Stack Exchange

Tor: Exploiting the weakest link

2012-04-10 by . 9 comments

Post to Twitter

Since the birth of the internet, there has been censorship. People have always been looking for ways to anonymously access the internet, either by proxy or VPN, however these still (can) log traffic origin and destination.

Since a few years there have been a few projects to anonymize traffic. One of the more famous ones is Tor (The Onion Router).

How Tor works

Tor uses servers and clients. When you request a webpage from your client, Tor will make an encrypted request to a randomly selected relay server called an Onion router. This Onion router knows who you are. Next thing the router does is ask another Onion router to relay the message. This second Onion router only knows the first Onion router. The second asks a third, the third asks the fourth, etc. No single router knows the complete route, however the client does.

The client can access a database which holds all the relays and if he wants, he can select his own route or a random route is selected. He then gets all the public keys for the route and encrypts his message in reverse order, starting with the public key of the last node, than the one to last node, etc. So the encryption is layered (just like the layers of an onion). However there is also a message for every node that contains the next hop. Now at the exit router the message is decrypted completely and the request for the webpage is made. For the webserver that serves the question, the client’s IP is the IP of the exit node.

The weakest link

So traffic is encrypted multiple times and relayed through different servers. This ensures anonymity. However… everyone can set up a Tor exit node … and everyone that has an exit node, can monitor the traffic.

The weakness in this technology is one we find in other technologies as well, the so called “user”.

A lot of people are concerned about their anonymity and figure they are safe when using Tor. They forget that when using a physical line or an encrypted Wifi AP, The chances of getting a Man in the Middle Attack (MMA) is small.

Now because we can easily host an exit node, we can sniff traffic from people who think they are anonymous, a lot of people in fact. At 20 Mbit (the max speed we allowed Tor to use), we got about 200 different Facebook sessions a day.

Facebook

Users forget about certain things, like facebook over https. I’ve heard people say “I’ve enabled https on my facebook account, so when I log in, I’m safe.” Well that’s good for them but they forget that often, if you do not explicitly state https for the facebook login page, your password and username is sent PLAIN TEXT over the internet. Facebook doesn’t know you want a secure line before you are logged in.Obviously this goes up for a lot of different sites other than Facebook.

The whole point of Tor is to be anonymous, but users get facebook accounts with often their full name and address on it, and then log in insecurelly.

One could write a script (and we made a proof of concept), that looks for usernames and passwords or hijacks sessions and automatically goes to a facebook like page “I am using Tor to be anonymous”.

I am not saying Tor is unsafe, all we wanted to proof is that people need to think twice before thinking they are anonymous and safe on the internet. There will always be people that want to do malicious stuff. We could have hijacked about 20 accounts in half an hour and revealed people who use Tor or get into their emailboxes. (like Dan Egerstad also prooved in 2007).

Youtube Video

The comments in the clip are in Dutch, but basically we set up a tor node and used tshark to capture traffic. We specified we were interested in http traffic coming/going from Facebook. We then took the session cookie and injected it into our browser which then automatically logs us into Facebook as that user.

Conclusion

Tor is a good anonymity provider, but like all tools, you need to use it in the correct way.

Filed under Crypto Hijack

9 Comments

Subscribe to comments with RSS.

  • CodeInChaos says:

    TOR Browser contains the https anywhere plugin, so I’m a bit surprised by your facebook numbers.

    Simple sniffing of connections is one of the most obvious issues with using TOR, and is relatively simple to mitigate.

    I’m more afraid of rogue exit points linking visits to multiple sites. Preventing this requires a lot of discipline by the user, or significantly improving software(both the browser and TOR) and possibly even protocols.

    • We had a lot of facebook traffic coming by, I think that it covered about 40% of all requests we did (we counted them but I do not have the number anymore). Some of it was indeed https, but still a lot was just plain http. I do not know why the https anywhere plugin didn’t work. We didn’t modify anything special on the exit node. You can always have a got at it yourself all the commands are displayed in the video.

  • [...] Exchange Security blog had a post discussing it. It doesn’t really provide much information since it is about a specific topic, but I like [...]

  • Dan says:

    “if you do not explicitly state https for the facebook login page, your password and username is sent PLAIN TEXT over the internet.”

    Are you sure about that?

    “<form id="login_form" action="https://www.facebook.com/login.php?login_attempt=1"&quot;

  • […] Kauffman. TOR: Exploiting the weakest link. IT Security blog, April […]

  • Chris says:

    “/etc/init.d/tor start” starts tor as: /usr/bin/tor –defaults-torrc /usr/share/tor/tor-service-defaults-torrc –hush

    how do i get rid of –hush?

  • ankush says:

    you can use sslstrip to monitor traffic over https. it strips all ssl connections and creates http connection between host and Middle node and ssl connection between middle node and end point. Victim –> attacker–> end point. http://www.thoughtcrime.org/software/sslstrip/

  • […] The Problem One major problem is that these attempts were not coming from a single IP address. Attackers will use TOR to hide themselves and to have different IPs to over-come the first obstacles that is: blocking the attacker’s source IP address. Init Solution According to this answer here, there is a script by TorProject that can give you a list of Tor Exit Nodes to your server. For example I can get a list of all exit nodes IP addresses using this url: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=23.226.135.25&port=80 Using this list one can dynamically block all Tor traffic for an amount of time – as long as the attack is going then switch the filter off to allow people who use Tor as a way to protect their privacy (although you can still sniff all data if you’re the Exit Node – read this article for more details on that: Tor: Exploiting the weakest link) […]

  • Leave a comment

    Log in
    with Stack Exchange
    or