September 30, 2020

Tor under SSL stripping attack

3 min read

Onion routing is designed for anonymity, but it does not always guarantee it, and it can create security problems of its own when an attacker abuses the network.

For example, researchers recently found that a hacker group had used SSL stripping attacks to steal Bitcoin. The whole process is not especially hard to carry out.

What does SSL stripping have to do with stealing Bitcoin? The answer is the usual one: however much attack techniques change, the motive is money.

"Stripping attack" is a term from the security industry. SSL refers to the Secure Sockets Layer, the protocol used to encrypt network traffic so that it is not sent in plaintext.

Tor Browser

In theory, encrypted traffic is fairly secure: it is hard to decrypt directly, so it is hard to attack.

If stealing and decrypting encrypted traffic is so difficult, is there no way to attack it? Of course there is: attackers came up with SSL stripping, which downgrades the connection instead of breaking the encryption.

A stripping attack removes the SSL encryption layer from the connection. Once the stripping succeeds, what would have been encrypted traffic is exchanged in plaintext, which is simple to read and modify.

Stripping attacks originally had nothing to do with Bitcoin theft, but in this campaign the attackers stripped users' Bitcoin-related traffic down to plaintext.

Specifically, some users send their bitcoins to cryptocurrency mixing websites, which make it hard to trace the source and owner of the coins, in order to stay anonymous.

The attackers cannot tamper with the wallet address on the mixing website itself, but after stripping the encryption they can rewrite the wallet address in the plaintext traffic and deceive the user.

In other words, the wallet address a user sees when opening one of these mixing websites is an address the attackers substituted, because the traffic was tampered with before it reached the user.

The user has no way of knowing this, sends the bitcoins to the displayed address, and the funds end up in the attackers' wallet.

Some cryptocurrency holders use Tor for anonymity. Tor exit nodes, however, are shared by users all over the world.

The hacker group controls 23.95% of Tor exit nodes. These nodes are malicious and run by the group, yet many users' traffic passes through them.

When a user's traffic exits through one of these malicious nodes, the group can use SSL stripping to control and manipulate the content the user sees.

The group mounted the attack by exploiting the fact that exit nodes can be manipulated, and its control of 23.95% of Tor exit nodes broke the previous record for such an attack.

Using SSL stripping to downgrade HTTPS to HTTP is not uncommon, but it is unusual for attackers to control nodes on this scale in order to launch such an attack.
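The standard client-side defence against the downgrade described above is HTTP Strict Transport Security (HSTS): once a client has seen a site's Strict-Transport-Security header over HTTPS, it upgrades later http:// requests for that host to https:// before sending them, so an on-path exit node never receives a plaintext request it could answer with a rewritten page. The following Python is an added example, not code from the article or from the ZDNet report it cites; the host mixer.example, the clock values and the wallet address are constructed placeholders. It implements a minimal HSTS cache (header parsing, expiry, includeSubDomains, max-age=0 removal), the upgrade step, and a check that refuses to read a wallet address out of a page that arrived over plain HTTP.

```python
"""HSTS cache and plaintext-refusal check: client-side mitigation for SSL stripping.

Added example, not code from the article. Hosts, clock values and the wallet
address used in main() are constructed placeholders.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# One Strict-Transport-Security directive: name, optionally "=value" (quotes allowed).
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^;"]*)"?)?\s*')

# Loose shape of a Bitcoin address (base58 legacy/P2SH or bech32); enough for a demo.
_BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains), or None if the header is invalid.

    RFC 6797 makes max-age mandatory; unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    for token in header_value.split(";"):
        m = _DIRECTIVE.fullmatch(token)
        if not m:
            continue
        name = m.group(1).lower()
        if name == "max-age":
            try:
                max_age = int(m.group(2))
            except (TypeError, ValueError):
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal HSTS store: host -> (expiry time, includeSubDomains flag)."""

    def __init__(self):
        self._entries = {}

    def remember(self, host, header_value, now):
        """Record a host's policy as received in an HTTPS response; False if invalid."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self._entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now < expires_at and (i == 0 or include_sub):
                return True
        return False

    def upgrade(self, url, now):
        """Rewrite http:// to https:// for known hosts before the request leaves."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def trusted_address(url, body):
    """Return the wallet address shown on a page only if the page came over HTTPS.

    A plaintext page that crossed a stripping exit node may carry a substituted
    address, so it is never trusted whatever it contains.
    """
    if urlsplit(url).scheme != "https":
        return None
    m = _BTC_ADDRESS.search(body)
    return m.group(0) if m else None


def main():
    now = 1_000  # constructed clock value, in seconds
    cache = HstsCache()
    # Policy learned from an earlier HTTPS response (constructed header value).
    cache.remember("mixer.example", "max-age=31536000; includeSubDomains", now)
    for url in ("http://mixer.example/deposit", "http://pay.mixer.example:80/x",
                "http://other.example/"):
        print(f"{url} -> {cache.upgrade(url, now)}")
    page = "Send to bc1qconstructedexampleaddress00000 now"  # constructed page body
    print(trusted_address("https://mixer.example/deposit", page))
    print(trusted_address("http://mixer.example/deposit", page))


if __name__ == "__main__":
    main()
```

The cache only protects hosts it has already seen over HTTPS, which is why browsers ship preload lists for the first visit; the last function covers the case the article describes directly, since a wallet address that arrived over plain HTTP through a stripping exit node may have been replaced in transit.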

This also shows that Tor is no panacea for anonymity, and that it can even expose more of the private information of the very users who turn to it for anonymity.

Via: ZDNet