This is node joke. Tor battles to fend off swarm of Bitcoin-stealing evil exit relays making up about 25% of outgoing capacity at its height

The Tor Project has confirmed someone, or some group, is in control of a large number of Bitcoin-snaffling exit nodes in its anonymizing network, and it's battling to boot them off. One observer reckons more than 23 per cent of the entire Tor network’s exit capacity was under the command of one miscreant, or one group of …

  1. Hubert Cumberdale Silver badge

    I continue to be surprised

    at just how many websites are still not using encryption. There really is no excuse these days. I've recently installed HTTPS Everywhere on FF, and I've disabled all HTTP traffic. I'll be interested to see if the internet is still broadly usable.

    1. Symon Silver badge
      Go

      Re: I continue to be surprised

      It'll be more usable, because it'll block the bit of the internets that you didn't want anyway.

      p.s. Privacy Badger, Ghostery, etc. etc.

    2. Hubert Cumberdale Silver badge

      Re: I continue to be surprised

      I'm confused by the downvotes. Is there an excuse for not using encryption on every website? Services such as Let's Encrypt make it free and fairly simple now. I'm genuinely interested in the downvoters' objections.

      1. Alister Silver badge

        Re: I continue to be surprised

        Is there an excuse for not using encryption on every website?

        I didn't downvote you, but there doesn't have to be an "excuse".

        If all you are serving is informational pages, with no requirement for user interaction or logins, then why not use HTTP, it's a perfectly valid protocol if used correctly.

        1. Lee D Silver badge

          Re: I continue to be surprised

          Because it's free to do, one-click install in many places, and stops people's sessions being sniffed (i.e. what sites they were looking at, what pages they read) and prevents man-in-the-middle injection attacks where people can slip in JavaScript or - like some ISPs have done - adverts into a page that doesn't have them, and you'll never know because there's no indication of whether the page was as it was sent from the server.

          1. Jim Mitchell

            Re: I continue to be surprised

            HTTPS doesn't stop your ISP, TOR exit node, etc, from seeing what sites you go to. This is mentioned in the article.

            1. Anonymous Coward

              Re: I continue to be surprised

              HTTPS (TLS1.3), ESNI and secure DNS / DNSSEC will.

              Specifically, ESNI will stop your ISP / TOR exit node from knowing the sites you connect to. Why do you think the Great Firewall blocks all connections that attempt to use it? Because they don't know where they are connecting.

            2. Lee D Silver badge

              Re: I continue to be surprised

              Yes it does, with modern browser technologies.

              That's why China have blocked modern browser technologies.

              Even then, you would only ever have got the SNI field out of the SSL session, so you'd know what domain they were going to, but that's it. Not what file, page, download, etc. Just the domain.

              I'm sure "amazoncdn.com" (or whatever it is) is really useful when you're trying to pin evidence of something nefarious on someone.

              But even that avenue is closed to them nowadays.

            3. doublelayer Silver badge

              Re: I continue to be surprised

              "HTTPS doesn't stop your ISP, TOR exit node, etc, from seeing what sites you go to. This is mentioned in the article."

              The article mentions that connections are often made to cleartext HTTP pages first before being redirected, which gives an attacker an opening, but that's just the first page. It gives some detail about the domain, but that's it. For example, I'm not even using modern security but my ISP doesn't know what pages I visited during my session here. They would know that I'm active and reading The Register, but not which articles I read. I don't really care if they do know that, but I might care about similar information leaked from a different site. For this reason, HTTPS is useful even when you aren't sending information. In addition, more advanced security measures can keep my ISP from knowing some of the information they could get before (although since this site uses its own IP addresses, I couldn't hide everything without VPNing through my ISP).

          2. Hubert Cumberdale Silver badge

            Re: I continue to be surprised

            ^ what Lee D said.

        2. Hubert Cumberdale Silver badge

          Re: I continue to be surprised

          Depends on the nature of the "information" being provided by these websites, effectively on a postcard. As noted by another reply, aggregation of small bits of sniffed information can tell you an awful lot about a person. Would you be happy to send me every bit of information you had looked up on the web in plain text? I bet it would tell me some interesting things. Oh, it looks like you've been reading about a strange rash on your [redacted], searching for your local [redacted] clinic, and you want to know whether it's illegal to [redacted] while [redacted] in a [redacted]. I hope your question is purely hypothetical, because it could be used to blackmail you...

        3. KalF
          Unhappy

          Re: I continue to be surprised

          Plain HTTP can be manipulated to inject exploits. This is why you always need HTTPS regardless of the content on your site. A lot of shopping cart attacks start this way, using unencrypted parts of a site to compromise subsequent encrypted activities.

          As others have said, it's 2020, certs are free, the software is simple. There are no good excuses anymore for using plain text HTTP, although the bad ones remain.

      2. martynhare

        Re: I continue to be surprised

        Yes there is a good reason. But unfortunately the solution does not yet exist to provide the benefits of a safe but not encrypted website.

        Basically, encrypting everything means ISPs cannot transparently proxy in a safe way. This by extension means ISPs can’t cache the most commonly accessed mostly-static data, wasting tons of bandwidth compared to the 90s and early 00s. There needs to be a concept of digitally signed webpage elements tied together by a digitally signed webpage for data which doesn’t need confidentiality and often remains the same - like, say Wikipedia (when not logged in), public Instagram photos or YouTube videos.

        This way, we can get all the benefits of cryptography without tampering and with all the caching performance gains for popular content. This would make the Internet faster and better for people in the west, while people in repressive regimes can still access said pages safely over Tor.

    3. Throatwarbler Mangrove Silver badge

      Re: I continue to be surprised

      1) Not everyone is aware of https or is skilled at managing it. I am in the midst of a conversation with a charity that I volunteer for wherein I am trying to get them to convert their login page to https, but the site provider is unable, for whatever reason, to forward the http connection (the site connects via https just fine, but if you connect via http, the connection stays insecure). It seems like a very straightforward process to me, but the situation has not changed for over a month. The stopgap I'm getting the charity to employ is to update their documents and newsletters to at least use https links instead of http.

      2) Certificate management and upkeep is a tremendous ball-ache. I don't care how simple you think it is. If I didn't already know what the process entails, this page would be complete fucking gobbledegook. While a Web developer setting up a site should arguably understand this process, a great many do not, including developers coding for highly business critical Web applications (go on, ask me how I know).

      While I would not want to justify failing to use https, it's one more damn thing to do (and maintain--you have to ensure that you keep up your certs, which are apparently now being set to expire 30 days before they were issued in the name of security [yes, that's sarcasm, do keep up]), and it's effort which, in many cases, doesn't have an obvious positive yield for the site maintainer. Now, conversely, if I were running a Bitcoin exchange, I would definitely want https to be the default setting, if for no other reason than wanting to ensure that the Dunning-Krugerrands wind up in my pocket and not someone else's when I decide to fake my death and abscond to a foreign country with the proceeds of my clients' ill-placed trust. If I were the client of such an exchange, I would definitely pay close attention to whether https is being used as well, but I'm not sure what the interface for such a thing looks like, so maybe it's not obvious.

      1. Hubert Cumberdale Silver badge

        Re: I continue to be surprised

        I have a pretty cheap hosting provider, and they still handle all the Let's Encrypt "gobbledegook" for me with a single click, and my certificates are automatically renewed. These days, you shouldn't need to know about any of that as a web designer/maintainer any more than you need to actually understand HTML (though of course it helps...). The hosting provider is at fault in the scenario you describe. As for the extended validation etc. certificates, which of course do require much more faffing (and cost), do you know of any normal person who actually cares what kind of certificate a site is using as long as it has "the little padlock thingy"? I view EV as just another way for CAs to get money for old rope.

        1. Jamie Jones Silver badge

          Re: I continue to be surprised

          You're right, and for those reasons, EV certificates are dead. https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

      2. doublelayer Silver badge

        Re: I continue to be surprised

        "Now, conversely, if I were running a Bitcoin exchange, I would definitely want https to be the default setting, if for no other reason than wanting to ensure that the Dunning-Krugerrands wind up in my pocket and not someone else's when I decide to fake my death and abscond to a foreign country with the proceeds of my clients' ill-placed trust."

        The problem there is that the attacker probably does use HTTPS to connect to the exchange, just with them impersonating the client. It's probably not easy to determine that it's not the user on the other end, and almost certainly such a coordinated group has different nodes making the connections so they can't be identified as exit nodes and blocked that way.

        "If I were the client of such an exchange, I would definitely pay close attention to whether https is being used as well, but I'm not sure what the interface for such a thing looks like, so maybe it's not obvious."

        The exit node can't easily provide a forged certificate because the client's machine will still verify it, so they're probably seeing the insecure site icon like on any other HTTP-only site. Either that or they get redirected to a secure site that is controlled by the attacker and therefore doesn't use the same domain name. It would really help the clients to make sure that is not there whenever they're accessing something sensitive, but maybe it would be better for there to be a setting to enforce that. That doesn't seem out of character for the Tor browser to warn or even block HTTP-only on the clear web and 301s pointing to different domains.

    4. Potemkine! Silver badge

      Re: I continue to be surprised

      If a website doesn't require you to log in, if it displays information only and doesn't require interaction with the user other than browsing, if you live in a country where you are allowed to read this information, what would be the need to use HTTPS?

      Using HTTPS has a downside: now that certificates can't last more than one year, it is easy for an administrator to miss the deadline and break everything.

      1. Charles 9 Silver badge

        Re: I continue to be surprised

        Two words: Chinese Cannon. Here are two more: Verizon Supercookie. Neither of them care about the content itself, just that it's unencrypted so they can piggyback on it and inject their malware on-the-fly.

        So basically, the world now has a choice: secure or malware, no third alternative.

  2. Claptrap314 Silver badge

    Too stupid to care?

    I'm seriously having a problem understanding that this is real. In order for this attack to succeed, we need someone who

    1) Uses bitcoin.

    2) Uses Tor.

    3) Uses a bitcoin mixer service.

    4) Does NOT use https to access the bitcoin mixer service via Tor.

    Isn't that like just one guy? What am I missing?

    Also, if you're already using Tor, why on earth would you suddenly care about speed over blind trust in the exit node for that final hop?

    1. Wellyboot Silver badge

      Re: Too stupid to care?

      Yes, strikes me as exploiting the skiddies who think TOR sounds cool and don't implement any actual transport security beyond default.

      TOR isn't about 'secure routing', it's 'anonymous routing'. Pick your protocols with care.

    2. Anonymous Coward

      Re: Too stupid to care?

      4) Does NOT use https to access the bitcoin mixer service via Tor.

      No, it relies on someone typing mybitcoinesite.com into the browser and it usually 'upgrades' the connection to https. Therefore they think they are always using https. However on this exit node the upgrade doesn't happen and the connection remains insecure.

      Most people don't specify the protocol when they type an address any more.

      1. Jon 37
        FAIL

        Re: Too stupid to care?

        This is the exact attack that HSTS was designed to prevent. (OK, not the "using Tor" part, but the rest of it). Any sites using HSTS are immune. Any sites handling money that are not using HSTS are clueless, and I'd argue are criminally negligent.

        1. doublelayer Silver badge

          Re: Too stupid to care?

          Sadly, it's not exactly that. A server implementing HSTS has to say this and not allow normal HTTP access. However, a site can implement HSTS and still allow HTTP connections which get redirected, and a lot of them do to avoid looking broken to people who aren't familiar with it. Take my site for example. If you request any page over HTTP, the server sends a 301 saying it's been moved to the HTTPS site. So you can't retrieve something over HTTP from my server directly. However, an attacker who is replacing your traffic could intercept that HTTP request, not give it to you, fetch the real page from me using HTTPS, and present it back to you as if my server hadn't attempted to do the redirect. There are some pretty good solutions to this, but each comes with a downside:

          1. I could block HTTP requests rather than redirecting them. This forces all connections to be secure and makes it harder to pull the redirect on someone. It means that people who type my domain name and whose browsers attempt HTTP will think my site is down though.

          2. The user could check the address bar for the secure site icon and the domain name they're trying to access. This would take them all of three seconds.

          3. The user could type the HTTPS. This would take them all of two seconds.

          4. The user could install a plugin that does 3 for them. It might break and they'd have to remember what they did so they could click the button to allow the two exceptions.

          5. The browser makers could modify their default policy for when a user enters just a domain name and try to send an HTTPS request first. If and only if it fails send an HTTP one.
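          The first-visit gap and the "redirect to a different domain" case discussed in this sub-thread, as an added example that is not part of the original thread or of any Tor Project code: it classifies constructed HTTP responses and shows which HSTS policies a browser may cache (the response objects, hostnames and function names are assumptions made for illustration).

```javascript
// Added example, not code from the thread or from the Tor Project. It models the
// first-visit problem and the "redirect to another domain" case with constructed
// responses: a hypothetical plain object { url, status, headers }, header names
// lower-case. Nothing is fetched, so it runs offline under Node.js.

// Parse a Strict-Transport-Security header (RFC 6797) into its directives.
function parseHsts(value) {
  if (!value) return null;
  const policy = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const part of value.split(";")) {
    const [name, raw] = part.trim().split("=");
    const key = name.trim().toLowerCase();
    if (key === "max-age") policy.maxAge = parseInt(raw, 10) || 0;
    else if (key === "includesubdomains") policy.includeSubDomains = true;
    else if (key === "preload") policy.preload = true;
  }
  return policy;
}

// Browsers only honour HSTS delivered over HTTPS, so a policy that shows up
// on a plain-HTTP response (which anyone on the path could have written)
// must not be cached.
function acceptHsts(resp) {
  if (new URL(resp.url).protocol !== "https:") return null;
  return parseHsts(resp.headers["strict-transport-security"]);
}

// Classify what the server (or whoever answered) did with an http:// request.
function classifyHttpResponse(resp) {
  const reqHost = new URL(resp.url).hostname;
  const location = resp.headers["location"];
  if (resp.status >= 300 && resp.status < 400 && location) {
    const target = new URL(location, resp.url);
    if (target.protocol !== "https:") return "redirect-to-http";
    return target.hostname === reqHost ? "redirect-same-host-https"
                                       : "redirect-other-host-https";
  }
  if (resp.status >= 400) return "http-refused";
  return "served-over-http";
}

// Is a visitor who typed only the domain name safe from a replaced first
// request? Only a policy the browser already holds (cached from an earlier
// HTTPS visit, or preloaded) makes it send https:// without an HTTP hop.
// What the real server would have said over HTTP does not enter into it,
// because an on-path party can answer that request itself.
function firstVisitProtected(cachedHsts) {
  return cachedHsts !== null && cachedHsts.maxAge > 0;
}

// Constructed sample traffic (not captured from any real site).
const samples = {
  redirect:  { url: "http://example.test/", status: 301,
               headers: { location: "https://example.test/" } },
  stripped:  { url: "http://example.test/", status: 200,
               headers: { "strict-transport-security": "max-age=31536000" } },
  elsewhere: { url: "http://example.test/", status: 301,
               headers: { location: "https://example-login.test/" } },
  secure:    { url: "https://example.test/", status: 200,
               headers: { "strict-transport-security":
                          "max-age=63072000; includeSubDomains; preload" } },
};

for (const [name, resp] of Object.entries(samples))
  console.log(name, classifyHttpResponse(resp), acceptHsts(resp));
```

The "elsewhere" sample is the pattern to be suspicious of when a sensitive site suddenly lands you on another hostname; "stripped" shows why an HSTS header seen over plain HTTP buys nothing.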

    3. vtcodger Silver badge

      Re: Too stupid to care?

      Isn't that like just one guy? What am I missing?

      I suspect that trafficking in cryptocurrency, using Tor, and use of mixers to further anonymize transactions are probably highly correlated. For example, paying for the 4 metric tons of crystal meth you want delivered to your driveway next Friday without leaving an auditable transaction trail is probably a bit tricky. So no, it's probably more than one guy.

      Assuming that the evil exit nodes are borrowed from legitimate owners who have been a bit injudicious in clicking on emails or some such, there's probably little capital required in order to set up a bunch of corrupted exit nodes once you figure out how to do it. And the payout for a successful theft is probably pretty good. The risk wouldn't seem to be not so much being thrown off Tor as the cryptocurrency's real owners tracking you down and removing body parts until you return their cash.

      1. Anonymous Coward

        Re: Too stupid to care?

        "The risk wouldn't seem to be not so much being thrown off Tor as the cryptocurrency's real owners tracking you down and removing body parts until you return their cash."

        And the risk the real owners face is that the people behind this scheme are either better-resourced than them (meaning such an attempt would result in a gang war they'd probably lose)...or government-backed, meaning trying to track the "thieves" could result in a back-hack that gets them tracked down and busted.

      2. Claptrap314 Silver badge

        Re: Too stupid to care?

        I'm pretty certain you've missed what I'm saying. Given that someone has taken all of the other steps in an attempt to achieve privacy--how do they justify NOT using https for the final step?

        Certainly, TOR + Bitcoin + mixers is high overlap. TOR + Bitcoin + mixers + HTTP, though, ??????

  3. Anonymous Coward

    Smaller fleas to bite 'em

    Well, I can't find anybody with a lightly-colored hat that has anything good to say about Bitcoin mixers, so this is probably one variety of crims being relieved of their boodle by another, which, I'd hazard to guess, given their persistence, is of the just-south-of-China variety. That said, breaking T O R is B A D.

    1. Wellyboot Silver badge

      Re: Smaller fleas to bite 'em

      It's not breaking TOR, just exploiting a fairly small (as per Claptrap ^) set of user activities running over it.

    2. Throatwarbler Mangrove Silver badge
      Paris Hilton

      Re: Smaller fleas to bite 'em

      What, you don't have any sympathy for the ransomware crooks getting their Bitcoins stolen during the laundering, ahem, anonymization process?

    3. Orv

      Re: Smaller fleas to bite 'em

      If Joe Hacker is doing it, you can bet the DEA is doing it too, and keeping tabs on these transactions.

    4. Claptrap314 Silver badge

      Re: Smaller fleas to bite 'em

      So--you think cash is bad, too?

      The original ideas for digital currency on cypherpunks had privacy as a primary concern. Bitcoin does not deliver privacy. The mixers do.

      1. Charles 9 Silver badge

        Re: Smaller fleas to bite 'em

        Privacy? I thought the chief concern was government control.

        1. Claptrap314 Silver badge

          Re: Smaller fleas to bite 'em

          I said "a primary concern", not "the only concern". Yes, the depoliticization of money was also a primary concern.

  4. DrXym Silver badge

    If you're using Tor...

    You should really be using Tor Browser. It DOES have HTTPS Everywhere and NoScript enabled plus other protections enabled in the browser. I'm sure it doesn't prevent some malicious activity by exit nodes but it sounds like it will block what is going on above.

  5. This post has been deleted by its author

  6. Anonymous Coward

    Interesting

    Interesting that exit node trickery has gone from governments spying to hackers hacking hackers.

    Kind of expected, but very entertaining nonetheless.

    I hope the ransomware punks get ripped off big time.

  7. DaGriff
    Big Brother

    Passwords Everywhere

    The problem with HTTPS Everywhere is the permissions you implicitly grant. "The extension can read the content of any web page you visit as well as data you enter into those web pages, such as USERNAMES and PASSWORDS. "

    I wonder if they keep logs.....and how are they secured?

    1. doublelayer Silver badge

      Re: Passwords Everywhere

      That's weird. I'd have thought that you wouldn't need very much code to implement it. I would think that the following offline code should do it:

      // Handler for a page request: if the URL uses http:, hand the browser the
      // https: form instead (UserReallyRequested stands for the real request path)
      function UserRequestsPage(url) {
        if (url.includes("http:")) {
          UserReallyRequested(url.replace("http:", "https:"));
        }
      }

      It should only need access to the address bar, not the page itself. Maybe it's browser permissions looking weird. If it's doing more than that, maybe it's time for us to write a replacement.


Biting the hand that feeds IT © 1998–2020