[metrics-team] Report on protecting Tor from Sybil attacks

Philipp Winter phw at nymity.ch
Mon Apr 11 17:51:41 UTC 2016


On Sat, Apr 02, 2016 at 11:37:25AM -0700, David Fifield wrote:
> Section 3 says there are eight dirauths, but there are nine now. At
> least, that's what I get from reading src/or/config.c (excluding Tonga,
> a bridge authority). #13296 also mentions keeping the count odd.

Yes, you are right -- and the third person who has found this mistake :)

I'll update the arXiv version soon.

> The "rewrite" Sybils--the same exits were rewriting *both* onion
> addresses and bitcoin addresses? I.e., is the attack:
>  * Find onion service that has bitcoin addresses on it.
>  * Mirror onion service and rewrite its bitcoin addresses.
>  * Rewrite plaintext HTTP exit traffic to change links to the onion
>    service to point to your mirror.

Yes, that's what we have seen.

Juha has been having a closer look at the mirrored onion services:
<https://lists.torproject.org/pipermail/tor-talk/2015-June/038295.html>
<https://lists.torproject.org/pipermail/tor-talk/2016-January/040038.html>

> It seems like another straightforward attack is just to rewrite bitcoin
> addresses in plaintext HTTP pages. Did that happen too? Maybe there's
> enough bitcoin activity on onion sites to justify rewriting onion links.

We have seen that too.  Perhaps these exit relays were running both
attacks at the same time, but as the attack became increasingly
sophisticated, we couldn't identify all that was going on.  In
particular, we have seen exit relays that rewrote Bitcoin addresses on
pastebin.com, which still does not support HTTPS.

Cheers,
Philipp

