To verify though, this has no effect on someone using tor and staying on .onion sites or if you are using https end-to-end right?
Honestly, if you use Tor and don't use SSL that seems like laziness to me and deserves to be caught.

On 1/22/2014 9:54 AM, coderman wrote:
> Scientists detect “spoiled onions” trying to sabotage Tor privacy network
> Rogue Tor volunteers perform attacks that try to degrade encrypted connections.
> by Dan Goodin - Jan 21 2014, 2:42pm PST
> http://arstechnica.com/security/2014/01/scientists-detect-spoiled-onions-trying-to-sabotage-tor-privacy-network/
>
> or reason #16256 to crypto end to end...
>
> ---
>
> Computer scientists have identified almost two dozen computers that were actively working to sabotage the Tor privacy network by carrying out attacks that can degrade encrypted connections between end users and the websites or servers they visit.
>
> The "spoiled onions," as the researchers from Karlstad University in Sweden dubbed the bad actors, were among the 1,000 or so volunteer computers that typically made up the final nodes that exited the Tor—short for The Onion Router—network at any given time in recent months. Because these exit relays act as a bridge between the encrypted Tor network and the open Internet, the egressing traffic is decrypted as it leaves. That means operators of these servers can see traffic as it was sent by the end user. Any data the end user sent unencrypted, as well as the destinations of servers receiving or responding to data passed between an end user and server, can be monitored—and potentially modified—by malicious volunteers. Privacy advocates have long acknowledged the possibility that the National Security Agency and spy agencies across the world operate such rogue exit nodes.
>
> The paper—titled Spoiled Onions: Exposing Malicious Tor Exit Relays—is among the first to document the existence of exit nodes deliberately working to tamper with end users' traffic (a paper with similar findings is here). Still, it remains doubtful that any of the 25 misconfigured or outright malicious servers were operated by NSA agents. Two of the 25 servers appeared to redirect traffic when end users attempted to visit pornography sites, leading the researchers to suspect they were carrying out censorship regimes required by the countries in which they operated. A third server suffered from what researchers said was a configuration error in the OpenDNS server.
>
> The remainder carried out so-called man-in-the-middle (MitM) attacks designed to degrade encrypted Web or SSH traffic to plaintext traffic. The servers did this by using the well-known sslstrip attack designed by researcher Moxie Marlinspike or another common MitM technique that converts unreadable HTTPS traffic into plaintext HTTP. Often, the attacks involved replacing the valid encryption key certificate with a forged certificate self-signed by the attacker.
>
> "All the remaining relays engaged in HTTPS and/or SSH MitM attacks," researchers Philipp Winter and Stefan Lindskog wrote. "Upon establishing a connection to the decoy destination, these relays exchanged the destination's certificate with their own, self-signed version. Since these certificates were not issued by a trusted authority contained in TorBrowser's certificate store, a user falling prey to such a MitM attack would be redirected to the about:certerror warning page."
>
> From Russia with love
>
> The 22 malicious servers were among about 1,000 exit nodes that were typically available on Tor at any given time over a four-month period. (The precise number of exit relays regularly changes as some go offline and others come online.) The researchers found evidence that 19 of the 22 malicious servers were operated by the same person or group of people. Each of the 19 servers presented forged certificates containing the same identifying information. The virtually identical certificate information meant the MitM attacks shared a common origin. What's more, all the servers used the highly outdated version 0.2.2.37 of Tor, and all but one of the servers were hosted in the network of a virtual private system providers located in Russia. Several of the IP addresses were also located in the same net block.
>
> The researchers caution that there's no way to know that the operators of the malicious exit nodes are the ones carrying out the attacks. It's possible the actual attacks may be carried out by the ISPs or network backbone providers that serve the malicious nodes. Still, the researchers discounted the likelihood of an upstream provider of the Russian exit relays carrying out the attacks for several reasons. For one, the relays relied on a diverse set of IP address blocks, including one based in the US. The relays frequently disappeared after they were flagged as untrustworthy, researchers also noted.
>
> The researchers identified the rogue volunteers by scanning for server relays that replaced valid HTTPS certificates with forged ones. That might have helped to detect certificate forgery attacks such as the one used in 2011 to monitor 300,000 Gmail users—wouldn't be detected using the methods devised by the researchers. The researchers don't believe the malicious nodes they observed were operated by the NSA or other government agencies.
>
> "Organizations like the NSA have read/write access to large parts of the Internet backbone," Karlstad University's Winter wrote in an e-mail. "They simply do not need to run Tor relays. We believe that the attacks we discovered are mostly done by independent individuals who want to experiment."
>
> While the confirmation of malicious exit nodes is important, it's not particularly surprising. Tor officials have long warned that Tor does nothing to encrypt plaintext communications once it leaves the network. That means ISPs, remote sites, VPN providers, and the Tor exit relay itself can all see the communications that aren't encrypted by end users and the parties they communicate with. Tor officials have long counseled users to rely on HTTPS, e-mail encryption, or other methods to ensure that traffic receives end-to-end encryption.
>
> The researchers have proposed a series of updates to the "Torbutton" software used by most Tor users. Among other things, the proof-of-concept software fix would use an alternative exit relay to refetch all self-signed certificates delivered over Tor. The software would then compare the digital fingerprints of the two certificates. It's feasible that the changes might one day include certificate pinning, a technique for ensuring that a certificate presented by Google, Twitter, and other sites is the one authorized by the operator rather than a counterfeit one. Several hours after this article went live, Winter published this blog post titled What the "Spoiled Onions" paper means for Tor users.
>
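The quoted article describes two detection ideas: the researchers' scan (fetch a decoy destination's certificate through each exit relay, compare it with the certificate seen on a direct connection, and group the relays that served a forgery by the forged certificate's identifying fields) and the proposed Torbutton check (refetch any self-signed certificate through a second exit and compare fingerprints). The following is an added example that models both offline; it is not code from the article, from the Spoiled Onions paper, or from the Tor project. All relay labels, certificate bytes and subject/issuer strings are constructed, and the "certificate" is represented by raw bytes plus two name strings rather than a parsed X.509 object.

```python
"""Offline model of exit-relay certificate scanning (added example, constructed data)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    exit_relay: str   # constructed relay label, not a real Tor relay fingerprint
    cert_der: bytes   # certificate bytes as seen through that exit (constructed)
    subject: str
    issuer: str


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, the usual 'fingerprint' shown in browsers."""
    return hashlib.sha256(der).hexdigest()


def is_self_signed(obs: CertObservation) -> bool:
    """Subject equal to issuer is the cheap, name-based self-signed check."""
    return obs.subject == obs.issuer


def scan_exits(expected_der: bytes, observations):
    """Return the observations whose certificate differs from the known-good one.

    A mismatch alone does not prove the exit operator is the attacker; the
    article notes an upstream provider could be swapping the certificate."""
    expected_fp = cert_fingerprint(expected_der)
    return [o for o in observations if cert_fingerprint(o.cert_der) != expected_fp]


def cluster_by_identity(flagged):
    """Group flagged exits by the forged certificate's (subject, issuer).

    Identical identifying information across many relays is what let the
    researchers attribute 19 of 22 relays to a common origin."""
    groups = defaultdict(list)
    for o in flagged:
        groups[(o.subject, o.issuer)].append(o.exit_relay)
    return dict(groups)


def second_opinion(first: CertObservation, second: CertObservation) -> str:
    """Torbutton-style check: a self-signed certificate seen via one exit is
    refetched via another exit and the two fingerprints are compared."""
    if not is_self_signed(first):
        return "not-self-signed"   # ordinary chain validation covers this case
    if cert_fingerprint(first.cert_der) == cert_fingerprint(second.cert_der):
        return "consistent"        # both exits agree: likely a genuinely self-signed site
    return "mismatch"              # exits disagree: one of them is tampering


# Constructed sample: a decoy site with a CA-issued certificate, two honest exits,
# two exits serving the same forged identity, and one unrelated forgery.
GOOD_CERT = b"constructed-der:decoy.example:issued-by-constructed-ca"
FORGER = "CN=decoy.example,O=Constructed Forger"
OBSERVATIONS = [
    CertObservation("exit-A", GOOD_CERT, "CN=decoy.example", "CN=Constructed Public CA"),
    CertObservation("exit-B", GOOD_CERT, "CN=decoy.example", "CN=Constructed Public CA"),
    CertObservation("exit-C", b"constructed-der:forged-1", FORGER, FORGER),
    CertObservation("exit-D", b"constructed-der:forged-2", FORGER, FORGER),
    CertObservation("exit-E", b"constructed-der:forged-3", "CN=decoy.example", "CN=decoy.example"),
]


def run_scan():
    """Return (names of exits serving a different certificate, clusters by identity)."""
    flagged = scan_exits(GOOD_CERT, OBSERVATIONS)
    return [o.exit_relay for o in flagged], cluster_by_identity(flagged)


if __name__ == "__main__":
    names, clusters = run_scan()
    print("exits serving a different certificate:", names)
    for identity, relays in clusters.items():
        print("forged identity", identity, "seen from", relays)
    print("second opinion on exit-C via exit-A:",
          second_opinion(OBSERVATIONS[2], OBSERVATIONS[0]))
```

Clustering on the certificate's name fields rather than on the raw bytes is deliberate: two relays run by the same operator may present certificates with identical subject and issuer but different keys, and the name fields are what tie them together. The second-opinion check only fires for self-signed certificates, mirroring the proposal in the article; a forged certificate that chains to a trusted CA would not be caught by it, which is the limitation the article raises for the 2011 Gmail case.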
