Wired News' Kevin Poulsen reports on something that doesn't surprise me, a survivor of Russia-originating DDoS attacks on Livejournal: a Russian server network is surveilling Facebook users. (It's likely an individual, they conclude.)
Philipp Winter and Stefan Lindskog of Karlstad University in Sweden identified 25 nodes that tampered with web traffic, stripped out encryption, or censored sites. Some of the faulty nodes likely resulted from configuration mistakes or ISP issues. But 19 of the nodes were caught using the same bogus crypto certificate to perform man-in-the-middle attacks on users, decrypting and re-encrypting traffic on the fly.
At times the evil nodes were programmed to intercept only traffic to particular sites, like Facebook, perhaps to reduce the chances of detection.
“These are the ones that we actually found,” says Winter. “But there might be some more that we didn’t find.”
Tor is free software that lets you surf the web anonymously. It achieves that by accepting connections from the public internet - the “clearnet” - encrypting the traffic and bouncing it through a winding series of computers before dumping it back on the web through any of over 1,000 “exit nodes.”
Traffic is safe from interception in the middle of that tangle of routing. But when it hits the exit node it’s unavoidably vulnerable to spying, the same way a postcard is intrinsically vulnerable to a snooping mailroom clerk.
[. . .]
The new study looked at exit nodes that were going beyond passive eavesdropping on unencrypted web traffic and were taking steps to actively spy on SSL-encrypted traffic. By checking the digital certificates used over Tor connections against the certificates used in direct clearnet sessions, researchers found several exit nodes in Russia that were clearly staging man-in-the-middle attacks. The Russian nodes were re-encrypting the traffic with their own self-signed digital certificate issued to the made-up entity “Main Authority.”
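A sketch of the detection approach the quoted study describes, as an added example (not code from the researchers or from Wired): the leaf certificate seen for a site through each exit is compared against the one seen in a direct clearnet session, mismatches are flagged, and flagged exits are clustered by the certificate they present, since one bogus certificate shared across many exits points to a single operator. Relay names, fingerprints and the "Example Public CA" issuer are constructed; "Main Authority" is the name quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CertObservation:
    """Leaf certificate seen for `site`, via a Tor exit or directly (exit=None).
    `fingerprint` stands for the SHA-256 of the DER certificate."""
    site: str
    exit: Optional[str]
    fingerprint: str
    subject_cn: str
    issuer_cn: str


def is_self_signed(obs: CertObservation) -> bool:
    # A self-signed certificate names itself as its own issuer.
    return obs.subject_cn == obs.issuer_cn


def find_mitm_exits(baseline, tor_obs) -> Dict[str, List[str]]:
    """Map each suspicious exit to the reasons it was flagged: the certificate
    it presented differs from the direct-session baseline for the same site."""
    direct = {o.site: o for o in baseline}
    flagged = defaultdict(list)
    for o in tor_obs:
        ref = direct.get(o.site)
        if ref is None or o.fingerprint == ref.fingerprint:
            continue  # no baseline to compare against, or same cert as clearnet
        reason = f"{o.site}: certificate differs from direct session"
        if is_self_signed(o):  # CA-signed mismatches may be rotation/misconfig
            reason += f" (self-signed, issuer CN '{o.issuer_cn}')"
        flagged[o.exit].append(reason)
    return dict(flagged)


def group_by_rogue_cert(baseline, tor_obs) -> Dict[str, List[str]]:
    """Cluster mismatching exits by the certificate they served."""
    direct = {o.site: o.fingerprint for o in baseline}
    clusters = defaultdict(set)
    for o in tor_obs:
        if o.site in direct and o.fingerprint != direct[o.site]:
            clusters[o.fingerprint].add(o.exit)
    return {fp: sorted(exits) for fp, exits in clusters.items()}


# Constructed sample data: one direct baseline, four exits for the same site.
BASELINE = [CertObservation("www.facebook.com", None, "sha256:1111", "*.facebook.com", "Example Public CA")]
TOR_OBS = [
    CertObservation("www.facebook.com", "exitA", "sha256:1111", "*.facebook.com", "Example Public CA"),
    CertObservation("www.facebook.com", "exitB", "sha256:BAD1", "Main Authority", "Main Authority"),
    CertObservation("www.facebook.com", "exitC", "sha256:BAD1", "Main Authority", "Main Authority"),
    CertObservation("www.facebook.com", "exitD", "sha256:2222", "*.facebook.com", "Example Public CA"),
]
```

Running `find_mitm_exits(BASELINE, TOR_OBS)` flags exitB, exitC and exitD, with only the first two marked self-signed, and `group_by_rogue_cert` places exitB and exitC in the same cluster.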