Date: Fri, 27 Jun 2014 11:42:10 -0400
From: Philipp Winter <phw@nymity.ch>
To: tor-talk@lists.torproject.org
Message-ID: <20140627154210.GE3723@nymity.ch>
Mail-Followup-To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Bad Exit Nodes.

On Fri, Jun 27, 2014 at 04:26:30AM -0700, Bobby Brewster wrote:
> How could a person who is sniffing / stripping exit traffic be detected?

We recently did some work on that:
<http://www.cs.kau.se/philwint/spoiled_onions/>

Long story short: Active attacks such as sslstripping are easy to detect
because they modify network traffic.  Passive attacks such as traffic sniffing
are more difficult to detect, but you can catch sniffers if they later decide to
log in with sniffed credentials.

> Also, how are bad nodes determined. For example, iiioooeee is a bad node.
> Why?  What makes it bad?  It is not an exit node.

"Bad" typically means either malicious or misconfigured.  Some relays were
assigned the BadExit flag because their DNS resolver blocks domain categories
such as pornography or proxy/anonymiser.  BadExiting a relay is a last resort
and sending an email to the exit relay operator is typically enough to fix the
problem.

The relay iiioooeee has the BadExit flag because it is located in Iran.  Here's
the discussion leading to that:
<https://bugs.torproject.org/4923>.

> However, HKT01 is an exit node that is marked bad.  Why?  Interestingly,
> HKT02 which is also an exit node is not marked bad even though they are on
> the same subnet as HKT01.

The HKT relays are not malicious but seem to be subject to the Great Firewall's
DNS poisoning.  While that won't hurt you, it can be quite annoying when trying
to connect to web sites which are blocked in China.

HKT02 is not marked as bad yet because it is not clear if it's a good idea to
block all relays which sometimes return broken DNS records.  Many exit relays
use crappy resolvers and blocking all of them might be worse for the Tor
network than being redirected to unexpected web sites every now and then.

Cheers,
Philipp
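Added example, not part of Philipp's message and not code from the spoiled_onions project or from Tor: three small checks that illustrate the detection approaches the message describes. The first compares a page fetched directly with the same page fetched through an exit and reports https links that came back as plain http (the "active attacks modify traffic" case). The second compares DNS answers obtained directly with answers obtained through the exit and flags names whose answers are empty or share no address at all, which is how a resolver that blocks categories or returns poisoned records would show up. The third watches an authentication log for reuse of decoy credentials that were deliberately sent through each exit once, which is the "sniffers later log in with sniffed credentials" case. All page bodies, DNS answers, log lines and exit fingerprints below are constructed for the demo; the fingerprint strings are placeholders, and the log format is assumed.

```python
"""Three defender-side checks for exit relays, on constructed data."""
from __future__ import annotations
import re

URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Constructed: the same page fetched directly (reference) and through an exit.
REFERENCE_HTML = ('<a href="https://example.com/login">Login</a> '
                  '<a href="https://example.com/about">About</a>')
OBSERVED_HTML = ('<a href="http://example.com/login">Login</a> '
                 '<a href="https://example.com/about">About</a>')

# Constructed: A-record answers from a trusted resolver vs. through the exit.
# Only RFC 5737 documentation addresses are used.
REFERENCE_DNS = {
    "example.com": {"192.0.2.1"},
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
    "blocked.example.org": {"203.0.113.5"},
    "missing.example.org": {"192.0.2.7"},
}
OBSERVED_DNS = {
    "example.com": {"192.0.2.1"},
    "cdn.example.net": {"198.51.100.11", "198.51.100.12"},  # CDN rotation, overlaps
    "blocked.example.org": {"203.0.113.99"},                # fully different answer
    # missing.example.org: no answer at all through the exit
}

# Constructed auth log (format assumed) and decoy credentials, one per exit.
AUTH_RE = re.compile(
    r'^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)')
AUTH_LOG = [
    "2014-06-27T10:00:00Z login ok user=decoy-a1b2 src=198.51.100.20",  # our probe via exit A
    "2014-06-27T10:00:05Z login ok user=decoy-c3d4 src=198.51.100.21",  # our probe via exit B
    "2014-06-27T10:01:00Z login fail user=decoy-a1b2 src=203.0.113.40",
    "2014-06-27T13:37:00Z login ok user=decoy-a1b2 src=203.0.113.40",   # decoy reused later
    "2014-06-27T14:00:00Z login ok user=alice src=203.0.113.41",
]
DECOYS = {"decoy-a1b2": "EXIT_FP_A_PLACEHOLDER", "decoy-c3d4": "EXIT_FP_B_PLACEHOLDER"}


def find_stripped_links(reference_html: str, observed_html: str) -> list[str]:
    """Return https URLs in the reference copy that appear as plain http
    through the exit.  Any hit means something on the path rewrote the page."""
    ref_https = {u for u in URL_RE.findall(reference_html) if u.startswith("https://")}
    obs_http = {u for u in URL_RE.findall(observed_html) if u.startswith("http://")}
    return [u for u in sorted(ref_https)
            if "http://" + u[len("https://"):] in obs_http]


def dns_mismatches(reference: dict[str, set[str]],
                   observed: dict[str, set[str]]) -> dict[str, str]:
    """Compare A-record answers per name.  CDNs rotate addresses, so partial
    overlap is treated as normal; an empty or completely disjoint answer is
    flagged for manual follow-up (blocking resolver, poisoning, or breakage)."""
    verdicts = {}
    for name, ref_ips in reference.items():
        obs_ips = observed.get(name, set())
        if not obs_ips:
            verdicts[name] = "no answer"
        elif ref_ips.isdisjoint(obs_ips):
            verdicts[name] = "disjoint answer " + ",".join(sorted(obs_ips))
    return verdicts


def sniffed_decoys(log_lines: list[str], decoys: dict[str, str]) -> list[tuple]:
    """Each decoy credential is sent through exactly one exit, once.  The first
    successful login is our own probe; every later success means the credential
    was observed in transit.  Returns (exit fingerprint, user, src, timestamp)."""
    probed: set[str] = set()
    hits = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m or m["result"] != "ok" or m["user"] not in decoys:
            continue
        if m["user"] not in probed:
            probed.add(m["user"])  # our own probe through the exit
            continue
        hits.append((decoys[m["user"]], m["user"], m["src"], m["ts"]))
    return hits


if __name__ == "__main__":
    print("stripped links:", find_stripped_links(REFERENCE_HTML, OBSERVED_HTML))
    print("dns verdicts:", dns_mismatches(REFERENCE_DNS, OBSERVED_DNS))
    print("decoy reuse:", sniffed_decoys(AUTH_LOG, DECOYS))
```

The DNS check deliberately tolerates partial overlap so that ordinary CDN rotation is not reported; only an empty or completely different answer is flagged, and the flag is a prompt to look closer, not a verdict, which matches the point that many exits simply use poor resolvers.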