Spoiled Onions: Exposing Bad Tor Exit Relays
January 21st, 2014Via: Spoiled Onions:
As of January 2014, the Tor anonymity network consists of 5,000 relays of which almost 1,000 are exit relays. As the diagram to the right illustrates, exit relays bridge the gap between the Tor network and the “open” Internet. As a result, exit relays are able to see anonymised network traffic as it is sent by Tor clients.
While most exit relays are innocuous and run by well-meaning volunteers, there are exceptions: In the past, some exit relays were documented to have sniffed and tampered with relayed traffic. The exposed attacks included mostly HTTPS man-in-the-middle (MitM) and SSL stripping.
In this research project, we are monitoring all exit relays for several months in order to expose, document, and thwart malicious or misconfigured relays. In particular, we monitor exit relays with a fast and modular scanner we developed specifically for that purpose. Since September 2013, we discovered several malicious or misconfigured exit relays which are listed below. These exit relays engaged in various attacks such as SSH and HTTPS MitM, HTML injection, and SSL stripping. We also found exit relays which were unintentionally interfering with network traffic because they were subject to DNS censorship.
This project is funded by a research grant provided by Internetfonden. Previous work of ours investigated how Tor is blocked and how censorship can be circumvented.
