Has anybody responded to this claim yet? http://s7kgnncq3zbe3yza.onion/windex.shtml#mitm
I don't understand how such an attack would be possible without decrypting the traffic, unless this is actually a phishing-and-proxy attack and not a "true" MiTM. (How would an MiTM be able to manipulate traffic from a hidden service without decrypting the contents? I was under the impression that HTTP requests to hidden services should be end-to-end encrypted.) Either way, still worth taking note of.

R

via Onion Soup:

> 05/03/14 - 06/26/14
>
> For a period of 3 weeks, a Man in The Middle Attack has pervaded onionland. To date, over 400 .onion domains are known to have been targeted. The attack consists of at least one person creating new .onion addresses, cloning websites "on-the-fly" and re-writing the original sites' contents. The attacker can re-write any text on an original page to a "cloned" page - in real time. The primary intent appears to be BitCoin theft. Once a BitCoin ID is re-written to one of the attacker's IDs, unwitting customers send BitCoin to his ID, instead of the intended party.
>
> Even though BitCoin theft may be the object - with non-market sites cloned, a site's reputation can be ruined, connections hi-jacked and legitimate traffic diverted from the original site.
>
> The problems with these attacks are: (1) they are consuming the resources of .onion hosters by the attacker's cloning re-directs, (2) they are diverting visitors via altered hyper-links to the fake sites and (3) BitCoin fraud is being committed.
>
> Below is what a HEAD request for a cloned site returned after being called from the onion sniffer app <http://s7kgnncq3zbe3yza.onion/windex.shtml#sniff>. See the bolded "302" re-direct (to the original site) and "PHPSESSID" in the "Set-Cookie:" header?
>
>     Connection to 42w2zwtwxqbhexsm.onion 80 port [tcp/www] succeeded!
>     HTTP/1.1 302 Found
>     Date: Sat, 03 May 2014 18:28:08 GMT
>     Server: Apache/2.4.9 (Fedora) PHP/5.5.11
>     X-Powered-By: PHP/5.5.11
>     Set-Cookie: PHPSESSID=dqqct52sp913aq0tcokhef2lr1; path=/
>     Expires: Thu, 19 Nov 1981 08:52:00 GMT
>     Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>     Pragma: no-cache
>     Location: http://n6pbizsbykwxmydz.onion/
>     Connection: close
>     Content-Type: text/html; charset=UTF-8
>
> The only known means of blocking this attack is to match the specific cookie or the generalized "path" statement in the "Set-Cookie:" header field. With lighttpd, a rule can be created (in lighttpd.conf) to deny access to the attacker's attempts to clone the original pages by re-directs.
>
>     $HTTP["cookie"] =~ "PHPSESSID" { url.access-deny = ( "" ) }
>
> However, the first cookie makes it through; that is, on the first pass, a browser can access the fake site, but a subsequent hit on any page of the fake site is blocked, and a "403 - Forbidden" error thrown up. To force a 403 immediately after the first page loads, the webpage can be refreshed to a new page.
>
> Update: the cloner no longer sends the PHPSESSID cookie. An NID (session) cookie is currently (06/26/14) being transmitted. [1 <http://s7kgnncq3zbe3yza.onion/windex.shtml#cook>] To block it, use the following rule, or - to thwart his future cookie plans - use the more generalized path rule [2 <http://s7kgnncq3zbe3yza.onion/windex.shtml#path>] - along with refreshing the page:
>
>     $HTTP["cookie"] =~ "NID" { url.access-deny = ( "" ) }
>
> Copy index.html to sindex.html. Place the following between the <head> and </head> of index.html.
>
>     <meta http-equiv="refresh" content="0; url=sindex.html">
>
> Finally, the attacker's script cannot parse ascii code. The first (or any other) letter of a site's hostname can be substituted for - by its ascii equivalent <http://www.asciitable.com>. The warning notice should consist of ascii code and text (which is rendered by the browser as text). To warn visitors of a site that connection hi-jacking attempts abound on the darknet and to identify your site as the original, a warning - containing something to the effect below and anchored to the head of the index page - should be adopted; the cloner cannot alter ascii on-the-fly, and anyone visiting the fake site can detect the hi-jacked connection - by merely inspecting the warning.
>
> WARNING: connection hi-jacking attacks are rampant in onionland. This site's hostname is s7kgnncq3zbe3yza.onion. Look at the navigation bar. If you see any other hostname, leave immediately!
>
> notes
>
> (1) Here's what Chrome reports about the NID cookie:
>
>     Name: NID
>     Content: jcf27o21sdhok7fga77g0cmk42
>     Domain: 42w2zwtwxqbhexsm.onion
>     Path: /
>     Send for: Any kind of connection
>     Accessible to script: Yes
>     Created: Friday, June 27, 2014 3:03:04 AM
>     Expires: When the browsing session ends
>
> The Lighttpd rule blocks the cookie. The "Expires:" line explains why a 403 is thrown up when a page is loaded and refreshed (or any other page on the site is visited) - AFTER the browser is closed and re-opened. Below is the header from the cloner's most recent arrangement. Notice: the different Server, cookie and Location.
>
>     Connection to 42w2zwtwxqbhexsm.onion 80 port [tcp/www] succeeded!
>     HTTP/1.1 302 Moved Temporarily
>     Server: nginx
>     Date: Sat, 28 Jun 2014 07:57:04 GMT
>     Content-Type: text/html
>     Connection: close
>     Set-Cookie: NID=h3fr5ohquqdqnnnmcgjhuhdfd6; path=/
>     Expires: Thu, 19 Nov 1981 08:52:00 GMT
>     Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>     Pragma: no-cache
>     Location: http://kpvz7ki2lzvnwve7.onion
>
> (2) The alternate (more generalized) blocking rule matches a different portion of the cookie field ("path"), then it denies access to the clone site. N.B., this rule will block all sites from sending cookies through your server.
>
>     $HTTP["cookie"] =~ "path" { url.access-deny = ( "" ) }

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
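An added example (my own code, not from the post or the Onion Soup page): a Python check over a constructed copy of the header block quoted above, flagging the two fingerprints the post relies on (a 302 to a different .onion plus a PHPSESSID/NID session cookie set by the host you connected to), and a helper that writes the warning banner's hostname as HTML numeric character references, which is what the post calls "ascii code". The hostnames and cookie names are taken from the post; the function names and the sample response string are my assumptions.

```python
from urllib.parse import urlparse
# Constructed sample: the header block the post quotes for the cloned
# 42w2zwtwxqbhexsm.onion site, as a HEAD request would return it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 03 May 2014 18:28:08 GMT\r\n"
    "Server: Apache/2.4.9 (Fedora) PHP/5.5.11\r\n"
    "Set-Cookie: PHPSESSID=dqqct52sp913aq0tcokhef2lr1; path=/\r\n"
    "Location: http://n6pbizsbykwxmydz.onion/\r\n"
    "Connection: close\r\n\r\n"
)

def parse_headers(raw):
    """Split a raw HTTP response into (status code, {name: [values]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def clone_indicators(connected_host, raw):
    """Flag the post's two fingerprints: a 3xx redirect whose Location names a
    different .onion, and a PHPSESSID/NID session cookie set by that host."""
    status, headers = parse_headers(raw)
    found = []
    if 300 <= status < 400:
        for loc in headers.get("location", []):
            target = urlparse(loc).hostname or ""
            if target.endswith(".onion") and target != connected_host:
                found.append("redirect-to-other-onion:" + target)
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in ("PHPSESSID", "NID"):
            found.append("session-cookie:" + name)
    return found

def entity_encode(text):
    """Write each character as an HTML numeric character reference (the post's
    'ascii code'): a naive text rewriter never sees the literal hostname."""
    return "".join("&#%d;" % ord(c) for c in text)

def warning_banner(hostname):
    """The post's banner text, with the hostname entity-encoded."""
    return ("WARNING: connection hi-jacking attacks are rampant in onionland. "
            "This site's hostname is " + entity_encode(hostname) +
            ". If you see any other hostname, leave immediately!")
```

A clean response from the genuine host (200, no redirect to another .onion) yields an empty indicator list, so the check can be run periodically against your own address from the outside.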