Opened 7 years ago

Closed 6 years ago

#8657 closed defect (fixed)

Bad Russian exit node attacks connections to Wikipedia

Reported by: cypherpunks Owned by:
Priority: High Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Keywords: bad-exit tor-auth
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I detected a man-in-the-middle attack due to a bad exit node.

While connecting over an encrypted connection to a Wikipedia web page, Tor Browser produces an SSL certificate warning.

Name of the exit node: Unnamed
IP address: 176.99.10.92
Location: Russia

CN: main.authority.com
O: Main Authority
OU: Certificate Management

Issued on: 03/14/2013
Expires on: 03/14/2014

SHA1 fingerprint: 0C:FF:4C:A3:5E:F3:A7:64:20:1F:55:0B:32:3F:96:81:91:65:0F:ED
MD5 fingerprint: 65:EE:3C:09:75:0D:E5:32:22:2F:0B:3C:7D:8C:A4:72

Child Tickets

Attachments (2)

false certificate.pem (948 bytes) - added by cypherpunks 7 years ago.
mitm certificate
false certificate 2.pem (1.4 KB) - added by cypherpunks 7 years ago.


Change History (14)

Changed 7 years ago by cypherpunks

Attachment: false certificate.pem added

mitm certificate

comment:1 Changed 7 years ago by cypherpunks

Does not only target Wikipedia.

comment:2 Changed 7 years ago by cypherpunks

No one interested so far?

Here is another bad exit node:

"Unnamed"
178.250.246.37 (Russia)

It uses a false certificate for intercepting connections to Twitter for example.

SHA1
27:ED:C9:87:EF:5A:25:05:D9:54:F5:A4:3A:48:E0:6B:91:00:65:18

MD5
01:0A:37:56:06:2A:7E:28:E7:8E:E3:E7:B8:FB:2D:DE

CN: main.authority.com
O: Main Authority
OU: Certificate Management

comment:3 Changed 7 years ago by cypherpunks

another "cypherpunks" account user here --

yeah, I've been getting three of these main.authority.com things the last two days. One Wikipedia, one a popular blog, one I forgot. I'm attaching another one of these false certificates.

a related question, how do you find out which exit node is responsible when Tor Browser gives you an SSL warning?

Changed 7 years ago by cypherpunks

Attachment: false certificate 2.pem added

comment:4 Changed 7 years ago by arma

We added the badexit flag to 176.99.10.92 two days ago.

Interestingly, I'd already added it to 178.250.246.37 on March 6 on moria1, but tor26 and turtles hadn't because they weren't convinced. I think I just got tor26 to add it.

This is certainly a growing problem -- a particular entity is running many fast exits, many in Russia but not all, and doing this mitm thing. We might have to consider further steps in the arms race (the eventual step is to establish a strong social network between exit relay operators, but it would be good to put that off a while more).

comment:5 in reply to: 3 Changed 7 years ago by arma

Replying to cypherpunks:

a related question, how do you find out which exit node is responsible when Tor Browser gives you an SSL warning?

The best answer I've got, I'm afraid, is to rush over to the network map view and see what your circuit is that has that stream attached to it.

comment:6 Changed 7 years ago by arma

Priority: blocker → major

comment:7 Changed 7 years ago by arma

Ok to close? Or are there more? :)

comment:8 Changed 7 years ago by cypherpunks

arma: I'm using Tor Browser without Vidalia. Is there anything narrower than "GETINFO circuit-status"?

comment:9 Changed 7 years ago by arma

You're using tor browser without vidalia? How odd.

getinfo circuit-status and then getinfo stream-status and then you can match them up. Assuming your browser hasn't hung up yet.

That said, if you're talking to the control port directly, listen to circ and stream events, and then you'll have a log of what happened in the past, which is even better.
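The matching step arma describes (GETINFO circuit-status, then GETINFO stream-status, then join the two on the circuit ID to find the exit that carried a given stream), as an added example that is not part of this ticket or of Tor's code. It parses the control-protocol line formats directly rather than using a library, runs over constructed sample replies with made-up fingerprints and nicknames, and assumes the last hop of a BUILT circuit's path is its exit.

```python
import re

# Constructed sample relays: fingerprints are 40 hex chars in the real protocol.
FP_GUARD, FP_MIDDLE, FP_EXIT = "A" * 40, "B" * 40, "C" * 40

# Constructed reply to "GETINFO circuit-status"
# (control-spec line format: CircuitID SP CircStatus SP Path SP key=value ...).
CIRCUIT_STATUS = (
    f"12 BUILT ${FP_GUARD}~guardrelay,${FP_MIDDLE}~middlerelay,${FP_EXIT}~Unnamed "
    "BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL\n"
    f"13 EXTENDED ${FP_GUARD}~guardrelay BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL\n"
)

# Constructed reply to "GETINFO stream-status"
# (StreamID SP StreamStatus SP CircuitID SP Target; circuit 0 means not yet attached).
STREAM_STATUS = (
    "45 SUCCEEDED 12 en.wikipedia.org:443\n"
    "46 SUCCEEDED 12 twitter.com:443\n"
    "47 NEW 0 example.org:80\n"
)

# One path hop: "$" fingerprint, optionally "=" or "~" followed by a nickname.
_HOP_RE = re.compile(r"\$([0-9A-Fa-f]{40})(?:[=~]([A-Za-z0-9]{1,19}))?")


def parse_circuits(text):
    """Return {circuit_id: [(fingerprint, nickname), ...]} for BUILT circuits only."""
    circuits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "BUILT":
            continue  # an unbuilt circuit has no exit to attribute a stream to
        circuits[parts[0]] = [(fp.upper(), nick) for fp, nick in _HOP_RE.findall(parts[2])]
    return circuits


def parse_streams(text):
    """Return {stream_id: (status, circuit_id, target)}."""
    streams = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            streams[parts[0]] = (parts[1], parts[2], parts[3])
    return streams


def exit_for_target(host, circuit_text, stream_text):
    """Return (fingerprint, nickname) of the exit carrying a stream to host, or None."""
    circuits = parse_circuits(circuit_text)
    for _status, circ_id, target in parse_streams(stream_text).values():
        if target.rsplit(":", 1)[0] == host and circ_id in circuits:
            return circuits[circ_id][-1]  # the last hop of the path is the exit
    return None
```

Against a live control port the same functions take the text returned by the two GETINFO commands; the returned fingerprint is what a badexit report needs, since the nickname "Unnamed" seen in this ticket identifies nothing on its own.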

comment:10 Changed 7 years ago by nickm

Keywords: bad-exit tor-auth added

comment:11 Changed 7 years ago by nickm

Milestone: Tor: unspecified

comment:12 Changed 6 years ago by phw

Resolution: fixed
Status: new → closed

Closing since the exit relay was given the badexit flag.
