On 7/7/15, chloe <[email protected]> wrote:
> ...
> how would this method work if an infected client tries to visit a hidden
> service?
there are at least three common ways:

1. using an evil proxy, as directed above. they install a rogue CA so they can sign for any SSL/TLS required. this works for hidden services, because their proxy strips ssl, then forwards to hidden service. e.g. https://www.facebookcorewwwi.onion

2. using memory scraping - they don't appear to do this, but other exploit kits do. if your browser is rendering pages and accepting input, it does so on the local machine, and inspecting local machine memory gets at these bits before encryption (before network I/O)

3. using key exfiltration, so that encrypted streams captured on the network can be decrypted later. note that exfiltrated key material is very small, easy to hide. and then gets you access to all the plain-text. call this the #BULLRUN method.

best regards,

-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
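Method 1 in the reply above depends on a rogue CA being added to the victim's trust store so the interception proxy can sign for any host, .onion HTTPS sites included. The following is an added example, not code from the tor-talk thread or any Tor project code, of the check a defender runs against that: compare the fingerprints of every root in the local trust store with a baseline captured from a known-good machine and report anything new. The two byte strings standing in for DER certificates and the baseline set are constructed for the demonstration; `audit_system_store` applies the same comparison to the real OS store through Python's `ssl` module.

```python
"""Audit the local CA trust store for roots absent from a known-good baseline.

Added example for the interception method discussed above (a rogue CA
installed on the client); it is not code from the tor-talk thread.
"""
from __future__ import annotations

import hashlib
import ssl
from typing import Iterable


def ca_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def find_unexpected_cas(der_certs: Iterable[bytes], baseline: set[str]) -> list[str]:
    """Return the fingerprints of certificates that are not in the baseline.

    Sorted so the output is stable and can be diffed between runs.
    """
    seen = {ca_fingerprint(cert) for cert in der_certs}
    return sorted(fp for fp in seen if fp not in baseline)


def audit_system_store(baseline: set[str]) -> list[str]:
    """Load the OS trust store and report roots missing from the baseline.

    load_default_certs() pulls in the platform's system roots; get_ca_certs()
    only returns certificates the context has actually loaded, so call it
    after that step or the audit sees an empty store.
    """
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return find_unexpected_cas(ctx.get_ca_certs(binary_form=True), baseline)


# Constructed sample data: these byte strings stand in for DER certificates.
# They are not real certificates; the check only needs their hashes.
SAMPLE_TRUSTED_ROOT = b"constructed-der-bytes-of-expected-root-ca"
SAMPLE_ROGUE_ROOT = b"constructed-der-bytes-of-proxy-installed-ca"

# Baseline as it would be recorded from a clean image: only the expected root.
BASELINE = {ca_fingerprint(SAMPLE_TRUSTED_ROOT)}


def demo() -> list[str]:
    """Run the comparison over a constructed store containing one extra root."""
    store_after_infection = [SAMPLE_TRUSTED_ROOT, SAMPLE_ROGUE_ROOT]
    return find_unexpected_cas(store_after_infection, BASELINE)


if __name__ == "__main__":
    for fp in demo():
        print("unexpected root CA in trust store:", fp)
    # For a real host, record BASELINE from a known-good machine and call
    # audit_system_store(BASELINE) on a schedule; any new fingerprint is
    # worth investigating before the browser is trusted again.
```

The check is deliberately fingerprint-based rather than name-based: a rogue CA can copy the subject name of a legitimate root, but it cannot reproduce the hash of the legitimate certificate bytes.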
