Spoiled Onions: Exposing Malicious Tor Exit Relays

P. Winter, R. Köwer, M. Mulazzani, M. Huber, S. Schrittwieser, S. Lindskog, E. Weippl:
"Spoiled Onions: Exposing Malicious Tor Exit Relays";
Talk: Privacy Enhancing Technologies Symposium (PETS), Amsterdam, Netherlands; 16.07.2014 - 18.07.2014; in: "Privacy Enhancing Technologies Symposium", (2014).



Tor exit relays are operated by volunteers and together push more than 1 GiB/s of network traffic. By design, these volunteers are able to inspect and modify the anonymized network traffic. In this paper, we seek to expose such malicious exit relays and document their actions. First, we monitored the Tor network after developing two fast and modular exit relay scanners: one for credential sniffing and one for active MitM attacks. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of several months. We discovered numerous malicious exit relays engaging in a multitude of different attacks. To reduce the attack surface users are exposed to, we patched Torbutton, an existing browser extension and part of the Tor Browser Bundle, to fetch and compare suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously and systematically monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks, thereby making the network safer for its users. All our source code is available under a free license.