Sniffing/MITM attacks on the Tor network

After just posting about a command line solution for using Tor, I thought it'd be a good idea to quickly mention a few security concerns about the network.

Tor is designed to make your traffic somewhat anonymous; using it does not, by itself, make you more secure. If you use Tor with encrypted protocols and refuse fake SSL certificates, you should be fine. However, if you use a plaintext protocol such as HTTP, you are pretty much inviting a hostile exit node to examine your traffic.

Here's an example of what I mean:

chuck@chuck-laptop:~$ sudo ngrep -q 'GET /search' -d wlan0
interface: wlan0 (10.0.0.0/255.255.255.0)
match: GET /search

T (internal IP):55225 -> 74.125.53.99:80 [AP]
 GET /search?hl=en&source=hp&q=See+what+I+mean%3F+This+is+the+text+I+inputed
 +in+google&aq=f&aqi=&oq=&fp=ee36edbd3c16a1c5 ....

If you look in there you can see the text I entered in Google's search box. This attack can be carried out with ease by even an amateur, and a determined attacker could make it far more sophisticated. Here's another example, this time sniffing for the string 'password' anywhere in the transmitted text:

chuck@chuck-laptop:~$ sudo ngrep -q '.*password.*' -d wlan0
interface: wlan0 (10.0.0.0/255.255.255.0)
match: .*password.*

T (internal IP):56025 -> 74.125.53.103:80 [AP]
 GET /url?sa=T&source=web&ct=res&cd=1&url=http%3A%2F%2Fen.wikipedia.org%2Fwi
 ki%2FPassword&ei=BI2tSpzzDIb2sQPQqNyYBQ ...

Yes, I know I did not actually get real results for a password, but I wasn’t really trying. I did determine that a user on my local network was searching for the password article on Wikipedia though.

And I am sure if I ran this little command line setup on an actual running Tor exit node that I would quickly gather a scary number of username and password combinations, for everything from email to social networking websites. I could even search for just plain email addresses if I felt like it, and throw them all in a database for spamming later.

My point is that if you do not encrypt your traffic while using Tor, you are just inviting all sorts of abuse. Sure, it's hard to track a smart Tor user down, but if you have their email credentials it honestly wouldn't be that hard.
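As an added illustration (not code from the original post), here is a small Python auditor that decodes one unencrypted HTTP request the way an observer on the path would see it, and flags the fields that look like credentials or search terms. The sample requests, host names and the list of sensitive parameter names are constructed for this example; the search request is modelled on the capture shown above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry secrets or private input (assumed list)
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "user", "username",
                  "login", "email", "token", "session", "q"}


def audit_plaintext_request(raw):
    """Parse one HTTP/1.x request and report what a passive observer learns.

    Looks at parameters in the URL query string and, for form posts, in the
    body, so both a search query and a typical login form are covered.
    """
    split = re.split(r"\r?\n\r?\n", raw.lstrip(), maxsplit=1)  # headers / body
    head, body = split[0], (split[1] if len(split) > 1 else "")
    lines = head.splitlines()
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$", lines[0].strip())
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    method, target = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decoded
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params += parse_qsl(body.strip(), keep_blank_values=True)
    exposed = {k: v for k, v in params if k.lower() in SENSITIVE_KEYS and v}
    return {"method": method, "host": headers.get("host", "(no Host header)"),
            "path": parts.path, "params": dict(params), "exposed": exposed}


# Constructed samples: a search modelled on the capture above, and a login form
SEARCH = ("GET /search?hl=en&q=See+what+I+mean%3F+This+is+the+text+I+inputed"
          "+in+google&aq=f HTTP/1.1\r\nHost: www.google.com\r\n\r\n")
LOGIN = ("POST /login HTTP/1.1\r\nHost: mail.example.com\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n"
         "Content-Length: 33\r\n\r\nusername=chuck&password=s3cret%21\r\n")

if __name__ == "__main__":
    for sample in (SEARCH, LOGIN):
        report = audit_plaintext_request(sample)
        for key, value in report["exposed"].items():
            print("plaintext to %s: %s=%r" % (report["host"], key, value))
```

Anything this script can read from a request, an exit node sees just as plainly; the fix is to send such requests only over HTTPS.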

2 Comments

  1. kari says:

    So, it's not wise to run a Tor relay then? I started running one to help those in censored countries to reach Tor, but I don't want to be hurt in the process. Thanks!

    • chuck says:

      Tor exit nodes are prone to receiving DMCA notices as well as attracting the attention of various agencies.

      Basically, only run a node if you’re sure you can handle a possible legal issue. You can just turn the node into a non-exit node and be safe, since they just act as a stepping stone.
