[tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

disrupt_the_flow disrupt_the_flow at parrotsec.org
Fri Aug 14 18:11:02 UTC 2020


On August 14, 2020 5:12:35 PM UTC, Roger Dingledine <arma at torproject.org> wrote:
>On Thu, Aug 13, 2020 at 03:34:55PM +0200, niftybunny wrote:
>> This shit has to stop. Why are the relays in question still online?
>
>Hm? The relays are not online -- we kicked them in mid June.
>
>We don't know of any relays right now that are attacking users.
>
>Or said another way, if anybody knows of relays that are doing any attacks
>on Tor users, ssl stripping or otherwise, please report them. I believe
>that we are up to date and have responded to all reports.
>
>That said, there is definitely the uncertainty of "I wonder if those
>OVH relays are attacking users -- they are run by people I don't know,
>though there is no evidence that they are." We learned from this case
>that making people list and answer an email address didn't slow them
>down.
>
>I still think that long term the answer is that we need to shift the
>Tor network toward a group of relay operators that know each other --
>transparency, community, relationships, all of those things that are
>costly to do but also costly to attack:
>https://gitlab.torproject.org/tpo/metrics/relay-search/-/issues/40001
>https://lists.torproject.org/pipermail/tor-relays/2020-July/018656.html
>https://lists.torproject.org/pipermail/tor-relays/2020-July/018669.html
>
>But the short term answer is that nobody to my knowledge has shown us
>any current relays that are doing attacks.
>
>Hope that helps,
>--Roger

Roger, has the Tor Project taken some countermeasures against this type of attack? For example, quoting from nusenu's article:
> As an immediate countermeasure against this ongoing issue the Tor Project could require physical address verification for all new (joined in 2020) Tor relay operators that run more than 0.5% of the Tor network’s exit or guard capacity. Why 0.5%? It is a balance between the risk of malicious Tor relay capacity and the required effort for verification. Using 0.5% as a threshold is a realistically low number of operators to verify. As of 2020–08–08 there are just five exit and one guard operator that match these criteria (new and big). Some of them have similarities to previously detected malicious groups. Others are somewhat known with a good reputation already. So the amount for this initial verification is limited to sending 6 letters to a provided physical address (more likely actually 3 since some might not request the physical address verification).
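The 0.5% criterion quoted above from nusenu's article is something an operator or researcher can check against consensus data themselves. The following is an added example, not code from this thread, from nusenu or from the Tor Project: it groups relays by contact string as a rough stand-in for "operator", finds groups whose earliest relay appeared in 2020, and reports those whose summed guard or exit probability exceeds 0.5%. The field names mirror the Onionoo "details" document (fingerprint, first_seen, contact, guard_probability, exit_probability), but the relay records are constructed sample data, not measurements of any real operator, and grouping by contact alone is an assumption; a real analysis would also use family, AS and nickname patterns.

```python
"""Flag new relay operators above a guard/exit capacity threshold.

Added example, not from the tor-relays thread or the Tor Project. The
record layout mirrors Onionoo "details" fields, but every relay below is
constructed sample data, and grouping by contact string is an assumption
(real operators can spread relays across contacts, or use none).
"""
from collections import defaultdict
from datetime import datetime

THRESHOLD = 0.005               # 0.5% of guard or exit probability (nusenu's proposal)
NEW_SINCE = datetime(2020, 1, 1)  # "new" means every relay of the group appeared in 2020

# Constructed sample records; the probabilities do not describe any real operator.
SAMPLE_RELAYS = [
    {"fingerprint": "A" * 40, "first_seen": "2020-05-10 12:00:00",
     "contact": "ops@example.net", "guard_probability": 0.0, "exit_probability": 0.004},
    {"fingerprint": "B" * 40, "first_seen": "2020-06-01 08:00:00",
     "contact": "ops@example.net", "guard_probability": 0.0, "exit_probability": 0.003},
    {"fingerprint": "C" * 40, "first_seen": "2017-03-02 00:00:00",
     "contact": "old@example.org", "guard_probability": 0.012, "exit_probability": 0.0},
    {"fingerprint": "D" * 40, "first_seen": "2020-07-20 00:00:00",
     "contact": "", "guard_probability": 0.002, "exit_probability": 0.0},
    {"fingerprint": "E" * 40, "first_seen": "2020-07-21 00:00:00",
     "contact": "", "guard_probability": 0.006, "exit_probability": 0.0},
]


def operator_key(relay):
    """Group relays by contact; a relay with no contact is its own group."""
    contact = (relay.get("contact") or "").strip()
    return contact or "<none>:" + relay["fingerprint"]


def aggregate_by_operator(relays):
    """Sum guard/exit probability per operator and keep the earliest first_seen."""
    agg = defaultdict(lambda: {"guard": 0.0, "exit": 0.0, "first_seen": None, "relays": []})
    for relay in relays:
        entry = agg[operator_key(relay)]
        seen = datetime.strptime(relay["first_seen"], "%Y-%m-%d %H:%M:%S")
        entry["guard"] += relay.get("guard_probability", 0.0)
        entry["exit"] += relay.get("exit_probability", 0.0)
        entry["relays"].append(relay["fingerprint"])
        if entry["first_seen"] is None or seen < entry["first_seen"]:
            entry["first_seen"] = seen
    return dict(agg)


def flag_new_large_operators(relays, threshold=THRESHOLD, new_since=NEW_SINCE):
    """Return operators that are new (earliest relay on/after new_since) and
    hold more than `threshold` of guard or exit probability.

    Result: {operator_key: {"guard": float, "exit": float, "relays": [fp, ...]}}
    """
    flagged = {}
    for key, entry in aggregate_by_operator(relays).items():
        is_new = entry["first_seen"] >= new_since
        too_big = entry["guard"] > threshold or entry["exit"] > threshold
        if is_new and too_big:
            flagged[key] = {
                "guard": round(entry["guard"], 6),
                "exit": round(entry["exit"], 6),
                "relays": entry["relays"],
            }
    return flagged


if __name__ == "__main__":
    for key, info in flag_new_large_operators(SAMPLE_RELAYS).items():
        print(f"{key}: guard={info['guard']:.3%} exit={info['exit']:.3%} "
              f"relays={len(info['relays'])}")
```

Note that the two exit relays sharing ops@example.net are each under the threshold on their own and only cross it when summed, which is why the check must aggregate before comparing; the empty-contact relays are deliberately not merged, so a group that avoids publishing a contact can only be caught per relay with this grouping.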

