Don't Get Your Bitcoin Stolen: Security Reminder for Tor Users (and why Blockchain is down atm)

A number of people in /r/bitcoin have found that their blockchain.info accounts have been hacked into and funds withdrawn, even though they had 20+ character random passwords.

The way this is happening is rogue Tor exit nodes are running an SSL stripping attack against users of blockchain.info.

The way it works is it would proxy your request to blockchain but redirect it to a non-HTTPS version of the site, hoping the user doesn't notice as it intercepts all requests.

It is critical that when you visit blockchain you do so over HTTPS (rather than let the site redirect you) and then check the certificate.

Don't rely on the browser to tell you it is secure, double click on the certificate and check it. Some attacks will attempt to mimic the encryption icon in the browser by using favicons.

A better further step: manually verify the fingerprint of the certificate. It would be excellent if Tor and DNM users knew how to do this and started getting into the habit of doing it all the time.

All you do is double-click on the encryption icon for the site in a browser. Click on 'connection information', 'certificate information' or whatever it is in your browser to get more details, then expand it until it dumps all the info for that cert.

You're looking for the signature, note this down from a trusted machine. It is usually 255 bytes long. Print it out on a spreadsheet for every important site you visit.

You don't need to check every number or character in the fingerprint, just scan the first few blocks (Tor onion addresses are secured with only the first 80!).

A tech note: md5 signatures are old and broken so you don't want those, and sha1 now is also being phased out. You want the sha256 signature. If it doesn't specify what type of hash it is, chances are it is sha256. md5 and sha1 are usually also included at the very end of a certificate for backwards compatability purposes, but they'll be gone soon.

Here is the blockchain.info signature I just got (but again, don't trust me!)

0E E3 CC 5F E1 73 C3 2F F5 2D 08 EC EA 1A 86 79 7D 07 7E C9 FC C3 46 9A C6 54 CC 6C FB 97 1F AE
7C 02 3F 7C 54 22 03 D6 4E 27 90 C1 30 5D 3C 5E 0E 03 C1 AF 66 AF BE 72 56 EE 63 56 D3 76 B1 2E 
FF 3E 86 43 B3 3A 65 A2 4F D2 DB 76 A3 82 E2 A9 28 F2 68 0E 83 26 01 85 7B 9A F0 64 D0 3D F5 EF 
D5 DE 8A 71 4D 3A C6 15 DA D0 27 92 A3 37 BB D2 BF 5E 57 60 09 0F E5 B1 10 89 48 0A 77 BC DB 
95 4C 06 46 

Edit: The reason blockchain is down is because they are being proactive about not allowing Tor users to log into the site incase of an MITM exit-node based attack. It sucks and they shouldn't have to do it, but it is just the way it is now. If you all take steps to keep yourselves secure it wouldn't be necessary to disable access to everyone to protect a few.

Note: I know the accepted wisdom here is that HTTPS is not required (edit for hidden sites) because Tor encrypts information, but that is the difference between confidentiality and integrity. Tor provides confidentiality, while TLS/HTTPS provides integrity (data hasn't been altered) while certificate signatures provide authentication (you know it is the real site). This is why Darknetmarkets should have, from the very beginning, have supported HTTPS and got users into a habit of checking certificate fingerprints. This protocol is designed for this task, PGP signed messages are not.


Comments


[2 Points] memorelapse:

Also....don't use Agora.


[2 Points] sapiophile:

Mah homie. Thank you for this post.

I do want to clear up a minor thing, though:

Note: I know the accepted wisdom here is that HTTPS is not required because Tor encrypts information, but that is the difference between confidentiality and integrity.

Actually, Tor never has and cannot encrypt your connection from your computer to a clearnet site. HTTPS only works if the site you're visiting supports it, period. And even if a site does support it, it can be stripped as in this attack.

Please check out the graphics on this page - everyone: https://www.torproject.org/about/overview

This stuff is absolutely critical Tor 101 stuff; learn it well.

An actual, valid HTTPS/TLS connection to a clearnet site will indeed be encrypted, just like it is if you weren't using Tor. Otherwise, the exit node can see (and alter!) any and all traffic flowing through it to non-HTTPS clearnet sites.

Tor provides confidentiality

Nope. The only thing Tor provides is anonymity (to an extent). It adds no additional confidentiality measures to any traffic it transmits on the clearnet.

For .onion hidden services, however, Tor does indeed provide secure, end-to-end encryption and authentication of all traffic sent and received, and exit nodes are not used.

TLS/HTTPS provides integrity (data hasn't been altered)

Sort of. That's one small part of what most end-to-end secure protocols provide, and TLS does provide this, as does Tor when using .onion sites. But TLS/HTTPS does also provide confidentiality and authentication, when used properly.

This is why Darknetmarkets should have, from the very beginning, have supported HTTPS

HTTPS on .onion or .i2p sites is completely redundant. The connection is already encrypted end-to-end and fully authenticated. The fingerprint of the site's certificate is the site's URL (or, in the case of I2P, its b32 address - not its .i2p susidns name).

It wouldn't hurt for .onion sites to implement HTTPS/TLS on top of the existing encryption, but it would add to server resource-usage, be an additional expense, and potentially a serious OPSEC risk for the operator, who would have to obtain a valid CA-signed certificate from one of the established Certificate Authorities online.

It's just not necessary.

and got users into a habit of checking certificate fingerprints.

Check that the .onion URL is correct - done. Note that this may be trickier than you think - can a link on this subreddit be 100% assured to be legitimate? WHO KNOWS!?

This protocol [HTTPS] is designed for this task, PGP signed messages are not.

I'm not sure I understand what you mean, but I think I want to clear some things up.

OpenPGP systems are very, very serious about Key Trust, which is what we're talking about, here. It's just a different system than the centralized HTTPS model that uses Certificate Authorities. Check out that link for more info. OpenPGP software was taking effective countermeasures against this type of MITM attack before HTTPS was even conceived of.

However, verifying/authenticating OpenPGP keys used on the darknets is a completely separate issue from authenticating/verifying HTTPS certificates, except inasmuch as someone like me posting a signed statement that may help authenticate a particular certificate, like this one:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

*.blockchain.info HTTPS certificate fingerprints

SHA1: 0C:98:9B:DF:B5:86:F3:1B:D4:F0:39:59:79:6D:E7:97:2A:A3:22:F7
MD5: B2:48:A2:39:1B:A3:E3:3D:9E:4A:D7:B9:EC:BA:0B:32
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUeBt9AAoJEJdH3pe6/Nu5WmAP/2yiat2Z7VwMj4mfAFn4uCP0
26arv3xgY04vpIr+bHwZov0Mgbvs5CKt5JC8JDIcjQ4aIeutVe5LoGXI/rCUbWU/
FThy+lBBac6AECP7Yhal2LJTI7reABAQJxKG/4gb+gqcTv+YB3U+cDrMilBz237Z
0UB41vxNusPHXJv+63FW571XzPvdreY1O0hwUZitEkWfEYsEK0uYfIrx2QVbzXpm
O6B6v/DTjtexreZaDee6yFSD/ircsHaf8Mz8EGv21cSw7aNAgiv6Nt5hPGjFkBIN
Qzsw2vPO7uusgq5BTHSBpamJO2vpbdydBquZcZ0QMuIVNcrSM3HaLUOFHzY6JG1i
rMLh0xUKtS5z5SfDxgSLheYTQ3KyZsu+J77xhybpp8F0aYEFf/LE5BLChuViAUUC
s6hTS6UYq4Yi9JAp8BlNOCwsfNMBK04Pg+Xf15maW/EKQbh7YcIfLCYW7D7IfvYw
E9FIBVFqIocqJxtwuJoIdSbXzqNz10TioJQpwG54u3sWsGtBsr7OitQ3RplRoRHd
/uypL9bikQppl6lNg/casXZp9sg7P99eAq5mY13JboTq0AdCMryKs+5/RI5LOxx3
vGvsxZuoHPgCQR/WX+b2bhar6yvqnNmG0NtIJDgqcKVwedFyQ92Bt9VZFseXE16Z
+3R/zcHmj3/iYYil8t8V
=w/bv
-----END PGP SIGNATURE-----

To verify that statement, my GPG key with fingerprint 69E7 EB65 1CB6 19DE 9153 3A2B D16B 4CC5 857D 0298 is available at https://ssl.reddit.com/r/publickeyexchange/comments/2cmfob/sapiophiles_public_key/ , https://keybase.io/sapiophile , and on the SKS Keyserver network.

Note that verifying OpenPGP keys used on darknets is a very big deal, which is why I made this very important post a couple weeks ago: https://ssl.reddit.com/r/DarkNetMarkets/comments/2loixp/how_le_might_read_our_pgp_messages_and_how_we_can/

If there's anything I might do to clarify this stuff more for anyone, I'm glad to help.


[2 Points] Winklepickers:

Can someone explain how these attacks are occurring in more layman's terms?

I recently transferred BTC from coinbase to agora, I checked blockchain by entering my Hash code. I understand agora is having difficulties with deposits, but I'm just trying to be more cautious and see if I'm in danger of losing my BTC in this fashion.


[1 Points] goldpimp:

is it safe to transfer from coinbase to evo, small amount so no worry about tumble.


[1 Points] Gabralkhan:

I could not support that more...I lost bitcoins a few weeks ago with that...

It is not very clear how technically it is done but it involves TOR Exit Nodes and Online Wallets like BlockChain.info or Coinbase.

I can tell you that you see nothing on the SSL certificate at all if you don't manually check it...

Well on my side the lesson i learned is no Online Wallets, especially with TOR....expensive lesson...


[1 Points] polvb:

How does this affect me if I was planning to send btc from coinbase to a tumbler, to a DNM website?


[-1 Points] deftware:

meanwhile the government is trying to prevent illicit use of bitcoins by requiring all entities which provide BTC in exchange for fiat currency to know the identity of their customers.

this is analogous to making firearms illegal for law abiding citizens to have, in the hopes of curbing criminals having firearms...

LOL