[tor-bugs] #15951 [Tor]: FairPretender: Pretend as any hidden service in passive mode

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun May 10 00:21:09 UTC 2015 

#15951: FairPretender: Pretend as any hidden service in passive mode
------------------------+-----------------------------------------
     Reporter:  twim    |      Owner:  twim
         Type:  defect  |     Status:  new
     Priority:  major   |  Milestone:
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  tor, hs, descriptor, tor-hs
Actual Points:          |  Parent ID:
       Points:          |
------------------------+-----------------------------------------

Comment (by twim):

 Replying to [comment:5 yawning]:
 > I'm unconvinced:
 >  * At some point, the adversary will need to run their own HS to do
 anything actually harmful.
 Yes, sure. I look at this as the first stage of the attack when an
 attacker could  insensibly turn the majority of the original HS users to
 use evil an address (and descriptors). Using trawling the attacker can
 determine (approximately) the portion of users that are using this evil
 address. If it's more than e.g. 96% (too good for spoofing, just example)
 the attacker perform an "active MitM" by running the evil HS and do any
 evil thing because they are already the "legitimate HS".
 >  * An attacker can host their HS on a pwned box or something, and use 1
 hop circuits to the RP and the victim HS's RP to cut out most of the
 latency.
 I didn't think of this scenario before, thanks for the tip! Now it doesn't
 seems to be conspicuously slow.
 >  * Mitigation exists in the form of a self signed SSL cert if HS
 operators currently care about this.  The lack of a trust root is
 irrelevant, as long as the user doesn't compound "clicking on the bad"
 with "accepted a SSL cert with an incorrect DN", the adversary at that
 point has to mount a full MITM.
 I don't consider self-signed certificates here because it provides almost
 zero additional security for HSes. Anyone can create it and they should be
 stored in the browser in order to validate something (problem with Tails).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15951#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list