a story about a huge malicious tor exit operation:
Blog: "How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
>23% of the Tor network’s exit capacity has been attacking Tor users"
Another major tor exit relay operator (running 65 tor exit relays) implemented the verified url field of the contactinfo spec to help fight false-friends and operator impersonation attacks:
>25% of tor's exit capacity has joined this effort so far:
Reminder: tor 0.4.4 reached end of life on 2021-06-15.
Over 1000 relays and about 20% of the network capacity runs an unsupported version of tor.
Upgrade your tor relays for a more resilient tor network.
I'm wondering why just some and not all of these tor exit relays got the badexit flag
someone sent me this:
the Security Now podcast features the blog posts about malicious tor exit relay activities
(starting at 41min30)
Do not take this as an endorsement. I do not share their opinion wrt VPN.
With the release of today's blogpost also come new OrNetStats graphs, and I'm particularly excited to see more operators set a non-spoofable ContactInfo - shown on this graph:
I've been following this malicious Tor exit relay group for a while now.
Here is an update about them:
The Tor network has seen over 1000 new exit relays at OVH. Not the kind of relays you want to use.
do you know why the webserver at
does not set the content-length HTTP header?
website to generate contactInfo string:
Want to help unmask malicious tor relays that perform impersonation attacks?
Use a non-spoofable ContactInfo on your tor relay:
1) add the protected fields to your torrc ContactInfo:
"url:<your domain> proof:uri-rsa ciissversion:2"
2) publish your set of relay fingerprints under https://<your domain>/.well-known/tor-relay/rsa-fingerprint.txt
Don't have a domain? use github pages or similar instead.
Thanks to over 320 tor relays for using non-spoofable contactInfos already.
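As an added example (not code from the post or from the CIISS project), here is how a defender can check the non-spoofable claim described above: parse the relay's ContactInfo for the url/proof/ciissversion fields, derive the proof file URL on the claimed domain, and check whether the relay's fingerprint is listed there. The ContactInfo string, domain and fingerprints are constructed sample values.

```python
import re

# Constructed sample data, not real relays: a ContactInfo string as it appears in a relay
# descriptor, and the body served at https://<domain>/.well-known/tor-relay/rsa-fingerprint.txt
SAMPLE_CONTACTINFO = "email:ops[]example.org url:relays.example.org proof:uri-rsa ciissversion:2"
SAMPLE_PROOF_FILE = """# relays run by example.org (constructed sample, one RSA fingerprint per line)
0123456789ABCDEF0123456789ABCDEF01234567
fedcba9876543210fedcba9876543210fedcba98
"""

FIELD_RE = re.compile(r"(\w+):(\S+)")          # CIISS fields are key:value tokens
FINGERPRINT_RE = re.compile(r"[0-9A-F]{40}")   # RSA relay fingerprint, 40 hex chars


def parse_contactinfo(contactinfo):
    """Split a ContactInfo string into key:value fields; the first occurrence of a key wins."""
    fields = {}
    for key, value in FIELD_RE.findall(contactinfo):
        fields.setdefault(key, value)
    return fields


def proof_url(fields):
    """URL of the proof file the relay claims, or None if there is no uri-rsa claim to verify.
    Without proof:uri-rsa and a url field the ContactInfo is just an unverified string."""
    if fields.get("proof") != "uri-rsa" or "url" not in fields:
        return None
    domain = re.sub(r"^https?://", "", fields["url"]).rstrip("/")
    return f"https://{domain}/.well-known/tor-relay/rsa-fingerprint.txt"


def parse_proof_file(text):
    """Collect the RSA fingerprints listed in the proof file, ignoring comments and blank lines."""
    fingerprints = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().upper()
        if FINGERPRINT_RE.fullmatch(line):
            fingerprints.add(line)
    return fingerprints


def fingerprint_is_proven(fingerprint, contactinfo, proof_file_text):
    """True iff the ContactInfo claims a domain AND that domain's proof file lists the fingerprint.
    The caller must fetch proof_file_text from proof_url() itself, i.e. from the claimed domain;
    anyone can type a domain into ContactInfo, only the domain owner controls the file."""
    fields = parse_contactinfo(contactinfo)
    if proof_url(fields) is None:
        return False
    return fingerprint.upper() in parse_proof_file(proof_file_text)
```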
relayor - the ansible role for Tor relay operators - v21.0.0 is released.
This release solves the expired debian GPG key.
There are already over 20 Tor relay operators (>200 relays, >10% exit capacity) that make use of the
tor ContactInfo Information Sharing Specification (CIISS) to get some group-wide graphs generated for their relays.
Below is a sample graph from one of them:
I'm happy to announce version 2 of the Tor ContactInfo Information Sharing Specification.
It comes with an easy to use ContactInfo generator, which is maintained by Eran Sandler:
relayor v20.1.0 is released.
It contains a bugfix for corner cases where the new tor configuration would not be used.
relayor users are encouraged to update to this release.
* bugfix: restart tor instead of reloading it when configuration changed (reloading is not supported by tor in all cases)
* make tor_ContactInfo variable mandatory
* update tor alpha version: 0.4.3 -> 0.4.4
* add support for FreeBSD 11.4
* increase min. ansible version to 2.9.12
Since the Tor directory authorities are no longer removing such relay groups, and I feel bad about sitting on this list without doing anything with it, I'm posting it here for your information.
This is a set of over 600 Tor relays that got added since 2020-01-29 on a limited set of hosters (primarily at Microsoft).
They have some similarities in their sign-up pattern and properties.
total guard probability: 3.6%
total middle probability: 10.1%
(no exit relays)
This time the malicious Tor relays (same entity) got caught intercepting traffic to changenow.io
In my recent blog post I mentioned that the Tor network attacker likely still runs >10% of the network's exit capacity.
Some of them got confirmed yesterday, and their actual fraction was likely even bigger than ">10%" at the time.
Two weeks ago they didn't exist, today they are by far the biggest guard relay operator on the Tor network.
Yet another OVH-based no-name relay group:
The Tor network is changing these days, changing fast.