100+ TOR HSDir "DNS nodes" caught snooping limited data from .onion requests

Hi NSA & others!

http://arstechnica.com/security/2016/07/malicious-computers-caught-snooping-on-tor-anonymized-dark-web-sites/

There's no evidence the malicious relays were able to identify the operators or visitors of the hidden sites or monitor the plain-text traffic passing between them. But the researchers from Northeastern can't rule out those possibilities, either. Both SQL and XSS exploits can reveal a wealth of sensitive information on servers containing administration or configuration errors or vulnerabilities that aren't publicly known. What's more, more than a quarter of the rogue directories also functioned as exit nodes, a status that allowed the malicious relays to view all unencrypted traffic.

The second part about spying on exit traffic is a separate issue unrelated to the current research, and if it was being detected on these servers they would have most likely already been removed from the network. That doesn't mean they aren't also sniffing exit clearnet traffic, but at least they (probably) aren't doing it in a detectable way.

From the Defcon 24 speakers' research, scroll to "Honey Onions: Exposing Snooping Tor HSDir Relays": https://www.defcon.org/html/defcon-24/dc-24-speakers.html

PDF of the paper: https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf

Via https://www.securityweek2016.tu-darmstadt.de/pets-2016/hotpets/
