Discussion:
[tor-talk] What happens when an .onion site is compromised?
j***@danwin1210.me
2018-12-06 20:33:22 UTC
Imagine that an .onion site is compromised. This could be by the owner who
wishes to expose visitors or by the police who want to target the
clientele.

(I remember, in the latter case, reading something on Deep Dot Web about
when the FBI took over a CP site and installed malware).

The goal is to acquire users' real IP addresses.

What would happen to a visitor if they visited a booby trapped .onion
site? The visitor would be using the current version of TBB. How would it
be possible for a visitor to be in danger?
--
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-
Nathaniel Suchy
2018-12-06 20:51:30 UTC
If an onion site is compromised, you can serve the user malicious content and with a Tor Browser Vulnerability can harm its users.

If your private key is compromised, your only recourse is to go create a new onion address.

We don't know what vulnerabilities exist in the current version of Tor Browser. If IP Leaks and zero day vulnerabilities put you in physical danger, consider Tor Tails. It uses firewall rules to try and block non-tor traffic. It's not bulletproof but simple proxy bypasses are mitigated.

Regarding the "CP Site" that you mentioned, the thing is that if the pedophiles had been using an up to date version of Tor Browser or you know, not looking at child pornography on Windows (macOS / Linux builds were not targeted as far as we know), they would not have been caught and would have remained free.

Some lessons learned...
1) Keep Tor Browser up to date
2) Don't do illegal things on Windows, it has more users and is easier to mass target the most criminals by focusing on Windows hosts
3) Maybe, just maybe, don't look at child pornography in the first place

Cordially,
Nathaniel Suchy
Mirimir
2018-12-07 01:37:48 UTC
Post by Nathaniel Suchy
If an onion site is compromised, you can serve the user malicious content and with a Tor Browser Vulnerability can harm its users.
If your private key is compromised, your only recourse is to go create a new onion address.
We don't know what vulnerabilities exist in the current version of Tor Browser. If IP Leaks and zero day vulnerabilities put you in physical danger, consider Tor Tails. It uses firewall rules to try and block non-tor traffic. It's not bulletproof but simple proxy bypasses are mitigated.
Whonix is arguably more bulletproof, in that the tor daemon and Tor
browser (along with many other apps) are on separate virtual machines,
which can be running in VirtualBox (easiest), KVM (harder) or Qubes
(arguably hardest).

So Tor browser and other userland apps can not reach the Internet except
via Tor. And for malware dropped in the Whonix workstation VM to mess
with the tor daemon, or reach the Internet, guest-to-host breakout is
required.

Also, Whonix gateway and workstation can be separate physical machines.
That makes breakout even harder. Not impossible, of course, but harder.
Post by Nathaniel Suchy
Regarding the "CP Site" that you mentioned, the thing is that if the pedophiles had been using an up to date version of Tor Browser or you know, not looking at child pornography on Windows (macOS / Linux builds were not targeted as far as we know), they would not have been caught and would have remained free.
Yeah, that was all Windows malware.
Post by Nathaniel Suchy
Some lessons learned...
1) Keep Tor Browser up to date
2) Don't do illegal things on Windows, it has more users and is easier to mass target the most criminals by focusing on Windows hosts
3) Maybe, just maybe, don't look at child pornography in the first place
Cordially,
Nathaniel Suchy
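A concrete instance of the fail-closed firewall that Nathaniel's post (Tails blocking non-tor traffic) and Mirimir's post (userland apps unable to reach the Internet except via Tor) both describe, as an added example. This is not the Tails or Whonix ruleset and not code from anyone in this thread: it is an nftables ruleset for a single host on which only the tor daemon's own uid may send packets to the network, so a Tor Browser exploit that tries a direct connection or a plain DNS lookup is dropped and logged instead of leaking the real address. Assumptions (none stated in the thread): tor runs as Debian's "debian-tor" system user, and torrc binds SocksPort 9050, TransPort 9040 and DNSPort 5353 on 127.0.0.1.

```nft
#!/usr/sbin/nft -f
# Added example: fail-closed "tor-only" host firewall (not the Tails/Whonix ruleset).
# Assumptions: tor runs as user "debian-tor"; torrc has
#   SocksPort 127.0.0.1:9050  TransPort 127.0.0.1:9040  DNSPort 127.0.0.1:5353
flush ruleset

table inet torwall {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Replies to connections the tor daemon opened (the only outbound allowed below).
        ct state established,related accept
        # Everything unsolicited from the network is dropped by the chain policy.
    }

    chain forward {
        # This host is not a router; never forward on behalf of anything.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback: ordinary users may only talk to tor's SOCKS, Trans and DNS ports.
        oif "lo" meta skuid "debian-tor" accept
        oif "lo" ip daddr 127.0.0.1 tcp dport { 9050, 9040 } accept
        oif "lo" ip daddr 127.0.0.1 udp dport 5353 accept
        oif "lo" counter drop

        # Network: only the tor daemon itself may originate packets.
        oif != "lo" meta skuid "debian-tor" accept

        # Any other process reaching the network directly (proxy bypass, plain DNS,
        # WebRTC, a plugin, a dropped payload) is a leak: count, log, drop.
        counter log prefix "torwall-leak: " drop
    }
}

table ip tornat {
    chain output {
        # Optional Whonix-gateway-style transparent proxying: stray TCP and DNS from
        # non-tor processes are steered into tor instead of being silently lost.
        # Remove this table if you prefer bypass attempts to fail loudly.
        type nat hook output priority -100; policy accept;
        meta skuid "debian-tor" return
        oif "lo" return
        udp dport 53 redirect to :5353
        tcp flags syn redirect to :9040
    }
}
```

Load it with `nft -f torwall.nft` and check it the way a practitioner would: `curl https://check.torproject.org/` run as a normal user without a proxy should fail, `curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/` should succeed, and `nft list chain inet torwall output` should show the leak counter ticking (with a matching `torwall-leak:` line in the kernel log) for every bypass attempt. The rules use the daemon's uid rather than a destination list because the real IP leaks through any direct socket, whatever its destination; that is the same property the Whonix design gets from putting the daemon in a separate VM, where no uid trick is needed because the workstation simply has no route that is not the gateway.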
grarpamp
2018-12-07 07:38:49 UTC
Post by j***@danwin1210.me
Imagine that an .onion site is compromised. This could be by the owner who
wishes to expose visitors or by the police who want to target the
clientele.
How would it
be possible for a visitor to be in danger?
Other posts covered technical code exploits.

Other risks are trust changes... social engineering
users, cute quizzes to fill out, metadata analysis
that any formerly legit owner wasn't doing,
accounts popping up, etc, etc... typical psych
stuff that traps users and gets them to dox themselves.

A lot of that is covered on any of the onion forums,
even some /r/onions and deepdotweb, etc.