I didn't realize this was ever in question - of course you can't trust Tor exit nodes not to snoop on your traffic. You can't trust your ISP or friendly local intelligence agency not to snoop on your traffic either; this is why end-to-end authentication and encryption is a useful thing. (Not meant as a criticism of Chloe's research, it's certainly valuable data).
Exactly, I'd actually argue that Tor exit nodes are, on average, more likely to be untrustworthy than a standard ISP connection, as the incentives are there for people to run them to capture exactly the kind of traffic people want to remain secret, and Tor exit node + root CA certificate is a great model for government level attackers to hoover up data which is likely to be sensitive.
To analyze if ISPs are more likely to be malicious than a Tor exit node, you need to list all the attacks and determine which is more likely.
An ISP employee knows who is on either side of a connection and can pick and choose targets in a very selective way. As gatekeepers they can also be influenced by outsiders to target specific users and attack them. They are however likely to get caught if they do noticeable attacks, and risk their job if it's unsanctioned, and risk the company's reputation if it is sanctioned.
A Tor operator cannot see who is making the connection, but they are slightly less likely to get caught if they do try to attack users. They are also only going to lose the node's IP address reputation if they are caught attacking users.
Third are the backbone networks, which unlike the ISP level have great incentives for government level attackers to collect whole nations'/continents' amount of data. The risk that they are found out is almost zero, and if they are they can still deny it.
All in all, I would summarize it in such a way that ISPs have the greater risk of active attacks by both criminal actors and government level actors, backbone networks for passive attacks by government level actors, and Tor nodes for passive attacks by criminal actors. In order to protect against all three you have to use end-to-end encryption as the primary security technique, and adding Tor then helps against metadata attacks.
Heck, my cellular provider was tracking the HTTP connections of their customers by default to sell profiles to marketing companies. (You could opt out, but I believe the fine print was something along the lines of 'we won't sell your information anymore but we will still collect it for later'). Other Internet providers have offered a cheaper plan to opt-in to traffic snooping for marketing profile building/selling. Tor exit nodes and my residential ISPs are on a similar level of distrust for me.
I've since started using a 'whole premises VPN' (all traffic is routed through an encrypted tunnel to a VPS) - I have more confidence in my VPS provider than I do in my residential ISPs. At least the VPS company probably won't use my connection data for marketing profiles.
Tor also has extensive documentation about the threat model they protect against, and the limitations of that model.
If there were one thing I could change about security discussions, it's that you can't talk about security in the abstract -- only security relative to some threat or foe.
I think a lot of the conversation would change if we could get people to start talking about security that way.
> Amongst his unwitting victims were the Australia, Japanese, Iranian, India and Russia embassies, the Iranian Foreign Ministry, the Indian Ministry of Defence and the Dalai Lama's liaison office.
> He concluded that people were using Tor in the mistaken belief that it was an end-to-end encryption tool.
No. Dan snooped on attackers hacking the email of the Australia, Japanese, Iranian, India and Russia embassies, the Iranian Foreign Ministry, the Indian Ministry of Defence and the Dalai Lama's liaison office.
The apparently bad exits are listed there, with links to Globe (Tor's relay database). So you can exclude them if you like, in Tor's config file (torrc).
Also, the Tor Project apparently hasn't responded to Chloe's report.[0] But I just saw a question about it on tor-talk.
Edit: The nickname of the first exit in her list is "Hackosaurusrex" ;)
Circa 2009, while attending graduate school at the University of Minnesota, I was a student of Dr. Nick Hopper, whose CS research team were intensely focused on ways to deanonymize TOR traffic using an impressive variety of techniques. One that stood out was using statistical analysis of netflow to correlate browsing patterns. Considering that last-mile bandwidth providers also gather netflow and often provide flow data to three letter agencies, being able to map flows from known exit nodes to last mile service providers isn't rocket surgery. After an early initial exposure to some of their research, I never placed any trust in TOR. I still have a quote from Dr. Hopper on my laptop login screen, to serve as a reminder: "The problem with privacy on the Internet is that people believe it exists."
Tor specifically doesn't resist pervasive flow monitoring, and their lack of being able to resist that attack is discussed thoroughly in the documentation, at least twice (both general usage and in the threat models section).
The attack you say stands out is literally just implementing the most obvious thing that Tor explicitly doesn't defend against. It's just a demonstration that Tor's threat model is accurate, and not a weakness in Tor that people were unaware of.
That you had a knee-jerk reaction to not use Tor for what it's good at when you realized it can't do everything is the all-or-nothing, it-must-be-perfect mentality that is the enemy of good.
It's people like you, with your all-or-nothing extremism that undermine reasonable discussions about partial steps we could take.
> Can you trust a 3rd party to handle your insecure connections?
It's totally possible to set up websites where you, as the user, don't have to worry about this at all. Even sslstripping can be mitigated if the operators of the website know what they're doing.
Passive monitoring? Use https.
Upgrades to https getting prevented? Submit your site to the hsts preload list[0]
The HSTS site you link to says:
> Submissions to the preload list are not automatic nor assured. All submissions undergo a manual review that may take one to several weeks.
It does not surprise me; bundling a list of all the sites wanting SSL-only with the browser can't possibly scale. I would expect that this is only possible for the most popular websites that have enough clout to get included.
So for normal people, no, it sounds like it's not really possible to do this.
You can send the HSTS header, and the browser will refuse to connect over http again. Then you can only be downgraded the first time. The list is just for the first visits.
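To make the header-versus-preload-list point concrete, here is an added example (mine, not from the thread): a minimal model of a browser's HSTS policy store. It assumes a one-year minimum max-age as the preload threshold and uses a constructed preloaded host set, not the real list.

```python
# Added example: models how a browser remembers Strict-Transport-Security
# policies, so the first plain-HTTP visit is unprotected unless preloaded.
MIN_PRELOAD_MAX_AGE = 31536000  # assumption: one-year minimum for preload submission


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def preload_eligible(header):
    """True if the header carries the directives a preload submission needs."""
    max_age, include_sub, preload = parse_hsts(header)
    return max_age is not None and max_age >= MIN_PRELOAD_MAX_AGE and include_sub and preload


class HstsStore:
    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)  # hosts shipped with the browser (constructed sample)
        self.known = {}  # host -> (expiry_time, include_subdomains), learned from HTTPS responses

    def observe(self, host, header, now):
        """Record the policy from an HTTPS response; max-age=0 clears it."""
        max_age, include_sub, _ = parse_hsts(header)
        if max_age is None:
            return
        if max_age == 0:
            self.known.pop(host, None)
        else:
            self.known[host] = (now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """Would the browser rewrite http://host to https before sending anything?"""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True  # preload entries always cover subdomains
            entry = self.known.get(candidate)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False  # first visit, expired policy, or uncovered subdomain: downgradable
```

The store shows the window an sslstrip-style exit leaves open: only the very first plain-HTTP request to a non-preloaded host, and nothing after the header has been seen.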
Moxie gave a talk at Black Hat 2009 where he admitted to trying sslstrip on a Tor exit node he was running for a short period. He did state that he didn't log the data; he was only doing it for social engineering analysis.
No, that's why you should only browse https websites when using TOR.
TOR doesn't provide encryption of your data. It just doesn't allow any listener to guess who is visiting what websites since they can't correlate the source to the destination.
The problem with the article's approach is that it's only gonna attract small players. What you could do is sign up on a relevant website using credentials that look like a high-value target's. For example, signing up on some HTTP WikiLeaks page using fake Julian Assange credentials.
What could be cool is to somehow leak your fake credential while logging into Gmail (and I don't know how to do that since they use HTTPS only) and then check what IPs connected to that Gmail account from the Gmail settings.
"Eventually your network traffic leaves Tor's safe embrace via an exit node" Not necessarily. Tor has an internal only network of websites that do not have this vulnerability.
> "Tor is ... used to access anonymous, hidden services (the so-called Dark Web) but, more commonly, used as a way to access the regular internet anonymously and in a way that's resistant to surveillance."
I don't know if it's presently possible, but you could edit the torrc config file to choose any exit nodes you want, including private exit nodes you set up yourself following the torservers.net guide. Haven't used Tor in a while, but the browser bundle directory's torrc file is/was freely editable.