Delivery-Date: Wed, 08 Jul 2015 04:43:33 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_MED,T_DKIM_INVALID,T_RP_MATCHES_RCVD
	autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id ED60A1E02F8;
	Wed,  8 Jul 2015 04:43:31 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 9DAA63622A;
	Wed,  8 Jul 2015 08:43:23 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 3521236224
 for <tor-talk@lists.torproject.org>; Wed,  8 Jul 2015 08:43:20 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id uP71eAN2HClg for <tor-talk@lists.torproject.org>;
 Wed,  8 Jul 2015 08:43:20 +0000 (UTC)
Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com
 [IPv6:2a00:1450:4010:c04::231])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id DC089360FB
 for <tor-talk@lists.torproject.org>; Wed,  8 Jul 2015 08:43:19 +0000 (UTC)
Received: by lbbpo10 with SMTP id po10so51680335lbb.3
 for <tor-talk@lists.torproject.org>; Wed, 08 Jul 2015 01:43:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :content-type; bh=V9rncXFvhxhCbghRoOhKwnsfLm7ncLLiVIAbg/972wI=;
 b=BBJNo5xA6U+pnp9zIyhj0geJlFBg2zUd9RzVtCu7gmAjA4wWMXcijhh+xorZ7+pcgw
 3PvgSYH5LkcmubbVy1kSvkw1ny7qXiVB9FYGO5cCbmAQ0ecKXThCvQWbjl7Xlg3eVDip
 RXUOi01nUzdjx4yWsn13ssq6vkTy3ysc2bwKnPOgLnPak9EfQmsCxcAZZBBQrKlspO0T
 W/+YdibIaWfX0gSnrhIRususQrTp4v4wWd01eEv1zdU0bELgUhygWcwn/2y87L/WXikC
 OHPeduZBd9Y1e8Nnu7izEVGUQysXVvyWNs+yESi8sP1f3Q8ckd3Yg+e746mwf+cqCYFb
 qd0w==
MIME-Version: 1.0
X-Received: by 10.112.201.199 with SMTP id kc7mr8256240lbc.25.1436344996682;
 Wed, 08 Jul 2015 01:43:16 -0700 (PDT)
Received: by 10.25.90.80 with HTTP; Wed, 8 Jul 2015 01:43:16 -0700 (PDT)
In-Reply-To: <559BEFAD.9090604@countermail.com>
References: <559BE795.8020505@gmail.com>
	<559BEFAD.9090604@countermail.com>
Date: Wed, 8 Jul 2015 01:43:16 -0700
Message-ID: <CAJVRA1TazX+WbSsKYFacbzwkcm75q-r8=BJ+rm_7k-c9rRwkkg@mail.gmail.com>
From: coderman <coderman@gmail.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Regarding the Hacking Team leak and the "TOR
 interception" (all uppercase Tor obviously)
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 7/7/15, chloe <chloe@countermail.com> wrote:
> ...
> how would this method work if an infected client tries to visit a hidden
> service?


there are at least three common ways:

1. using an evil proxy, as directed above. they install a rogue CA so
they can sign for any SSL/TLS required.  this works for hidden
services, because their proxy strips ssl, then forwards to hidden
service. e.g. https://www.facebookcorewwwi.onion

2. using memory scraping - they don't appear to do this, but other
exploit kits do. if your browser is rendering pages and accepting
input, it does so on the local machine, and inspecting local machine
memory gets at these bits before encryption (before network I/O).

3. using key exfiltration, so that encrypted streams captured on the
network can be decrypted later. note that exfiltrated key material is
very small, easy to hide, and then gets you access to all the
plain-text. call this the #BULLRUN method.

best regards,
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
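Method 1 above (a local implant installs a rogue CA and re-signs traffic in a proxy) has two defender-side checks that follow directly from how it works: the rogue root has to appear in the local trust store, and the re-signed leaf cannot match a pinned copy of the genuine certificate. The following Python is an added example written for this reply, not code from coderman, the tor-talk list, or any project; the `load_system_roots`, `trust_store_drift` and `inspect_chain` names are my own, and every "certificate" below is a constructed byte string standing in for real DER, since the technique only needs fingerprints of the bytes.

```python
"""Detect the 'evil proxy with a rogue CA' pattern from the defender's side:
(1) diff the local trust store against a recorded baseline to catch a newly
installed CA, and (2) pin the onion service's genuine leaf so a re-signed
chain is rejected even when the rogue root has become 'trusted'.
Added example; all certificate bytes below are constructed stand-ins."""
import hashlib
import ssl
from typing import Dict, List, Set, Tuple


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def load_system_roots() -> Dict[str, bytes]:
    """Fingerprint -> DER for every CA the default OpenSSL context trusts.
    Real ssl API: run once to record a baseline, later to compare against it.
    Not exercised by the constructed data below (it reads the live machine)."""
    ctx = ssl.create_default_context()
    return {cert_fingerprint(d): d for d in ctx.get_ca_certs(binary_form=True)}


def trust_store_drift(baseline: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) root fingerprints relative to the recorded baseline.
    A root that appears without a known provisioning change is the signal."""
    return current - baseline, baseline - current


def inspect_chain(chain: List[bytes], baseline_roots: Set[str], pinned_leaves: Set[str]) -> str:
    """Classify a presented chain (leaf first, root last).

    PIN_OK        leaf is one of the pinned certificates
    ROGUE_ROOT    leaf not pinned and the chain ends in a root outside the baseline
    PIN_MISMATCH  leaf not pinned although the root is a baseline root
    """
    if not chain:
        return "EMPTY_CHAIN"
    if cert_fingerprint(chain[0]) in pinned_leaves:
        return "PIN_OK"
    if cert_fingerprint(chain[-1]) not in baseline_roots:
        return "ROGUE_ROOT"
    return "PIN_MISMATCH"


# --- constructed sample data (stand-ins for real DER certificates) ---
PUBLIC_ROOT_DER = b"constructed: well-known public root CA"
GENUINE_LEAF_DER = b"constructed: genuine leaf for the onion service"
ROGUE_ROOT_DER = b"constructed: interception CA installed by the implant"
RESIGNED_LEAF_DER = b"constructed: leaf re-signed by the interception CA"

BASELINE_ROOTS = {cert_fingerprint(PUBLIC_ROOT_DER)}
PINNED_LEAVES = {cert_fingerprint(GENUINE_LEAF_DER)}


def demo() -> Dict[str, object]:
    """Run both checks over the constructed data and return the verdicts."""
    # the live store after the implant added its CA
    current_roots = BASELINE_ROOTS | {cert_fingerprint(ROGUE_ROOT_DER)}
    added, removed = trust_store_drift(BASELINE_ROOTS, current_roots)
    genuine = [GENUINE_LEAF_DER, PUBLIC_ROOT_DER]
    intercepted = [RESIGNED_LEAF_DER, ROGUE_ROOT_DER]
    return {
        "new_roots": added,
        "removed_roots": removed,
        "genuine_chain": inspect_chain(genuine, BASELINE_ROOTS, PINNED_LEAVES),
        "intercepted_chain": inspect_chain(intercepted, BASELINE_ROOTS, PINNED_LEAVES),
        # against the tampered live store the rogue root looks trusted, so only
        # the pin still flags the chain; that is why the pin check is independent
        "intercepted_vs_live_store": inspect_chain(intercepted, current_roots, PINNED_LEAVES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline diff is the cheap check and catches the installation step regardless of which site is visited; the pin is what still holds once the store has been tampered with, which is why `inspect_chain` takes the baseline as an argument instead of reading the live trust store. Methods 2 and 3 in the reply (memory scraping, key exfiltration) operate before or beside the TLS layer, so neither check above sees them.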

