WARNING: The SuperList is vulnerable to MITM attacks if checked via tor

There's always talk of people getting phished despite getting their market links via the superlist. Everyone, me included, assumes the user was at fault and made an obvious mistake somewhere.

Yesterday I believe I was presented with a phishing link to DHL via the superlist. I believe this was as a result of a naughty tor exit node performing a MITM attack and replacing a URL with a bad one.

Why do I believe this was the case?

Yesterday I was setting up a tails USB, a process I've been through many times. I checked the PGP sig of the file and carried on as normal. Once set up, I went to add some market links as bookmarks, so I navigated to the superlist.

I added the markets as usual. DHL would not load but there was a post about DHL being down yesterday so I didn't give it too much thought.

Today it would still not load, so I checked dnstats which said it was up... strange... went to look for an alternative link... and noticed the only entry on the superlist was different to the URL I had received yesterday! (Sadly, I deleted the bad URL a few hours ago and only thought to make a public warning later)

I can be certain that:

  1. The PGP sig of the Tails iso checked out.
  2. I did not install anything on Tails, it is a plain vanilla install, I haven't even imported my PGP keys yet.
  3. I got all the links from the superlist.

Is this even possible? Yes! We know MITM attacks on tor just like this are possible and have been observed in the wild (see LBC's FAQ).

I know the full URLs of my most regularly used markets off the top of my head but I rarely login to DHL which is what threw me.

TL;DR: it is possible a malicious exit node is currently replacing superlist URLs so we need to be extra vigilant and double check them. You can no longer assume URLs served from the superlist are 100% legit if checked via tor.


Comments


[25 Points] alpplz:

Stay vigilant, folks; and inform the community there seems to be fuckery.


[16 Points] Seraphim_X:

Would this mean that even accessing this site through TOR is a vulnerability?


[11 Points] SumBaiDee:

Besides 2-FA, is there anything else we can do to protect ourselves? I know a lot of noobs (like myself) get directed to use the superlist.


[7 Points] Thoughtsofamaniac:

2-FA, 2-FA, 2-FA. Cannot stress it enough.


[5 Points] weedandsyrup:

1 + vote = 1 prayer


[2 Points] penguinmixer:

There are 2 main types of MITM attacks commonly performed by tor exit nodes:

  1. Redirecting you to a look-alike URL (e.g. www.redd1t.com instead of www.reddit.com). How to defeat this: a) Always type in the full URL INCLUDING the https part when connecting to clearnet sites. If you type in the https part explicitly then your browser will not accept a redirection to a look-alike site because it will be expecting a certificate issued to that domain name that you typed in. b) Enable HTTPS Everywhere. c) Study your address bar carefully and make sure the domain name is correct before trusting anything on that site.

  2. Using a self-signed certificate to present you with a web site that looks like the real https://www.reddit.com but isn't. How to defeat this: When this attack is performed you will get an error in your browser. Do NOT click OK or ACCEPT if presented with a self-signed certificate warning by your tor browser. If you get a self-signed certificate warning when visiting any well-known site then you are dealing with a bad exit node. Click the onion button in your browser and select "New Tor Circuit for this Site" to get off that exit node.

Additional piece of advice: Store your trusted onion links in your password manager. Copy and paste out of your password manager whenever you want to visit the site.
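
The OP's "double check them" and this comment's advice to keep trusted links in a password manager can be turned into a small checker. This is an added example, not code from the thread or from any of the services named in it: it pins the URLs locally and refuses anything received over Tor that does not match exactly, flagging an http downgrade of a pinned https link, a look-alike host (redd1t vs reddit), an unrelated host, or a malformed .onion label. The pinned entries, the "dhl" name and the all-"a" onion hostname are constructed placeholders, and the 0.8 look-alike threshold is an assumption.

```python
"""Check a URL received over Tor against a locally pinned copy.

Added example; the pinned list and the onion hostname below are constructed
placeholders, not real services.
"""
import difflib
import re
from urllib.parse import urlsplit

# Constructed sample of a pinned link list, the kind of thing one would keep in
# a password manager and paste from instead of trusting a page fetched via Tor.
TRUSTED_LINKS = {
    "reddit": "https://www.reddit.com/",
    "dhl": "http://" + "a" * 56 + ".onion/login",  # placeholder onion address
}

# A .onion host is a single base32 label: 16 chars (v2) or 56 chars (v3).
ONION_LABEL = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")

# Assumed threshold: hosts this similar to the pinned one are treated as
# deliberate look-alikes rather than unrelated mismatches.
LOOKALIKE_THRESHOLD = 0.8


class UntrustedURL(ValueError):
    """Raised when a received URL must not be followed; .reason says why."""

    def __init__(self, reason, url):
        super().__init__(f"{reason}: {url}")
        self.reason = reason


def _onion_label_ok(host):
    """Return True for non-onion hosts or a well-formed single onion label."""
    if not host.endswith(".onion"):
        return True
    labels = host[: -len(".onion")].split(".")
    return len(labels) == 1 and ONION_LABEL.fullmatch(labels[0]) is not None


def _parse(url):
    """Return (scheme, host) lowercased, or None if the URL is unusable."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if not scheme or not host or not _onion_label_ok(host):
        return None
    return scheme, host


def classify(name, received_url):
    """Compare a received URL with the pinned entry for `name`.

    Returns "ok" or one of: "unknown" (nothing pinned under that name),
    "malformed" (no scheme/host or bad onion label), "scheme-downgrade"
    (pinned https, received http), "lookalike" (host nearly but not exactly
    the pinned host), "host-mismatch" (host unrelated to the pinned host).
    """
    pinned = TRUSTED_LINKS.get(name)
    if pinned is None:
        return "unknown"
    got = _parse(received_url)
    if got is None:
        return "malformed"
    want_scheme, want_host = _parse(pinned)  # pinned list assumed well-formed
    got_scheme, got_host = got
    if got_host != want_host:
        ratio = difflib.SequenceMatcher(None, want_host, got_host).ratio()
        return "lookalike" if ratio >= LOOKALIKE_THRESHOLD else "host-mismatch"
    if want_scheme == "https" and got_scheme != "https":
        return "scheme-downgrade"
    return "ok"


def check_url(name, received_url):
    """Return the URL if it matches the pinned entry, else raise UntrustedURL."""
    verdict = classify(name, received_url)
    if verdict != "ok":
        raise UntrustedURL(verdict, received_url)
    return received_url


if __name__ == "__main__":
    # Constructed batch: what a superlist fetched over Tor might hand back.
    samples = [
        ("reddit", "https://www.reddit.com/"),
        ("reddit", "https://www.redd1t.com/"),
        ("reddit", "http://www.reddit.com/"),
        ("dhl", "http://" + "b" * 56 + ".onion/"),
        ("dhl", "http://" + "a" * 55 + ".onion/"),
    ]
    for name, url in samples:
        print(f"{classify(name, url):16} {name:7} {url}")
```

Only the host and scheme are compared, so a pinned entry still matches a deeper path on the same site; if a service's login URL is what matters, pin that exact URL and compare the whole thing instead.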


[2 Points] kustom_kush:

If you make sure you're going to https://reddit.com (notice the https) you won't be vulnerable to the attack described, as long as you physically type that URL in (or bookmark it) and then don't ignore the big warning Tor Browser gives you if someone tried to fake the certificate. You will be fine. OP is just fear mongering.


[1 Points] None:

[deleted]


[1 Points] macrocrystalline:

What are your HTTPS-Everywhere addon settings like? Did you configure it at all? Did you get a certificate mismatch warning upon visiting https://www.reddit.com?


[1 Points] isthismdma:

So the easiest solution would be to use the non-Tor ("unsafe") browser in Tails, right?


[1 Points] jack19056:

What you are saying can't happen since reddit is HTTPS. It means the Tor exit nodes can't know what webpage you are visiting. It only knows you are connected to reddit's server.


[0 Points] None:

Sad, Tor is fucked


[0 Points] crushdudes:

The tor browser bundle comes with https-everywhere. This is not an issue.