Large Number of Tor Sites Seized by the FBI were Clone or Scam Sites (nikcub.com)
99 points by nikcub on Nov 18, 2014 | 27 comments


"The slapdash nature of how sites were seized suggests that rather than starting with an onion address and then discovering the host server to seize, this campaign simply vacuumed up a large number of onion websites by targeting specific hosting companies. We have tracked down the hosting companies affected and the details will be published in a follow-up."

Very interested to see the list of hosting companies that were targeted.


It is the reason why we're asking for administrators of sites that were seized or those at hosting companies to come forward.

Have already spoken to a number of people and got a full list of the hosts involved, but we need a secondary confirmation, or details we can make public, on some of the sites and hosts.

Looking at what the seized sites had in common, in terms of host, configuration, etc. narrows down the methods that might have been used to uncover the hidden sites and provides a clearer picture of what went on.


The most interesting question to me would be, does this mean that the server administrators now have a "get out of jail free card" due to the "fruit of the poisoned tree" doctrine or similar?

Hosting a hidden service by itself does not mean doing something illegal, even Facebook hosts a hidden service nowadays. The only valid justification for the seizure would be if they had traced an illegal hidden service to that host, but from what I have read this seizure sounds too indiscriminate for that to be the case (IIRC even some pure relays, which don't host anything at all, were seized).


> The most interesting question to me would be, does this mean that the server administrators now have a "get out of jail free card" due to the "fruit of the poisoned tree" doctrine or similar?

That would require the defendant's rights to have been violated. I'm no doctor of law, but even if they were slipshod enough to violate rights in the investigation regarding the datacenters, I'd be surprised if the defendants' rights were the ones violated (3rd party doctrine and all).


I'll just leave this here. For years I've never had any issues with hetzner (having a few dedicated boxes in different DCs). A few weeks prior to the seizure there were surprisingly long downtimes in a few DCs due to "router issues", and then some with a kind of "power outage?".

It is far-fetched, but if it is anything close to the truth I cannot imagine how the US gov can influence a company based in Germany so strongly that it would cost it a lot of reputation and lost clients.


Tor TLS traffic can be distinguished by random domain in SNI during handshake (https://hackernews.hn/item?id=5505056).

If the FBI can sniff all traffic originating from a hosting provider, then it seems to be trivial to detect all Tor servers and go through them manually?


SNI is an extension, it's not required and it makes the traffic easily distinguishable, so what's the reason for Tor to send an SNI?


Probably it will be even easier to detect Tor nodes - just look for IPs which never receive SNI in the TLS exchange on port 443.


Thinking over the protocol again I think TLS wasn't a great choice for Tor - not only because of SNI but because of other things too: server certificates are also sent in cleartext during the handshake, so it's easy to distinguish and just block all TLS traffic that uses self-signed certificates or certificates otherwise not issued by the big CAs.

Something more like SSH, not relying on central CAs, would be less distinguishable - is it Tor traffic, or is it just someone accessing his/her server remotely?


I would suggest impersonating other encrypted protocols with heavy traffic like encrypted BitTorrent or P2P Skype (is it still P2P or has MS centralized it already?). On the other hand, systems administrators are frequently blocking BitTorrent and Skype traffic, so the "TLS" traffic on port 443 has a better chance of passing.


SNI is optional for clients only in theory. In practice, since there is no way of knowing whether a server needs the SNI hostname to select the correct server certificate, current browsers always send the SNI extension.

Therefore, since Tor tries to mimic common browsers and servers, it must always send an SNI extension.


>Therefore, since Tor tries to mimick common browsers and servers, it must always send a SNI extension.

Right, and since all browsers have no problem with plaintext http, TOR should be okay with it too. You know, to mimic traffic and stuff.

That's the most BS excuse I've ever heard. Sending the domain in the clear on TOR is completely inexcusable. But then, so is having JS enabled by default. Run, do not walk, RUN away from TOR.


The data Tor exchanges are fixed-size encrypted packets. If Tor used plaintext http, these encrypted packets would be visible, making it trivially distinguishable from a common browser or server. The TLS layer hides that difference; due to the TLS encryption, there's no difference between an HTML document, encrypted Tor packets, or a picture of a pony. Therefore, to mimic browser traffic, Tor has to use TLS.

I believe you might be a bit confused with respect to what's in the SNI extension; the domain sent in the clear on Tor connections is not the domain requested by the browser, it is a completely unrelated randomly-generated domain name. Also, even without SNI the same can be found on the opposite direction: the certificate sent in the response also has a randomly-generated domain name.


My understanding of an SSL handshake goes a bit like this...

Everything after the https:// is encrypted. Client does a DNS lookup on the host, but the host name in the request is encrypted. The path is encrypted. The get parameters are encrypted. Everything is encrypted to the server in the request. Everything coming back from the server is encrypted as well.

Team SNI comes along and says, "But we don't really care about security! We want to host multiple domains on the same IP address! How will the server know where to direct the SSL request without the domains?"

And so, in the name of reusing an IP address, security is now compromised for the domain. It is sent outside the SSL request, in the clear.

Is that about right? SNI on TOR? Nice one.


It's not about "where to direct the SSL request". It's about selecting the correct server certificate.

The handshake goes something like this: the client opens the connection and sends several parameters (in the clear). The server replies with its parameters (in the clear) and its certificate (in the clear, and it includes the domain name). Both sides exchange the key to be used (encrypted), switch to encrypted mode, and verify the handshake.

Notice that, even without SNI, the hostname is already sent by the server, in the clear, within the certificate. That poses a chicken-and-egg dilemma: the hostname is sent to the server after the handshake is finished, but the server has to present the correct certificate before the handshake is finished. The solution was to send the hostname (and only the hostname) at the start of the handshake. It's no big deal because the certificate hostname is already visible in the next handshake step.

For Tor, it's no big issue: it just manufactures a random hostname and presents it. Tor would have to do it (in the certificate) even without SNI. When using Tor, this does not compromise the domains requested by the browser, since they are sent directly to the exits within the triple-encrypted tunnel; only the chosen exits can see them.


Actually, Tor has pluggable transports that mimic HTTP as well, though obviously the traffic is encrypted and then steganographically shaped into HTTP-ish form.

Take your FUD elsewhere.


This is quite interesting. It's initially unclear exactly what the angle of this research is, but I think that reflects the uncertainty that still surrounds this operation.

Most notable to me was that the jihad-funding site was left up while its clone was taken down. Does that mean they couldn't locate the server, or that it's controlled by the FBI?


> Most notable to me was that the jihad-funding site was left up while its clone was taken down. Does that mean they couldn't locate the server, or that it's controlled by the FBI?

I was wondering the same thing - and this line from the article too:

> In a number of cases the FBI has seized the clone or scam version of a site while leaving up the real site.

Is it because all the clone/scam sites were hosted on the same set of servers, or do the FBI know where the real ones are already but are deliberately leaving it up (and just removing the fakes since they're presumably interfering with their surveillance)?


Well this is to be expected if they can force a hosting company to report when servers connect to public tor nodes for a considerable amount of traffic.


[flagged]


> Privatoria.net is a service which provides secure communication, anonymous surf and secure file sharing for individuals and business. All security services are united together in Privatoria. It includes Secure VPN and Anonymous Proxy, that enable surf anonymously, change IP, unblock sites, Anonymous E-mail, Secure Chat, Secure Call, Secure Video Chat for secure communications and Secure file sharing via FTP and Secure Data Storage.

No conflict of interest there at all in your badmouthing of Tor, with no corroborating evidence at all to boot.


Why do you trust any VPN provider? You're paying to push all of your information through a dubious looking service and just hoping that they don't tamper with your pipe. I trust my ISP (who actively poison my DNS lookups) more than I would any of these sort of services. It seems like an ideal sort of business to have more than just your direct income flowing in.


> It is a well-known fact that Tor is controlled by FBI.

Citation please.


Certainly Tor is a great service. But due to its popularity it is very interesting for the FBI. So they are making an effort to deanonymize the service. For example, http://www.forbes.com/sites/kashmirhill/2014/11/07/how-did-l...


> due to its popularity it is very interesting for the FBI. So they are making an effort to deanonymize the service.

Is a completely separate and much weaker claim than:

> It is a well-known fact that Tor is controlled by FBI

No kidding they're trying to deanonymize it. The NSA is no doubt working on breaking GPG, that hardly means they own it!


Honestly, it would run counter to the FBI's interest to not divulge flaws that invalidate the anonymity guarantees that tor provides. Tor was originally developed to mask the identity of USian spooks performing intelligence operations and will continue to be used in that role for the foreseeable future. [0]

Like any FBI spokesman would say, things that make it harder for law enforcement to engage in surreptitious observation of targets endanger us all.[1]

[0] https://hackernews.hn/item?id=8610532

[1] NB: I neither agree with nor endorse this claim that is all-too-often made.


I guess the services advertised in your profile come highly recommended then?


As if you can trust your VPN provider, let alone his upstream providers.



