[tor-talk] Regarding the Hacking Team leak and the "TOR interception" (all uppercase Tor obviously)

aka akademiker1 at googlemail.com
Tue Jul 7 15:56:16 UTC 2015

The browser would send a socks5 connect request to the hacking team
proxy server, which would connect to the real hidden service and
transparently proxy the content to the browser. If the hidden service
had an SSL connection (like facebook hs), it would try to MITM with the
installed cert.
The infected client would have to use internet explorer or chrome, setup
for tor usage.

chloe wrote:
> Hello,
> how would this method work if an infected client tries to visit a hidden
> service?
> Regards,
> Chloe
> aka skrev den 7/7/2015 16:52:
>> Nothing special, they try to infect the machine using browser exploits
>> while the victim surfs without Tor. The malware then manually installs
>> an ssl cert and redirects the browser proxy from to
>> evilguys.com:9050, which does ssl interception with that installed ssl
>> cert. At the time of leak only browsers on mac and internet explorer on
>> windows were supported, because they used registry keys to change proxy
>> settings...
>> Their attack currently doesn't work on TBB, not because it's securer,
>> but because Hacking Team is incapable to program proper
>> pre-encryption-interception on the victim machine. If your computer is
>> infected ALL your traffic CAN be intercepted by definition, it just
>> takes some *able* malware developers to implement it.
>> Fun fact: old, public source malware like ZeuS is able to intercept all
>> encrypted traffic in internet explorer and firefox (including TBB).
>> So don't panic if hipsters like jacob post pdfs without
>> reading/understanding them.

More information about the tor-talk mailing list