Spoiled Onions: Exposing Malicious Tor Exit Relays

Report, Preprint English OPEN
Winter, Philipp ; Lindskog, Stefan (2014)
  • Publisher: Karlstads universitet, Institutionen för matematik och datavetenskap
  • Subject: tor | mitm | Computer Systems | Datorsystem | analysis | measurement | Computer Science - Cryptography and Security

Several hundred Tor exit relays together push more than 1 GiB/s of network traffic. However, it is easy for exit relays to snoop and tamper with anonymised network traffic and as all relays are run by independent volunteers, not all of them are innocuous. In this paper, we seek to expose malicious exit relays and document their actions. First, we monitored the Tor network after developing a fast and modular exit relay scanner. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of four months. We discovered numerous malicious exit relays engaging in different attacks. To reduce the attack surface users are exposed to, we further discuss the design and implementation of a browser extension patch which fetches and compares suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks which makes the network safer for its users. All our code is available under a free license.
  • References (47)
    47 references, page 1 of 5

    Alexa. The top 500 sites on the web. 2013. URL: http://www.alexa.com/topsites.

    Daniel J. Bernstein. “Curve25519: new Diffie-Hellman speed records”. In: Public Key Cryptography. Springer, 2006. URL: http: //cr.yp.to/ecdh/curve25519-20060209.pdf.

    [3] Sambuddho Chakravarty et al. “Detecting Traffic

    Springer, 2011. URL: http://www.cs.columbia.


    Roger Dingledine. Re: Holy shit I caught 1. 2006.

    URL: http://archives.seul.org/or/talk/Aug2006/msg00262.html.

    Roger Dingledine, Nick Mathewson, and Paul Syverson. “Tor: The Second-Generation Onion Router”. In: USENIX Security. USENIX Association, 2004. URL: http://static.usenix.org/event/sec04/tech/full_ papers/dingledine/dingledine.pdf.

    [1] [2] [4] [5] [6] [7] [8] Electronic Frontier Foundation. HTTPS

    Everywhere. 2013. URL:

  • Software (1)
  • Metrics
    No metrics available
Share - Bookmark