 23, 2015 at 03:03:57AM -0000, support@sigaint.org wrote:
> Today we reported 58 bad exit nodes to Philipp. He instantly found 12 more
> that we had missed, and there may be even more of them. (Thank you, Philipp!)

Thanks for reporting them. Exciting times we live in.

Philipp, could you count up what fraction of the network (by capacity)
these relays were? It is fun to hear big numbers like 70 relays, but at
least in the past, these attacks that involved many relays have actually
been a tiny fraction of the network's capacity -- meaning even though
it seems like a lot of relays, in practice the chance that a Tor user
will stumble across any of them remains low.

> FYI: They were added to the BadExit list just hours ago so traffic to them
> should dry up.

Yes indeed. For those who want to read more about the badexit arms race,
check out my earlier post on this topic:
https://lists.torproject.org/pipermail/tor-talk/2014-July/034219.html

> We are confident that they didn't get in. It looks like they resorted to
> rewriting the .onion URL located on sigaint.org to one of theirs so they
> could MITM logins and spy in real-time.

I'm sorry to hear that some jerk wants to break into your website.

> I think we are being targeted by some agency here. That's a lot of exit
> nodes.

See above question about number of relays vs capacity of the relays --
it would be great to learn more information before jumping to conclusions.
Some very dedicated jerk can probably spin up VPSes at a bunch of places,
at least for a while.

I guess that leads to the next question: how long were these relays
around, and with what patterns did they join the network?

> I know we could SSL sigaint.org, but if it is a state-actor they could just
> use one of their CAs and mill a key.

This is not great logic. You're running a website without SSL, even though
you know people are attacking you? Shouldn't your users be hassling you
to give them better options? :)

As you say, SSL is not perfect, but it does raise the bar a lot. That
seems like the obvious next step for making your website safer for
your users.

> Interestingly, we ended up becoming a sort of canary. Those exit nodes may
> have been doing other shady stuff as well.

Yes indeed. Thanks again for reporting them.

--Roger
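The count-versus-capacity question raised in the reply above, worked through on constructed data. This is an added example for readers of the archive, not code from the thread or from the Tor project: the relay list, fingerprints, consensus weights and first-seen dates are all made up, and exit selection is simplified to "proportional to consensus weight" (real Tor also applies the per-position bandwidth-weight multipliers from the consensus, which this ignores).

```python
"""Count vs. capacity for a set of flagged exit relays.

Added example: given a consensus-like list of exit relays and the
fingerprints of the flagged ones, report the fraction by relay count, the
fraction by consensus weight, the chance that a client hits at least one of
them over several circuits, and when the flagged relays first appeared.
All relay data is constructed; no real fingerprints or consensus values.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ExitRelay:
    fingerprint: str   # 40 hex chars in a real consensus; constructed here
    bandwidth: int     # consensus weight ("w Bandwidth=" line), arbitrary units
    first_seen: str    # ISO date the relay first appeared; constructed


def build_sample_exits():
    """Constructed network: 30 long-lived, well-provisioned exits plus 70 small
    exits that all appeared within two days. Mirrors the shape of the incident
    discussed in the thread, not any real relay set."""
    legit = [
        ExitRelay(f"{i:040x}", 10_000, f"2013-{(i % 12) + 1:02d}-15")
        for i in range(30)
    ]
    flagged = [
        ExitRelay(f"{0xBAD0000 + i:040x}", 100,
                  "2015-04-20" if i < 35 else "2015-04-21")
        for i in range(70)
    ]
    return legit + flagged, {r.fingerprint for r in flagged}


def fractions(relays, flagged):
    """Return (fraction_by_count, fraction_by_weight) for the flagged set.
    Assumption: exit selection is proportional to consensus weight. Tor also
    applies per-position bandwidth-weight multipliers, which are ignored here."""
    total_w = sum(r.bandwidth for r in relays)
    bad = [r for r in relays if r.fingerprint in flagged]
    bad_w = sum(r.bandwidth for r in bad)
    return len(bad) / len(relays), bad_w / total_w


def prob_hit_any(weight_fraction, circuits):
    """Probability that at least one of `circuits` independently built circuits
    picks a flagged exit, when each pick lands on one with probability
    `weight_fraction`."""
    return 1.0 - (1.0 - weight_fraction) ** circuits


def join_pattern(relays, flagged):
    """Count flagged relays by first-seen date. A burst of relays appearing on
    one or two dates is the kind of join pattern the thread asks about."""
    return Counter(r.first_seen for r in relays if r.fingerprint in flagged)


if __name__ == "__main__":
    relays, flagged = build_sample_exits()
    by_count, by_weight = fractions(relays, flagged)
    print(f"{len(flagged)} flagged exits = {by_count:.1%} of exits by count, "
          f"{by_weight:.2%} by consensus weight")
    for k in (1, 10, 100):
        print(f"P(at least one flagged exit in {k} circuits) = "
              f"{prob_hit_any(by_weight, k):.2%}")
    print("first-seen dates of flagged exits:", dict(join_pattern(relays, flagged)))
```

With the constructed numbers the flagged set is 70% of exits by count but only about 2.3% by weight, which is the gap between "70 relays" and "fraction of the network" that the reply points at. Running the same functions over a real consensus would only need a parser for the `w Bandwidth=` lines and a set of the reported fingerprints.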

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk