Cyber actors are now targeting Tor exit nodes to perform SSL stripping

[cryptomaniac_xxx]

Interesting findings here, specially if you are a Tor users, you may want to reconsider. I high-lighted some of the findings. And unless websites don't take measures, we are going to be vulnerable.

What is this attacker actually exploiting and how does it affect Tor users?

The full extend of their operations is unknown, but one motivation appears to be plain and simple: profit.

They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays. They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings. It is hard to detect for Tor Browser users that do not specifically look for the “https://” in the URL bar. This is a well known attack called “ssl stripping” that exploits the fact that user rarely type in the full domain starting with “https://”.

There are established countermeasures, namely HSTS Preloading and HTTPS Everywhere, but in practice many website operators do not implement them and leave their users vulnerable to this kind of attack. This kind of attack is not specific to Tor Browser. Malicious relays are just used to gain access to user traffic. To make detection harder, the malicious entity did not attack all websites equally. It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.

I’ve reached out to some of the known affected bitcoin sites, so they can mitigate this on a technical level using HSTS preloading. Someone else submitted HTTPS-Everywhere rules for the known affected domains (HTTP Everywhere is installed by default in Tor Browser). Unfortunately none of these sites had HSTS preloading enabled at the time. At least one affected bitcoin website deployed HSTS preloading after learning about these events.

https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac

[1714821874]

1714821874

[1714821874]

1714821874

[1714821874]

1714821874

[1714821874]

1714821874

[1714821874]

1714821874

[o_e_l_e_o]

HTTPS Everywhere is installed by default on Tor. If you aren't using Tor, HTTPS Everywhere is one of the few extensions that you should download.

However, simply installing it isn't enough. Its default behavior is to force HTTPS whenever it can, but still allow HTTP connections. You need to click on the little icon up in your menu bar (a white "S" in a blue square) or go in to your extension options and enable the option to "Encrypt All Sites Eligible". This will block all connections to HTTP sites and display a large warning page whenever a HTTP connection is made which allows the user to choose whether to proceed at their own risk. I'm just not entirely clear whether or not this will be sufficient to completely protect against such an attack.

Particularly concerning that this attack is primarily targeting bitcoin users.

[yazher]

This only means they are going for those who have a huge amount in their pocket. Obviously, If they don't know how to protect themselves from such attacks, they could become victims. Anyway, for the sake of the newbies, what they can do if they successfully execute such actions on someone? can someone enlighten us what would be the possible damage caused by this attack or TOR?

[btc_angela]

This only means they are going for those who have a huge amount in their pocket. Obviously, If they don't know how to protect themselves from such attacks, they could become victims. Anyway, for the sake of the newbies, what they can do if they successfully execute such actions on someone? can someone enlighten us what would be the possible damage caused by this attack or TOR?

This is how I understand it, (correct me if I'm wrong)

1. crypto users uses TOR to connect to a mixer
2. these criminals redirect you to a fake mixer thru SSL stripping
3. you deposit your bitcoin to the criminals bitcoin address
4. you are now a victim of this scam

[witcher_sense]

As users, what can we do to prevent SSL stripping attacks especially when using cryptocurrency related resources? As I understood, HTTPS Everywhere is a must, additional option that prevents connection to unsecured websites should be always enabled. All important websites you usually visit should be bookmarked. https:// should be added manually every time you type full link manually or click it on google.  Use VPN for better security, it encrypts all data even if website is non https://.

[o_e_l_e_o]

2. these criminals redirect you to a fake mixer thru SSL stripping

It doesn't necessarily have to be a fake mixer. With a MITM attack, an attacker could simply change the deposit address you see on the real site to their own address.

Use VPN for better security, it encrypts all data even if website is non https://.

A VPN does not help here. A VPN only encrypts data between your computer and the VPN server. If you are accessing a HTTP site, then the connection between the VPN and the site will still be unencrypted and therefore still vulnerable to attack.

[bob123]

I'm just not entirely clear whether or not this will be sufficient to completely protect against such an attack.

It is sufficient.
Well.. at least if the user is not dumb enough to turn off the extension and still visit the site via HTTP.

Use VPN for better security, it encrypts all data even if website is non https://.

That's one misunderstanding people always have.
You should always assume that a VPN does not increase the security.

There are rare occasions where it indeed protects you from specific attacks.
But these are the minority. People think a VPN makes your connection much more secure (probably due to the advertisements everywhere). But this simply is not true.

Using a VPN is "ok" if you trust the VPN provider more than your ISP, but never assume your connection to be private or more secure because of a VPN.
Your security shouldn't come from the VPN connection.

[Baofeng]

Interesting findings here, specially if you are a Tor users, you may want to reconsider. I high-lighted some of the findings. And unless websites don't take measures, we are going to be vulnerable.

Malicious node exist for years and Tor users have always been vulnerable. The difference is now the attacker uses SSL stripping attack, while usually they use different attack such as logging HTTP traffic.

Yes, like this one: Double dipping: Diverting ransomware Bitcoin payments via .onion domains.

And for those who are not familiar with MITM (Man In The Middle) attack, here is a good article.

[notblox1]

This is serious issue and if now quarter of all Tor nodes are malicious we can expect to see this number growing in future,
and I think solution for this is not so easy to find.
Can we see anything suspicious in our browser in case something like this happens, like certificate change etc ?

[cryptomaniac_xxx]

This is serious issue and if now quarter of all Tor nodes are malicious we can expect to see this number growing in future,

As per the blog post, it went as high as 23%, so yes it's almost a quarter. But it went down to 10% as of Aug 8, but still the numbers are high.

and I think solution for this is not so easy to find.

There is a solution on Tor's end,

https://lists.torproject.org/pipermail/tor-relays/2019-December/017961.html

Until the pandemic hits and employees are lay-off working on the said improvements.

Can we see anything suspicious in our browser in case something like this happens, like certificate change etc ?

Definitely, if they strip the SSL, then you will see a different certificate.


It is also interesting as to who or what bitcoin mixers have already somewhat mitigate it.

I’ve reached out to some of the known affected bitcoin sites, so they can mitigate this on a technical level using HSTS preloading. Someone else submitted HTTPS-Everywhere rules for the known affected domains (HTTP Everywhere is installed by default in Tor Browser). Unfortunately none of these sites had HSTS preloading enabled at the time. At least one affected bitcoin website deployed HSTS preloading after learning about these events.
Is th

[bob123]

Can we see anything suspicious in our browser in case something like this happens, like certificate change etc ?

Definitely, if they strip the SSL, then you will see a different certificate.

If you are a victim of SSL stripping, your connection will be non-secured, i.e. it will be http instead of https.
So it is quite easy to protect against that. If you see your connection is not encrypted while it should be or see a self-signed certificate, do not continue to communicate.

[SquirrelJulietGarden]

SSL vs. TLS but they are certificates and don't insure that no threats on SSL sites.