NEWS FROM THE LAB - Tuesday, November 20, 2007

Testing TOR Nodes for Man-in-the-Middle Attacks Posted by Toni @ 16:03 GMT

People tend to think of the TOR network as a silver bullet, which is not the case. Even on TOR's distribution site it's clearly stated that TOR will not guarantee complete privacy.
TOR Icon
What's TOR? If you don't know, TOR is a network of proxies designed to give some privacy and anonymity to its users.

From Wikipedia:

   Tor (The Onion Router) is a free software implementation of second-generation
   onion routing — a system enabling its users to communicate anonymously
   on the Internet. Originally sponsored by the US Naval Research Laboratory, Tor
   became an Electronic Frontier Foundation (EFF) project in late 2004. …

   Like all current low latency anonymity networks, Tor is vulnerable to traffic
   analysis from observers who can watch both ends of a user's connection.

TOR is indeed vulnerable. And recently there have been reports of rogue nodes.

So here's the question. What other suspicious stuff is occurring on TOR? Let's take a look.

Here's a node that only accepts HTTP traffic for Google and MySpace; it resides under Verizon:

AS | IP | AS Name — 19262 | | VZGNI-TRANSIT - Verizon Internet Services Inc.

While curious and perhaps even suspicious, it isn't necessarily malicious. It could just be a Samaritan particularly concerned with anonymous searches and MySpace profiles for some reason. But there's no way to tell, so why use such a node if you don't have to?

But how about this one?

Now here's a node that was monitoring SSL traffic and was engaging in Man-in-the-Middle (MITM) attacks. Definitely bad.

AS | IP | CC | AS Name — 3320 | | DE | DTAG Deutsche Telekom AG

Here's how the testing was done:

   A test machine with a Web server and a real SSL certificate was configured.
   A script was used to run through the current exit nodes in the directory cache.
   Connections were made to the test machine.
   A comparison of the certificates was made.

And the exit node at provided a fake SSL certificate!

Now note, this was only one of about 400 plus nodes tested. But it only takes one.

Once the node faked the SSL of the test server, a well-known "payments and money transfer" site was tested, and it faked those SSL certificates as well.

Information was forwarded to the German authorities and the node is no longer available. It appears that prompt action was taken against it.

More details on the investigative process can be found here and here.

Any technology can be used in the wrong way, a fact that will never change. Be careful out there.