70 bad exit nodes used in attack against Tor-based SIGAINT
Darknet email service SIGAINT, which aims to provide email privacy to journalists, has been targeted by unknown attackers using at least 70 bad exit nodes, the service’s administrator has shared on the tor-talk mailing list on Thursday.
“The attacker had been trying various exploits against our infrastructure over the past few months. Our exploit mitigations have been sounding various alarms. We are confident that they didn’t get in,” the admin noted. “It looks like they resorted to rewriting the .onion URL located on sigaint.org to one of theirs so they could MITM logins and spy in real-time.”
He noted that the attacker was apparently not after passwords, although they likely have compromised some.
“I think we are being targeted by some agency here. That’s a lot of exit nodes,” he commented, but added that implementing SSL on sigaint.org is not a definitive solution in that particular case, as state-actors usually have the possibility of creating a rogue certificate to use in their MITM efforts through a certificate authority they “own.”
The bad nodes have been added to the BadExit list shortly, so the good news is that they won’t be used again.
Roger Dingledine, head of the Tor Project, and Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, commented that implementing SSL on sigaint.org is a good idea, and that it could be a great way of identifying bad certificate authorities.
Further discussion revealed that at that moment, these bad nodes represented around 6 percent of the total number of nodes, and there was a 2.7 percent chance they would be used as exits.
“Almost all of them were younger than one month and they seem to have joined the network in small batches,” noted Philipp Winter, a researcher who deals with Tor network censorship attempts. The bad nodes have been tied to nine different hosting services.
“We have been coordinating with the Tor Project and the issue is largely solved,” a person seemingly involved with the project said on Reddit. “What surprised us was the extent to which SIGAINT was targeted. Some questions still remain. Expect more news soon.”