From: Rich Jones <rich@openwatch.net>
Date: Mon, 30 Jun 2014 17:40:37 -0700
Message-ID: <CADJYzxJW2CX2vVuTC-tz1cEF_1D+wc_nYWcpkzHu0m56AeEQxA@mail.gmail.com>
To: tor-talk@lists.torproject.org
Subject: [tor-talk] Report of Pervasive Active MiTM Attack Against Hidden Services
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>

Has anybody responded to this claim yet?
http://s7kgnncq3zbe3yza.onion/windex.shtml#mitm

I don't understand how such an attack would be possible without decrypting
the traffic, unless this is actually a phishing-and-proxy attack and not a
"true" MiTM. (How would an MiTM be able to manipulate traffic from a hidden
service without decrypting the contents? I was under the impression that
HTTP requests to hidden services should be end-to-end encrypted.)

Either way, still worth taking note of.

R

via Onion Soup:

> 05/03/14 - 06/26/14
>
> For a period of 3 weeks, a man-in-the-middle attack has pervaded
> onionland. To date, over 400 .onion domains are known to have been
> targeted. The attack consists of at least one person creating new .onion
> addresses, cloning websites "on-the-fly" and rewriting the original sites'
> contents. The attacker can rewrite any text on an original page to a
> "cloned" page - in real time. The primary intent appears to be Bitcoin
> theft. Once a Bitcoin ID is rewritten to one of the attacker's IDs,
> unwitting customers send Bitcoin to his ID instead of the intended party.
>
> Even though Bitcoin theft may be the object - with non-market sites
> cloned, a site's reputation can be ruined, connections hijacked and
> legitimate traffic diverted from the original site.
>
> The problems with these attacks are: (1) they are consuming the
> resources of .onion hosters by the attacker's cloning redirects, (2) they
> are diverting visitors via altered hyperlinks to the fake sites, and (3)
> Bitcoin fraud is being committed.
>
> Below is what a HEAD request for a cloned site returned when called
> from the onion sniffer app
> <http://s7kgnncq3zbe3yza.onion/windex.shtml#sniff>. See the "302"
> redirect (to the original site) and "PHPSESSID" in the "Set-Cookie:"
> header?
>
>
> Connection to 42w2zwtwxqbhexsm.onion 80 port [tcp/www] succeeded!
>
> HTTP/1.1 302 Found
> Date: Sat, 03 May 2014 18:28:08 GMT
> Server: Apache/2.4.9 (Fedora) PHP/5.5.11
> X-Powered-By: PHP/5.5.11
> Set-Cookie: PHPSESSID=dqqct52sp913aq0tcokhef2lr1; path=/
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Pragma: no-cache
> Location: http://n6pbizsbykwxmydz.onion/
> Connection: close
> Content-Type: text/html; charset=UTF-8
>
> The only known means of blocking this attack is to match the specific
> cookie or the generalized "path" statement in the "Set-Cookie:" header
> field. With lighttpd, a rule can be created (in lighttpd.conf) to deny
> access to the attacker's attempts to clone the original pages by
> redirects.
>
> $HTTP["cookie"] =~ "PHPSESSID" { url.access-deny = ( "" ) }
>
> However, the first cookie makes it through; that is, on the first pass, a
> browser can access the fake site, but a subsequent hit on any page of the
> fake site is blocked, and a "403 - Forbidden" error thrown up. To force a
> 403 immediately after the first page loads, the webpage can be refreshed
> to a new page.
>
> Update: the cloner no longer sends the PHPSESSID cookie. An NID (session)
> cookie is currently (06/26/14) being transmitted. [1
> <http://s7kgnncq3zbe3yza.onion/windex.shtml#cook>] To block it, use the
> following rule, or - to thwart his future cookie plans - use the more
> generalized path rule [2 <http://s7kgnncq3zbe3yza.onion/windex.shtml#path>]
> - along with refreshing the page:
>
> $HTTP["cookie"] =~ "NID" { url.access-deny = ( "" ) }
>
> Copy index.html to sindex.html. Place the following between the <head>
> and </head> of index.html.
>
> <meta http-equiv="refresh" content="0; url=sindex.html">
>
> Finally, the attacker's script cannot parse ASCII code. The first (or
> any other) letter of a site's hostname can be substituted for - by its
> ASCII equivalent <http://www.asciitable.com>. The warning notice should
> consist of ASCII code and text (which is rendered by the browser as text).
> To warn visitors of a site that connection hijacking attempts abound on
> the darknet and to identify your site as the original, a warning -
> containing something to the effect below and anchored to the head of the
> index page - should be adopted. The cloner cannot alter ASCII on-the-fly,
> and anyone visiting the fake site can detect the hijacked connection - by
> merely inspecting the warning.
>
> WARNING: connection hijacking attacks are rampant in onionland. This
> site's hostname is s7kgnncq3zbe3yza.onion. Look at the navigation bar. If
> you see any other hostname, leave immediately!
>
> Notes
>
> (1) Here's what Chrome reports about the NID cookie:
>
> Name: NID
> Content: jcf27o21sdhok7fga77g0cmk42
> Domain: 42w2zwtwxqbhexsm.onion
> Path: /
> Send for: Any kind of connection
> Accessible to script: Yes
> Created: Friday, June 27, 2014 3:03:04 AM
> Expires: When the browsing session ends
>
> The lighttpd rule blocks the cookie. The "Expires:" line explains why a
> 403 is thrown up when a page is loaded and refreshed (or any other page on
> the site is visited) - AFTER the browser is closed and re-opened. Below is
> the header from the cloner's most recent arrangement. Notice the different
> Server, cookie and Location.
>
> Connection to 42w2zwtwxqbhexsm.onion 80 port [tcp/www] succeeded!
>
> HTTP/1.1 302 Moved Temporarily
> Server: nginx
> Date: Sat, 28 Jun 2014 07:57:04 GMT
> Content-Type: text/html
> Connection: close
> Set-Cookie: NID=h3fr5ohquqdqnnnmcgjhuhdfd6; path=/
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Pragma: no-cache
> Location: http://kpvz7ki2lzvnwve7.onion
>
> (2) The alternate (more generalized) blocking rule matches a different
> portion of the cookie field ("path"), then it denies access to the clone
> site. N.B., this rule will block all sites from sending cookies through
> your server.
>
> $HTTP["cookie"] =~ "path" { url.access-deny = ( "" ) }
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
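The two HEAD responses quoted in the report carry the signals the author points at: a 302 whose Location names a different .onion than the one queried, and a Set-Cookie with a session id that a static mirror has no reason to set. The following is an added example (not code from the original post or from Onion Soup) that parses a raw response head and reports those indicators. The first two sample responses are transcribed from the report; the third is a constructed benign control. Fetching the head itself (a HEAD request to the suspect .onion through Tor's SOCKS port) is left to the caller.

```python
"""Clone indicators from a HEAD response, after the Onion Soup report.

Added example, not code from the original post or from Onion Soup.
"""
import re
from urllib.parse import urlsplit

# Cookie names the report saw the cloner set, plus a few other common session ids.
SESSION_COOKIE_NAMES = {"PHPSESSID", "NID", "JSESSIONID", "ASP.NET_SessionId"}

STATUS_LINE_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")


def parse_response_head(raw: str):
    """Split a raw response head into (status_code, [(header_name_lower, value), ...])."""
    lines = raw.strip().splitlines()
    m = STATUS_LINE_RE.match(lines[0])
    if not m:
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        if not line.strip():          # a blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers


def redirect_target(raw: str):
    """Hostname named by Location on a 3xx response, or None."""
    status, headers = parse_response_head(raw)
    if not 300 <= status < 400:
        return None
    for name, value in headers:
        if name == "location":
            return urlsplit(value).hostname
    return None


def clone_indicators(requested_host: str, raw: str):
    """Return the indicator strings found; an empty list means nothing suspicious."""
    status, headers = parse_response_head(raw)
    found = []
    target = redirect_target(raw)
    # The clone answers with a redirect to the real site; a site redirecting
    # to itself (e.g. http -> a canonical path) is not an indicator.
    if target and target.endswith(".onion") and target != requested_host:
        found.append(f"{status} redirect to a different onion host: {target}")
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in SESSION_COOKIE_NAMES:
                found.append(f"session cookie set on a supposedly static page: {cookie_name}")
    return found


# Transcribed from the report: the May and June captures of the same clone host.
CLONE_MAY = """HTTP/1.1 302 Found
Date: Sat, 03 May 2014 18:28:08 GMT
Server: Apache/2.4.9 (Fedora) PHP/5.5.11
X-Powered-By: PHP/5.5.11
Set-Cookie: PHPSESSID=dqqct52sp913aq0tcokhef2lr1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://n6pbizsbykwxmydz.onion/
Connection: close
Content-Type: text/html; charset=UTF-8
"""

CLONE_JUNE = """HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sat, 28 Jun 2014 07:57:04 GMT
Content-Type: text/html
Connection: close
Set-Cookie: NID=h3fr5ohquqdqnnnmcgjhuhdfd6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://kpvz7ki2lzvnwve7.onion
"""

# Constructed benign control: a static page answering directly, no cookie, no redirect.
BENIGN = """HTTP/1.1 200 OK
Server: lighttpd/1.4.35
Content-Type: text/html
Content-Length: 4096
"""

if __name__ == "__main__":
    for label, raw in (("May", CLONE_MAY), ("June", CLONE_JUNE), ("benign", BENIGN)):
        print(label, clone_indicators("42w2zwtwxqbhexsm.onion", raw) or ["no indicators"])
```

Run against a host you operate, the interesting case is the inverse one: a HEAD on a suspected clone that 302s to your own onion while setting a session cookie your site never issues.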
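The report describes the cloner as creating its own .onion addresses and rewriting the original pages on the fly, which is the phishing-and-proxy shape Rich asks about: the visitor's rendezvous connection terminates at the attacker's service, so nothing has to be decrypted. The added example below (not code from the original post or from Onion Soup) models that rewrite as a literal text substitution and shows why the report's "ASCII code" defence works against it: the hostname in the warning is written as HTML numeric character references, which a browser renders as plain text but a byte-for-byte replace never sees. It also shows the caveat that a cloner which decodes entities before substituting defeats the trick. s7kgnncq3zbe3yza.onion is the report's own hostname; the clone hostname and both Bitcoin addresses are constructed placeholders.

```python
"""The cloner as a rewriting proxy, and why an entity-encoded hostname survives it.

Added example, not code from the original post or from Onion Soup.
"""
import html
import re

ORIGINAL_HOST = "s7kgnncq3zbe3yza.onion"               # from the report
CLONE_HOST = "aaaaaaaaaaaaaaaa.onion"                  # constructed placeholder
ORIGINAL_BTC = "1OrigSiteExampleAddr0000000000000"     # constructed, not a real address
ATTACKER_BTC = "1AttackerExampleAddr00000000000000"    # constructed, not a real address

ONION_RE = r"[a-z2-7]{16}\.onion"                      # v2 onion names, as in 2014


def entity_encode(text: str) -> str:
    """Encode every character as a decimal numeric character reference (&#NNN;)."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def warning_banner(host: str) -> str:
    """The report's warning notice, with the hostname entity-encoded."""
    return ("<p>WARNING: connection hijacking attacks are rampant in onionland. "
            f"This site's hostname is {entity_encode(host)}. Look at the navigation bar. "
            "If you see any other hostname, leave immediately!</p>")


def original_page() -> str:
    """Constructed sample page: banner, payment address and a self-referencing link."""
    return ("<html><head><title>Shop</title></head><body>"
            f"{warning_banner(ORIGINAL_HOST)}"
            f"<p>Send payment to {ORIGINAL_BTC}</p>"
            f"<a href=\"http://{ORIGINAL_HOST}/faq\">FAQ</a>"
            "</body></html>")


def naive_clone_rewrite(page: str) -> str:
    """The cloner as described: literal find-and-replace on the original bytes."""
    return page.replace(ORIGINAL_HOST, CLONE_HOST).replace(ORIGINAL_BTC, ATTACKER_BTC)


def unescaping_clone_rewrite(page: str) -> str:
    """Caveat: a cloner that decodes entities before substituting defeats the trick."""
    return naive_clone_rewrite(html.unescape(page))


def banner_hostname(page: str):
    """The hostname a visitor reads in the rendered banner (entities decoded), or None."""
    m = re.search(rf"hostname is ({ONION_RE})", html.unescape(page))
    return m.group(1) if m else None


def visitor_sees_mismatch(page: str, address_bar_host: str) -> bool:
    """True when the rendered banner names a host other than the one in the address bar."""
    return banner_hostname(page) != address_bar_host


if __name__ == "__main__":
    cloned = naive_clone_rewrite(original_page())
    print("payment address swapped:", ATTACKER_BTC in cloned)
    print("banner still names:", banner_hostname(cloned))
    print("mismatch visible on the clone:", visitor_sees_mismatch(cloned, CLONE_HOST))
    print("after an entity-aware cloner:", banner_hostname(unescaping_clone_rewrite(original_page())))
```

The defence therefore only buys time against a cloner that does not normalise the page before rewriting; a visitor who does not read the banner gets no protection, and a cloner that runs html.unescape first rewrites the banner along with everything else.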
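The three lighttpd rules in the report all use `$HTTP["cookie"] =~ "..."`, which is a regular-expression match against the request's Cookie header, so each behaves as a plain unanchored regex. The added example below (not code from the original post or from Onion Soup) runs them over constructed Cookie headers: the one a browser holding the cloner's PHPSESSID would send, the later NID one, a legitimate cookie whose name merely contains "NID", a header with no cookie at all (the "first pass" the report mentions), and a header that echoes the raw Set-Cookie text. It also shows an anchored pattern, an assumed improvement not from the report, that fires only on the cookie name. One fact worth checking against the "path" rule: per RFC 6265 a browser's Cookie header carries only name=value pairs and does not echo Set-Cookie attributes such as path, so that rule only matches if whatever sits in front of the browser forwards the attribute text itself.

```python
"""What the lighttpd cookie rules in the report actually match.

Added example, not code from the original post or from Onion Soup.
"""
import re

# The rules as quoted, reduced to the regex lighttpd applies to the Cookie header.
RULE_PHPSESSID = r"PHPSESSID"
RULE_NID = r"NID"
RULE_PATH = r"path"

# Anchored alternative (assumed improvement, not from the report): match only a
# cookie *named* NID or PHPSESSID, at the start of the header or after a ';'.
RULE_ANCHORED = r"(?:^|;\s*)(?:NID|PHPSESSID)="

# Constructed request headers for the checks (ids taken from the report's captures).
FIRST_VISIT = {}                                                        # no Cookie header yet
CLONE_PHPSESSID = {"Cookie": "PHPSESSID=dqqct52sp913aq0tcokhef2lr1"}    # May capture id
CLONE_NID = {"Cookie": "NID=h3fr5ohquqdqnnnmcgjhuhdfd6"}                 # June capture id
LEGIT_LOOKALIKE = {"Cookie": "UNID=42; theme=dark"}                      # constructed legitimate cookies
FORWARDED_RAW = {"Cookie": "NID=h3fr5ohquqdqnnnmcgjhuhdfd6; path=/"}     # constructed: Set-Cookie text echoed


def access_denied(rule: str, request_headers: dict) -> bool:
    """Emulate `$HTTP["cookie"] =~ rule { url.access-deny = ( "" ) }`: 403 when the regex matches."""
    cookie = request_headers.get("Cookie", "")
    return re.search(rule, cookie) is not None


def evaluate(rule: str) -> dict:
    """Which of the constructed requests a rule would answer with 403."""
    cases = {
        "first_visit": FIRST_VISIT,
        "clone_phpsessid": CLONE_PHPSESSID,
        "clone_nid": CLONE_NID,
        "legit_lookalike": LEGIT_LOOKALIKE,
        "forwarded_raw": FORWARDED_RAW,
    }
    return {name: access_denied(rule, hdrs) for name, hdrs in cases.items()}


if __name__ == "__main__":
    for label, rule in (("PHPSESSID", RULE_PHPSESSID), ("NID", RULE_NID),
                        ("path", RULE_PATH), ("anchored", RULE_ANCHORED)):
        print(f"{label:10}", evaluate(rule))
```

The unanchored "NID" rule also 403s any visitor whose legitimate cookie name happens to contain those three letters, and "PHPSESSID" would lock out your own users if the origin ever runs PHP sessions; the anchored form narrows both without missing the cloner's cookies.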

