Silk Road forums

Discussion => Security => Topic started by: springseed23 on March 09, 2013, 02:52 am

Title: any way to tell if you're involved in a MIM attack?
Post by: springseed23 on March 09, 2013, 02:52 am
Any techies know enough about MIM attacks to shed some light?
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: piratesofpenzance on March 09, 2013, 03:38 am
Well, that's the point of a MIM, isn't it? The whole point is that they emulate what you think you should be seeing, so look for any sort of visual clues that something doesn't look right or normal with the site.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: CrazyBart on March 09, 2013, 06:38 am
What kind of MiM attack are you curious about (website, LAN network, ARP spoofing, etc.)? Might need some more information to help out.

In any case I imagine that it would be very hard to detect. For secure websites (HTTPS) I suppose you would need to constantly double-check certificates, making sure everything matches.

I really am not very tech savvy and look forward to an answer as well.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: anonom on March 12, 2013, 06:32 pm
Since the "man in the middle" usually analyses/modifies traffic before letting it go on to its destination, in some cases I think it's possible to detect it.

If you can monitor the timing for each "hop" to your destination, someone modifying data "on the fly" will most likely delay the packet and hence reveal himself.

My point is that some MITM attacks should be detectable if you can do something similar to a "traceroute" and establish the "legitimate/usual" timing for your communication. In some cases, illegal ARP traffic may be a clue that a MITM is happening (something like ARP poisoning attacks).
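The hop-timing baseline idea above, as an added example that is not part of the original post: it learns each hop's address and RTT spread from several earlier traceroutes and flags a later run that contains an inserted hop or a latency jump far outside the usual band. All addresses, timings and the k=5 MAD threshold are constructed assumptions.

```python
"""Compare a fresh traceroute against a learned per-hop baseline.
A new hop, a changed hop count, or an RTT well above the baseline's
normal spread is reported for a closer look."""
import statistics

# Constructed baseline: earlier traceroutes to one destination,
# each a list of (hop_address, rtt_ms). Not real measurements.
BASELINE_RUNS = [
    [("10.0.0.1", 1.1), ("198.51.100.1", 8.9), ("203.0.113.7", 21.0)],
    [("10.0.0.1", 1.0), ("198.51.100.1", 9.4), ("203.0.113.7", 20.4)],
    [("10.0.0.1", 1.3), ("198.51.100.1", 9.1), ("203.0.113.7", 21.8)],
    [("10.0.0.1", 1.2), ("198.51.100.1", 8.7), ("203.0.113.7", 20.9)],
]
# Constructed later run: an extra hop appears and the last hop is slow.
SUSPECT_RUN = [("10.0.0.1", 1.2), ("198.51.100.1", 9.0),
               ("192.0.2.250", 9.6), ("203.0.113.7", 58.3)]


def build_baseline(runs):
    """Per hop index: the addresses seen there, the median RTT and the
    median absolute deviation (MAD) used as the 'normal spread'."""
    baseline = []
    for idx in range(min(len(r) for r in runs)):
        rtts = [r[idx][1] for r in runs]
        med = statistics.median(rtts)
        # floor the MAD so a perfectly flat baseline still has a band
        mad = statistics.median(abs(x - med) for x in rtts) or 0.1
        baseline.append({"addrs": {r[idx][0] for r in runs},
                         "median": med, "mad": mad})
    return baseline


def check_run(run, baseline, k=5.0):
    """Return a list of findings; an empty list means the run looks normal.
    RTTs are matched by hop address, not index, so an inserted hop does
    not misalign the comparison of the hops after it."""
    findings = []
    if len(run) != len(baseline):
        findings.append(f"hop count changed: {len(baseline)} -> {len(run)}")
    stats_for = {a: b for b in baseline for a in b["addrs"]}
    for addr, rtt in run:
        b = stats_for.get(addr)
        if b is None:
            findings.append(f"unexpected hop {addr}")
        elif rtt > b["median"] + k * b["mad"]:
            findings.append(f"{addr}: {rtt:.1f} ms vs baseline "
                            f"{b['median']:.1f} ms (mad {b['mad']:.2f})")
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_RUNS)
    for line in check_run(SUSPECT_RUN, base) or ["no anomalies"]:
        print(line)
```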

Title: Re: any way to tell if you're involved in a MIM attack?
Post by: astor on March 12, 2013, 07:57 pm
In any case I imagine that it would be very hard to detect. For secure websites (HTTPS) I suppose you would need to constantly double-check certificates, making sure everything matches.

Chrome does certificate pinning for some websites, and Firefox has add-ons like Certificate Patrol and Convergence to help with that. I don't know how well they would work in TBB.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: Yoda on March 13, 2013, 06:19 am
Some info about it here:

https://tails.boum.org/doc/about/warning/index.en.html#index3h1
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: springseed23 on March 25, 2013, 04:08 pm
Hmm-----

I guess when I talk about a MIM attack, I mean in TOR. I have noticed some odd things with my browser and some connections at some hotspots I frequent. I have not frequented them anymore, but I swear, every time I went to those locations, I noticed subtle differences in some things.

Here are some follow-up questions.

1. Can a MIM attack happen anywhere, or does LE have to prepare from a single network----oh yeah, all these questions are for TOR---not clearnet. I can care less if LE is watching porn with me :} hahah

2. How much resource would LE have to use to actually do a constant MIM attack throughout different networks?

Wish I knew more about this stuff to be more detailed in my questions. But a big thanks to everyone who answered!! 1+ for you all!!! Thanks

Title: Re: any way to tell if you're involved in a MIM attack?
Post by: astor on March 25, 2013, 05:36 pm
1. Can a MIM attack happen anywhere, or does LE have to prepare from a single network----oh yeah, all these questions are for TOR---not clearnet. I can care less if LE is watching porn with me :} hahah

They have to be on the wire between you and the destination server, like at your ISP, a router upstream of the server you are connecting to, a gateway between two autonomous zones, an internet exchange point, etc. The packets have to physically pass through an internet host that the adversary controls. The Chinese government can't MITM a connection between NYC and Boston, unless the routing is really fucked (or they hacked a server in between).

2. How much resource would LE have to use to actually do a constant MIM attack throughout different networks?

Targeting a specific person or host is probably easy, as long as they are in a jurisdiction that LE controls. They could get a warrant, or ask your ISP nicely, and in some cases the ISP will cooperate without legal pressure. Targeting someone outside of LE's jurisdiction is harder.

That being said, decrypting a Tor circuit is considerably harder than an HTTPS connection. HTTPS relies on certificate authorities, which can be compelled to sign certificates for governments or LE to use in MITM attacks (some CAs have even been hacked, allowing the Iranian government to MITM its people, for example).

Tor's SSL uses private keys stored on the relays. You download the public keys in the relay descriptors from the directory authorities. Descriptors are signed by the directory authorities. The directory authority keys are hardcoded into the Tor client. That means, as long as you have an uncompromised Tor client (check the signature when you download it!), nobody can serve you fake descriptors, with fake relay keys, and thus establish fake connections with your Tor client.


BTW, what kind of "odd" things did you notice?
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: springseed23 on March 26, 2013, 01:37 am
1. Can a MIM attack happen anywhere, or does LE have to prepare from a single network----oh yeah, all these questions are for TOR---not clearnet. I can care less if LE is watching porn with me :} hahah

They have to be on the wire between you and the destination server, like at your ISP, a router upstream of the server you are connecting to, a gateway between two autonomous zones, an internet exchange point, etc. The packets have to physically pass through an internet host that the adversary controls. The Chinese government can't MITM a connection between NYC and Boston, unless the routing is really fucked (or they hacked a server in between).

2. How much resource would LE have to use to actually do a constant MIM attack throughout different networks?

Targeting a specific person or host is probably easy, as long as they are in a jurisdiction that LE controls. They could get a warrant, or ask your ISP nicely, and in some cases the ISP will cooperate without legal pressure. Targeting someone outside of LE's jurisdiction is harder.

That being said, decrypting a Tor circuit is considerably harder than an HTTPS connection. HTTPS relies on certificate authorities, which can be compelled to sign certificates for governments or LE to use in MITM attacks (some CAs have even been hacked, allowing the Iranian government to MITM its people, for example).

Tor's SSL uses private keys stored on the relays. You download the public keys in the relay descriptors from the directory authorities. Descriptors are signed by the directory authorities. The directory authority keys are hardcoded into the Tor client. That means, as long as you have an uncompromised Tor client (check the signature when you download it!), nobody can serve you fake descriptors, with fake relay keys, and thus establish fake connections with your Tor client.


BTW, what kind of "odd" things did you notice?

Quick rundown. Erased my computer. Went to a public wifi. Went to the Tor download page, and it came up as TOR being a dangerous site!! I got to a download page, I forget now which, but then downloaded TOR. The connection took super long, and from what I remember, as it has been several weeks to a month, the Tor button was flashing. I could not get into certain pages that I know would not be down. I got onto the Silk Road home page, but got a little freaked. Something else was amiss----something with the scripts. I just remember getting spooked. Took off Tor again, and then went to another spot, and downloaded. It worked well that time!!

Oh yeah....I got several messages while at that hotspot about TOR being outdated. So I downloaded TOR twice more, and it was still outdated.

Sorry, not much more info, but the experience just seemed odd.

But thanks a bunch for the info. Some of it is over my head, but I understand it for the most part!!

1+
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: astor on March 26, 2013, 01:56 am
Quick rundown. Erased my computer. Went to a public wifi. Went to the Tor download page, and it came up as TOR being a dangerous site!! I got to a download page, I forget now which, but then downloaded TOR. The connection took super long, and from what I remember, as it has been several weeks to a month, the Tor button was flashing. I could not get into certain pages that I know would not be down. I got onto the Silk Road home page, but got a little freaked. Something else was amiss----something with the scripts. I just remember getting spooked. Took off Tor again, and then went to another spot, and downloaded. It worked well that time!!

Oh yeah....I got several messages while at that hotspot about TOR being outdated. So I downloaded TOR twice more, and it was still outdated.

That could be bad.

It sounds like a firewall was blocking your access to torproject.org. That is common because Tor is considered proxy bypass software.

You downloaded the browser bundle from somewhere, but you can't remember where. Most likely it was not from torproject.org. It could have been an old package archived on another site, which is why you kept getting those messages about it being outdated, or it could have been a compromised TBB.

You really need to be more careful. You should only download TBB from torproject.org. You should check the signature, which is under the orange download button, at the link titled "sig".

Whenever you download a new bundle, you should have a PGP program with you, with Erinn Clark's key in your key chain, so you can verify the signature. Instructions on doing that are here: https://www.torproject.org/docs/verifying-signatures.html.en

Those instructions can always be found in the "what is this" link next to the "sig" link.

But thanks a bunch for the info. Some of it is over my head, but I understand it for the most part!!

tl;dr A verified signature on your browser bundle significantly reduces your chances of getting MITM'ed, although the same low-probability threat of connecting to malicious relays still applies.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: anonom on March 27, 2013, 12:46 pm
Can we agree that with a legitimate version of the TBB, even with a MITM, it's very hard to know the exit node of your Tor circuit?

I wonder how strong the encryption used in Tor is. Would it really hold up for long against supercomputers?

Oh, and finally, can someone confirm that when you connect to a .onion website, the full path to the server is encrypted? As far as I know, when you connect to a clearnet site, the last hop after the exit node is of course not encrypted. But for .onion sites, both sides are running Tor-dedicated software and the encryption is full from host to server.

Concerning clearnet sites through Tor: why are there so many warnings about accessing clearnet sites over Tor? Is the end server of a clearnet website able to know your own IP address? Or is it just because of the Flash/scripts and other stuff that can give this information to the end server?

In other words: would a perfectly configured/up-to-date TBB leave any compromising information on a clearnet site?

Thanks! And sorry for hijacking the topic a bit, but since we're speaking of Tor security...
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: Green Camel on March 27, 2013, 10:58 pm
Off-topic maybe, but some Tor exit nodes do MITM. I do quite a lot of browsing through Tor, and I've received invalid SSL certs a couple of times for sites which don't use self-signed certs.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: astor on March 28, 2013, 03:45 am
Can we agree that with a legitimate version of the TBB, even with a MITM, it's very hard to know the exit node of your Tor circuit?

If an attacker can decrypt your connection, he can read the data. He doesn't need to know your exit node. That is much harder to do with a Tor circuit than with an HTTPS connection. Like the poster above said, HTTPS connections can be intercepted at the exit nodes with widely available programs like sslstrip. However, this interception is noticeable if you are paying attention, because you lose the lock icon. This is why mixed content is bad: it gets us used to losing the lock icon.

I wonder how strong the encryption used in Tor is. Would it really hold up for long against supercomputers?

Tor uses the TLS protocol with a 128-bit AES stream cipher and 1024-bit RSA keys for authentication. If you want the nitty-gritty details, you can read the protocol spec:

https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=tor-spec.txt

In terms of encrypting the stream, Tor circuits are basically the same as HTTPS connections (they could be made stronger with AES-256 encryption, but AES-128 would take longer than your lifetime to decrypt with today's technology). The important difference between Tor circuits and HTTPS connections, as I said in a previous post, is that it's much harder to break Tor's authentication mechanism.


Oh, and finally, can someone confirm that when you connect to a .onion website, the full path to the server is encrypted?

Since you're connecting Tor client to Tor client, yes, the entire path is encrypted.


Concerning clearnet sites through Tor: why are there so many warnings about accessing clearnet sites over Tor? Is the end server of a clearnet website able to know your own IP address? Or is it just because of the Flash/scripts and other stuff that can give this information to the end server?

Yeah, it's mostly the dangers of Flash and Java. I think the dangers of JavaScript are exaggerated. Yes, JavaScript can be dangerous too, but it's much better sandboxed inside the browser. Flash and Java are run by plugins that are separate processes and can more easily bypass the browser's proxy settings. That's why NoScript was added to the browser bundle. It blocks Flash and Java even when it is disabled.


In other words: would a perfectly configured/up-to-date TBB leave any compromising information on a clearnet site?

Well, if you post your name on the site, there's nothing Tor can do to save you.

But I get what you're saying, and the answer is that the browser bundle is specially configured to greatly reduce data leaks and fingerprinting attacks that could be used to identify you. Nothing is perfect of course, but browsing clearnet with TBB in its default configuration is considered safe enough by the Tor developers that they distribute it that way.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: astor on March 28, 2013, 05:03 am
I should add that there's a trade-off between security and convenience. Tech-savvy Tor users have asked for JavaScript to be disabled by default, but that would break 80% of clearnet sites. The unsavvy users would think that TorBrowser doesn't work and abandon it. The Tor devs believe that using Tor with JavaScript is better than not using Tor at all, so they distribute it with JavaScript enabled.

It is safer to disable JavaScript, but I personally don't consider it a threat when doing a Google search or browsing Wikipedia, for example. I'd be more worried about obscure web sites.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: Obnubilate on March 28, 2013, 06:03 am
If you are part of a proper MiTM attack, then no, you won't be able to tell.
Sorry.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: kingghb on March 29, 2013, 05:45 am
If you are using Windows/Linux, download XArp. It will detect suspicious ARP activity and notify you when something happens, such as the router MAC changing. It works really well, at least in my experience.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: kingghb on March 29, 2013, 05:59 am
I didn't read the entire thread when I read this. But this utility works for detecting ARP poisoning attacks.
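
The two ARP-poisoning indicators the posts above describe (the router's MAC changing, and one MAC answering for several IPs), as an added example that is not part of the thread and is not XArp's own code: a detector run over constructed tcpdump-style ARP reply lines. The log lines, addresses and the gateway IP are constructed for the example.

```python
"""Flag ARP-poisoning indicators in a stream of ARP reply records:
an IP (the gateway above all) that suddenly maps to a new MAC, and
a single MAC that ends up claiming more than one IP."""
import re
from collections import defaultdict

# Constructed sample in tcpdump-style format; not a real capture.
SAMPLE_ARP_LOG = """\
10:00:01.100 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02.200 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:03.300 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:04.400 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:04.500 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>[0-9A-Fa-f:]{17})$"
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac); lines that are not ARP replies are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_anomalies(text, gateway_ip):
    """Return alert strings. The first MAC seen for an IP is trusted as the
    baseline (first-seen, like a static ARP entry); any later change is an
    alert, CRITICAL when the IP is the gateway. A MAC claiming a second IP
    is reported once."""
    alerts = []
    first_mac = {}                   # ip -> MAC observed first
    ips_per_mac = defaultdict(set)   # mac -> IPs it has answered for
    flagged_macs = set()
    for ts, ip, mac in parse_arp_replies(text):
        prev = first_mac.setdefault(ip, mac)
        if prev != mac:
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{level} {ts}: {ip} changed {prev} -> {mac}")
            first_mac[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(f"WARNING {ts}: {mac} now claims "
                          f"{sorted(ips_per_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_LOG, "192.168.1.1"):
        print(alert)
```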
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: pine on March 29, 2013, 07:05 am
Always check the PGP signature or hash of any security-related software you download, especially anything from the Tor Project website or GPG software. Sadly these procedures are less straightforward than they ought to be, but you should still do them every time.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: Green Camel on March 30, 2013, 05:45 pm
Tip: if you have a blockchain.info wallet, always start the URL with https://. blockchain.info doesn't redirect you from http:// to https://, thereby exposing you to MITM attacks from Tor exit nodes.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: springseed23 on April 03, 2013, 01:27 am
Always check the PGP signature or hash of any security-related software you download, especially anything from the Tor Project website or GPG software. Sadly these procedures are less straightforward than they ought to be, but you should still do them every time.

I admit I am lazy sometimes, and a big thanks for your contribution to SR, Pine. I have read many of your posts over the past year, and am safer for it----- Thanks to all who have chimed in!!

Title: Re: any way to tell if you're involved in a MIM attack?
Post by: springseed23 on April 05, 2013, 03:39 pm
Keeping this thread alive. I am back at the hotspot location, and I remember exactly the deal now.

Please read, and give your thoughts!!!!

I have an updated Tor bundle. I logged into Tor at this hotspot. The first login, Tor would not move past accessing network. So I stopped TOR and reloaded. The TOR page came up great, green letters. However, my TOR button is now flashing with a yellow ! mark. It says I need to update my TOR button!

This happened to me last time, so I did it, and then got all the crazy shit that led me to opening this thread in the first place.

Does anyone else get ! flashes on their onion icon in Aurora when your TOR needs updating, or does your TOR page tell you?

WTF-------Hotspots more dangerous than my house :{
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: astor on April 06, 2013, 01:37 am
Yes, that means you need to update your browser bundle.

They recently switched from Firefox 10 to Firefox 17. Because there are so many differences, you can't extract the browser bundle over the top of the old one. You have to extract it into a new folder. That may be why you can't connect.
Title: Re: any way to tell if you're involved in a MIM attack?
Post by: springseed23 on April 09, 2013, 05:22 am
I do not use Firefox, I use Aurora.

And oh----did not know you can't overwrite TOR downloads.

Thanks for the input