What the "Spoiled Onions" paper means for Tor users

by phw | January 24, 2014

Together with Stefan, I recently published the paper "Spoiled Onions: Exposing Malicious Tor Exit Relays". The paper only discusses our results and how we obtained them and we don't talk a lot about the implications for Tor users. This blog post should fill that gap.

First, it's important to understand that 25 relays in four months isn't a lot. It is ultimately a very small fraction of the Tor network. Also, it doesn't mean that 25 out of 1,000 relays are malicious or misconfigured (we weren't very clear on that in the paper). We have yet to calculate the churn rate of exit relays which is the rate at which relays join and leave the network. 1,000 is really just the approximate number of exit relays at any given point in time. So the actual number of exit relays we ended up testing in four months is certainly higher than that. As a user, that means that you will not see many malicious relays "in the wild".

Second, Tor clients select relays in their circuits based on the bandwidth they are contributing to the network. Faster relays see more traffic than slower relays which balances the load in the Tor network. Many of the malicious exit relays contributed relatively little bandwidth to the Tor network which makes them quite unlikely to be chosen as relay in a circuit.

Third, even if your traffic is going through a malicious exit relay, it doesn't mean that everything is lost. Many of the attacks we discovered still caused Firefox' infamous "about:certerror" warning page. As a vigilant user, you would notice that something isn't quite right and hopefully leave the site. In addition, TorBrowser ships with HTTPS-Everywhere which by default attempts to connect to some sites over HTTPS even though you just typed "http://". After all, as we said in the past, "Plaintext over Tor is still plaintext".

Finally, we want to point out that all of these attacks are of course not limited to the Tor network. You face the very same risks when you are connecting to any public WiFi network. One of the fundamental problems is the broken CA system. Do you actually know all the ~50 organisation who you implicitly trust when you start your Firefox, Chrome, or TorBrowser? Making the CA system more secure is a very challenging task for the entire Internet and not just the Tor network.


Please note that the comment area below has been archived.

January 21, 2014


I wish to thank the writer of this post.

You wrote: Many of the attacks we discovered still caused Firefox' infamous "about:certerror" warning page. As a vigilant user, you would notice that something isn't quite right and hopefully leave the site.

It would be good if there is a detailed description in non-geek language of the possible scenarios under which Tor can be compromised and what Tor users can do to mitigate those attacks. I find the current write-up not detailed enough for non-IT, non-geek Tor users like me.

In essence, that means that all security best practice you already know from Firefox or Chrome also applies to TorBrowser. In particular, I'm referring to Firefox' warning page you might see every now and then. It says something along the lines of "This Connection is Untrusted" or "This is not the site you are looking for". These warning pages should tell users that the connection to the site isn't quite right. When you are using TorBrowser, you could try clicking on the onion at the top left and then click on "New Identity". Afterwards, you could try refreshing the web site where the warning happened.

The important thing to remember is: if that happens when you go to Facebook, Twitter, or your favourite web site, you really shouldn't ignore the warning and try to log in. Otherwise, somebody might have just gotten your password.

Bookmarks -> Bookmark All Tabs

Then go to that bookmark folder and Open All in Tabs. (Then go to Show All Bookmarks to delete that folder when you're done with it.

Of course not having all the tabs close would be preferable.

January 22, 2014


The stupid onion icon isn;t appearing in my task bar and I can;t find any instructions on where to find a solution to this problem. There isn;t even a obvious trouble shooting guide on the tor website. What gives?

No green onion icon, no Tor. You did something horribly wrong, or you have crud on your pc messing it up, which amounts to the same thing. You are not protected. You should change your identity every once in a while no matter what. So, figure out what you did wrong, or reinstall your operating system from scratch and re download tor and start fresh. It depends on how important anonymity is to you, IMHO. It's a pretty easy and clean thing to do, installing and running the Tor bundle. Troubleshooting this is meaningless.

January 22, 2014


Why cant i access onion sites as of a couple of days?
Do you have some kind of maintenance or should i look on my settings?

> Do you have some kind of maintenance or should i look on my settings?
There's no such thing as a maintenance of the Tor network (afaik).
The network JustWerks© basically all the time.

January 22, 2014


I am wondering if there is there an official "Tor Check" hidden service, or only the clearnet version?

I think that behavior might be bad for your anonymity -- first because you're allocating streams to circuits in a different way than everybody else ("oh hey, there's that guy who only gives me one stream again"), and second because using more circuits can actually harm your anonymity in many cases.

You might enjoy
to read about the many issues here.

January 24, 2014


So i am having this problem for the 7th consecutive day.I cannot access any .onion sites neither the hidden wiki.
I uninstalled the browser and installed it again with the same result.
Is the problem with my internet provider?It has not happened in the past and this kind of problem.I am typing this from the Tor browser and it works perfectly fine on non .onion sites.I really need help.

January 24, 2014


Help me please i cannot access any .onion sites(other than the official tor page(http://idnxcnkne4qt76tg.onion/) as i mentioned for about 10 days now.

I cannot access the hidden wiki.I changed the setting so that tor connects though a bridge , but this still does not help.Should i use a proxy and then try again?I doubt it will change anything.Do you have the same problem guys?Can you access kpvz7ki2v5agwt35.onion.to/wiki/ ?

Please i need assistance sorry for double posting.

It is down and has been for a few days or weeks. But THW has a history of going down and up and down and up. Let's just hope it doesn't take too long to resurface this time. If it really is gone *forever*, there's plenty of exact mirrors, and the hardest part will simply be getting people to agree where to host the new hidden wiki (so all edits stay in sync).

January 25, 2014


Tor without vidalia is a bad thing.
With vidalia I can change all time user identity without change page.
Without vidalia return in fisrt home page.
Tor home page now sucks appearence with that bullsh1t uggly search toolbar in middle.
I hate you changes appearence.

Where tor bundle 0.21 or 0.23 with vidalia for download? I need that control panel back.

Bad changes, man!

I find tor ; ]
Work fine!
But I have 3.5 too for replace the missing flash player plugin (prefs) if necessary. since tor 3.5 is mandatory now flash plugin (11.9.900.170) misteriously delete yourself from version of tor.

tor without vidalia is actually a good thing, at least for anyone who modifies his torrc
file. The last several times I tried vidalia, it insisted upon overwriting my torrc with its
own idea of a configuration, thereby wiping out all of my configuration. vidalia
overwrote torrc upon startup before I even had an opportunity to tell it to do
anything.The only way I found that would stop that nasty misbehavior was to
use chflags(1) to make the file immutable, a rather extreme resort that also prevented
me from changing torrc as long as that flag were set. So I abandoned vidalia as
completely unusable.
arm, OTOH, does not overwrite torrc, provided one is careful not to use arm to make
configuration changes. Its numerous bugs are all tolerable in that they seem to result
only in failure to give me information that I want, rather than committing atrocities upon
my torrc file.

January 25, 2014


@On January 25th, 2014 Anonymous

Did you know that you can change identity by simple console command?

Linux (root):
# pidof tor | xargs kill -HUP


Open control port, write a simple .bat file to send to this port command like "NYM"

I've never like vidalie, ugly design, world map is too nursery. 5 buttons about what? NYM, log, nothing ! And no progress for more than 5 year.

Look at arm https://github.com/katmagic/arm better.


January 26, 2014

In reply to arma


I am wrong! In src/or/main.c in do_hup() it does
> /* Rotate away from the old dirty circuits. This has to be done
> * after we've read the new options, but before we start using
> * circuits for directory fetches. */
> circuit_expire_all_dirty_circs();

So, carry on. Sorry for the confusion.

January 25, 2014


Vidalia is available as a separate download if you care to look for it in the FAQ's of the latest Tor Project. And have you no manners?

January 25, 2014


Tor-Arm anyone?

Maybe learning how a non-clicky-clicky UI works is inconvenient, as well as changing the default home page being far too difficult. Much easier to complain!

For those such people, who would likely use Microsoft's subjugating OS, here [1] is the old clicky-clicky Vidalia, kindly built and maintained by Erinn Clarke. (Which took all of three seconds to find on tor-talk [2] mailing list!)



January 27, 2014


What I'm worriying most is the fingerprint, a large group of information Firefox sends to the website, for example the names of plugins, extensions, tabnames, tab numbers, when you combine them, you can be very unic and it's like your fingerprint. I hope there is a tool can change the fingerprint randomly and easily