[tor-bugs] #15951 [Tor]: FairPretender: Pretend as any hidden service in passive mode
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat May 9 16:01:19 UTC 2015
#15951: FairPretender: Pretend as any hidden service in passive mode
------------------------+-----------------------------------------
Reporter: twim | Owner: twim
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor | Version:
Resolution: | Keywords: tor, hs, descriptor, tor-hs
Actual Points: | Parent ID:
Points: |
------------------------+-----------------------------------------
Comment (by yawning):
Replying to [comment:4 twim]:
> Yes, "users clicking the bad" is not going to be solved here. The
> problem is that the attacker doesn't need to "3. Run your HS". And this
> "protocol trickery" is even simpler than running your own HS and reflecting
> data to and from the original HS. A "Normal MitM" is going to be 14+1 hops
> from a client to the legitimate HS that introduce a huge delay that may
> look suspicious (especially for HS admins). The point is that we need to
> force attackers to use the method that you described ("normal mitm") and
> not the trickery. It should be emphasized that all you need to do as an
> attacker is just to upload a HSDesc from time to time.

I'm unconvinced:
 * At some point, the adversary will need to run their own HS to do
   anything actually harmful.
 * An attacker can host their HS on a pwned box or something, and use 1
   hop circuits to the RP and the victim HS's RP to cut out most of the
   latency.
 * Mitigation exists in the form of a self-signed SSL cert if HS operators
   currently care about this. The lack of a trust root is irrelevant, as
   long as the user doesn't compound "clicking on the bad" with "accepted a
   SSL cert with an incorrect DN", the adversary at that point has to mount a
   full MITM.

I stand by my assessment, but will still defer to nickm on this.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15951#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online