undefined | Better HN

0 pointsedoo6y ago0 comments

You have to be a little weary using tor. Anyone can run an exit node and it is trivial to rewrite and inject onto web pages. You can also on the fly intercept SSL requests and generate your own self signed certificate that fails proper verification but looks real enough if inspected that will always trick a percentage of users. If you've used tor with any frequency you've probably hit weird SSL cert errors that go away if you change routes.

0 comments

friendly_chap6y ago

To be fair I mostly use it for not overly sensitive stuff. Let me give you an idea: I prefer to not have my ISP log my requests to reddit.com/r/LSD.

Not because I do anything illegal (I don't even take acid), but in this dystopian world where every action on the internet is recorded, the last thing I want is to end up on lists purely because of my curiosity.

If I would do anything I could get into trouble for (which I won't), I would definitely research more about how to use Tor safely.

ikornaselur6y ago

Please correct me if I'm wrong, but can't your ISP only see that you're requesting reddit.com, as long as you're using https? Now sure, if you go to lsd.reddit.com, it can be logged as a subdomain, but anything beyond reddit.com shouldn't be viewable by your ISP.

I'm not saying that you shouldn't use tor, just that as far as I understand, the whole request, including path and method, is encrypted over tls/ssl after your browser establishes a tcp connection to the server.

friendly_chap6y ago

I do believe the url path is visible even over HTTPS. Off to do some research on this.

Edit: apparently the url is not visible, but the domain (more like IP, which can be easily resolved to domain).

Same thing still applies, perhaps not with reddit subreddits, but with specific domains/websites.

1 more reply

Grangar6y ago

Your ISP won't log the request going to /r/LSD. It's over SSL, so the only thing your ISP sees is a request to reddit.com.

friendly_chap6y ago

You are correct. Domains can be still sensitive though.

cyphar6y ago

It is fair to say that using unauthenticated protocols like HTTP over Tor is a pretty bad idea (and there really should be more warning bells about this in the Tor Browser). However on the TLS comment -- almost all modern websites use HSTS, so sslstrip doesn't really work any more.

edooOP6y ago

I mean you can intercept the request, retrieve the real cert, generate a self signed cert with the exact same details, then submit that to the user and be man in the middle. Of course the user gets the blank SSL cert error page on the browser, but a percentage of those users will override and continue. Copying the cert details increases that percentage as some will actually look at the invalid cert. It is quite blatant but it is just a numbers game at that point. If you ever hit an SSL cert error with TOR you should force a new onion path.

cyphar6y ago

Yes, you could do that but then your node would be kicked off the Tor network (because you'd need to do it indiscriminately since you don't know who the user is you're trying to target). In addition, relays are load-balanced based on trustworthiness and bandwidth so in order to attack a significant portion of users you'd need to be running a large and trusted node (which would be hard to do if you're just doing this to attack people).

1 more reply

throwaway66hack6y ago

How about sslstrip2 ([1], check demo)? A weakness of HSTS is that is stored per domain and the exit node can also control your DNS traffic. I wonder how hard it is to pull this off as a Tor exit node, for local networks there are tools like bettercap [2].

[1] https://github.com/byt3bl33d3r/sslstrip2

[2] https://www.bettercap.org/legacy/

cyphar6y ago

That is a pretty neat attack, but I disagree it would be useful against Tor.

DNS traffic is funneled through a different Tor circuit than the web traffic. You'd need to apply the bad DNS to all users, which would almost certainly in your exit node being dropped from the network.

I'm also not sure how this would be handled with HSTS preload lists -- HSTS preload applies to all subdomains so you'd need to come up with a completely different domain (and protections against homograph attacks mean that avenue is restricted). It'd probably be simpler to just set up an actual website with LetsEncrypt than to bother with stripping the TLS in this manner.

1 more reply

j / k navigate · click thread line to collapse

0 comments

friendly_chap6y ago

To be fair I mostly use it for not overly sensitive stuff. Let me give you an idea: I prefer to not have my ISP log my requests to reddit.com/r/LSD.

If I would do anything I could get into trouble for (which I won't), I would definitely research more about how to use Tor safely.

ikornaselur6y ago

friendly_chap6y ago

I do believe the url path is visible even over HTTPS. Off to do some research on this.

Edit: apparently the url is not visible, but the domain (more like IP, which can be easily resolved to domain).

Same thing still applies, perhaps not with reddit subreddits, but with specific domains/websites.

1 more reply

Grangar6y ago

Your ISP won't log the request going to /r/LSD. It's over SSL, so the only thing your ISP sees is a request to reddit.com.

friendly_chap6y ago

You are correct. Domains can be still sensitive though.

cyphar6y ago

edooOP6y ago

cyphar6y ago

1 more reply

throwaway66hack6y ago

[1] https://github.com/byt3bl33d3r/sslstrip2

[2] https://www.bettercap.org/legacy/

cyphar6y ago

That is a pretty neat attack, but I disagree it would be useful against Tor.

1 more reply

j / k navigate · click thread line to collapse