[tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

Matt Corallo tor-lists at mattcorallo.com
Thu Aug 13 21:49:06 UTC 2020


This may be true, but I think you underestimate how few sites are on the HSTS preload list or are enforced by SSL 
Everywhere.

Ultimately, unless the first site you load in a browsing session is HTTPS or unless you end up at an HSTS 
preload-enforced site, sslstrip can just keep taking the "s" part out of the link you're about to click. And, as we've 
seen here, even sites that redirect HTTP to HTTPS and various other best practices can fall victim.

To the average user, there is little feedback that the site they're on is properly secured using HSTS preload, and many 
sites forget to enroll themselves in the preload list.

For reference, the first two "probably kinda try to be secure for their users" sites I tried were not on the list: 
wellsfargo.com and bankofamerica.com.

Matt

On 8/13/20 5:19 AM, Michael Gerstacker wrote:
>     https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac
> 
> 
> So in other words when the destination website does not really care about their users' safety and the user sends 
> unencrypted exit traffic through Tor then an exit relay operator could do the same as your internet provider 
> (spying/changing your traffic).
> Properly setting MyFamily does not help in this case.
> 
> That's nothing new.
> 
> The only news is that it is getting exploited on a big scale now.
> 


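Added example, not part of the original messages: a Python check a site operator could run over their own response headers to see whether a response leaves users with no HSTS policy, a policy that only applies after a first untampered HTTPS load, or a header that meets the preload list's header requirements. The function names, level labels and sample headers are constructed for illustration; the one-year `max-age`, `includeSubDomains` and `preload` conditions are the header requirements published by hstspreload.org.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns {directive: value} or None if a browser would ignore the header.
    Simplification: assumes no ';' inside a quoted-string value."""
    directives = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip()
        if not name:
            continue  # empty directives (";;", trailing ";") are permitted
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form: max-age="31536000"
        if name in directives:
            return None  # a repeated directive invalidates the whole header
        directives[name] = value if sep else True
    age = directives.get("max-age")
    if not isinstance(age, str) or not re.fullmatch(r"[0-9]+", age):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(age)
    return directives

def assess(scheme, header):
    """Return (level, missing preload requirements) for one response."""
    if scheme != "https":
        return ("ignored", [])  # STS received over plain HTTP is discarded
    d = parse_sts(header) if header else None
    if d is None or d["max-age"] == 0:
        return ("none", [])  # no policy stored; max-age=0 deletes one
    missing = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        missing.append("max-age>=31536000")
    missing += [n for n in ("includeSubDomains", "preload") if n.lower() not in d]
    # "first-visit-exposed": protected only after one untampered HTTPS load
    return ("first-visit-exposed", missing) if missing else ("preload-eligible", [])

# Constructed sample responses, not captured from any real site.
SAMPLES = [
    ("http", "max-age=63072000; includeSubDomains; preload"),
    ("https", None),
    ("https", "max-age=31536000"),
    ("https", 'Max-Age="63072000"; INCLUDESUBDOMAINS; preload;'),
    ("https", "max-age=600; max-age=63072000; preload"),
]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(scheme, repr(header), "->", assess(scheme, header))
```

A "preload-eligible" result covers the header only: the domain still has to be submitted to the preload list before browsers enforce HTTPS on the very first visit.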