[tor-talk] One way to protect onions against cloning attack

Nurmi, Juha juha.nurmi at ahmia.fi
Wed Mar 9 08:20:50 UTC 2016

And the attacker immediately started to override CSS rules. I made a
counter attack again. See

REAL: http://msydqstlz2kzerdg.onion/
FAKE: http://msydqjihosw2fsu3.onion/

Let's see what is the next move from the attacker. He is probably reading
this mailing list.


On Tue, Mar 8, 2016 at 2:50 PM, Nurmi, Juha <juha.nurmi at ahmia.fi> wrote:

> Hi,
> As you may have heard someone runs fake sites on a similar address to the
> original ones and tries to fool people with that. Fake sites are transparent
> proxies with MITM.
> I added this detection to ahmia.fi's onion site:
> REAL: http://msydqstlz2kzerdg.onion/
> FAKE: http://msydqjihosw2fsu3.onion/
> This is a CSS trick and works without JavaScript. CSS checks the address
> using regexp and if it is not correct it will activate warning text.
> @-moz-document
> regexp('(?!https?://ahmia\\.fi|https?://localhost|https?://127\\.0\\.0\\.1|
> http://msydqst.*2kzerdg\\.onion).*') {
> /* Alternative CSS content rules for fake site. */
> }
> It's not perfect solution but again we can make the attacker's life hard.
> Peace,
> Juha

More information about the tor-talk mailing list