[tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

Georg Koppen gk at torproject.org
Fri Aug 14 20:48:45 UTC 2020


Igor Mitrofanov:
> Is there anything Tor can do inside the Tor browser itself?
> I would understand and support something as drastic as disabling non-HTTPS,
> non-Onion connections altogether. When the user types a URL with no
> protocol prefix, the browser will assume HTTPS.
> This may break some websites, so a transition may be required. Such a
> transition can start with a warning banner, proceed to a warning page, then
> to a browser setting to enable it, and finally to disabling the capability
> for good.
> 
> The above assumes there is much less benefit in running a rogue Tor exit if
> the operator cannot see or alter the content it is relaying.

I think that assumption is not unreasonable. Yes, we are actively
thinking about trying an HTTPS-only mode out as part of a defense
against similar attacks. See the blog post[1] about it which we just
published, which should give more context for the incident as well.

Georg

[1] https://blog.torproject.org/bad-exit-relays-may-june-2020

> On Fri, Aug 14, 2020 at 1:25 PM niftybunny <
> abuse-contact at to-surf-and-protect.net> wrote:
> 
>>
>> https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac
>>
>>
>>    - There are multiple indicators that suggest that the attacker still
>>    runs >10% of the Tor network exit capacity (as of 2020–08–08)
>>
>>
>> And on this one: I trust nusenu who told me we still have massiv malicious
>> relays.
>>
>>
>>
>> On 14. Aug 2020, at 19:12, Roger Dingledine <arma at torproject.org> wrote:
>>
>> On Thu, Aug 13, 2020 at 03:34:55PM +0200, niftybunny wrote:
>>
>> This shit has to stop. Why are the relays in question still online?
>>
>>
>> Hm? The relays are not online -- we kicked them in mid June.
>>
>> We don't know of any relays right now that are attacking users.
>>
>> Or said another way, if anybody knows of relays that are doing any attacks
>> on Tor users, ssl stripping or otherwise, please report them. I believe
>> that we are up to date and have responded to all reports.
>>
>> That said, there is definitely the uncertainty of "I wonder if those
>> OVH relays are attacking users -- they are run by people I don't know,
>> though there is no evidence that they are." We learned from this case
>> that making people list and answer an email address didn't slow them down.
>>
>> I still think that long term the answer is that we need to shift the
>> Tor network toward a group of relay operators that know each other --
>> transparency, community, relationships, all of those things that are
>> costly to do but also costly to attack:
>> https://gitlab.torproject.org/tpo/metrics/relay-search/-/issues/40001
>> https://lists.torproject.org/pipermail/tor-relays/2020-July/018656.html
>> https://lists.torproject.org/pipermail/tor-relays/2020-July/018669.html
>>
>> But the short term answer is that nobody to my knowledge has shown us
>> any current relays that are doing attacks.
>>
>> Hope that helps,
>> --Roger
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
> 
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20200814/84e6641b/attachment.sig>


More information about the tor-relays mailing list