By: Anon

Note* Anon exposes some disturbing issues concerning rogue developers working under the Tor umbrella. Can some of the security issues surrounding SSL be traced back to Tor development and developers?
An interesting bug report was filed on the Mozilla bug tracker in September. [1] It is titled ``Addons can silently disable certificate validation and alter errors that are presented to the user'' and names the Convergence Firefox plugin for what it really is -- a spy tool.
But first, recall my expose of the EFF's Firefox plugin -- the Decentralized SSL Observatory. [2] This plugin was a joint effort by the EFF and the Tor Project, with Mike Perry as a developer. Another of the developers is Peter Eckersley, who maintains the plugin's source code repository on Tor's servers. [3] The purpose of this plugin was to intercept all SSL certificates seen by the user's browser and secretly send them all back to EFF servers for `observation'. It was shown how all this was to be pushed to users' machines without their knowledge or consent. I'll take this opportunity to remind the EFF -- as a legal entity in the United States -- of the possible implications of not reining in their wannabe spy friends' behaviour.
This brings us to the Convergence Firefox plugin. [4] The author, `Moxie Marlinspike' (real name unknown) openly bragged in 2009 of intercepting Tor exit node traffic. [5] In fact, passive spying was not enough for `Moxie', he actively tampered with exit node traffic, specifically the SSL layer, removing any encryption which got in the way of his spying. This way, he was able to collect passwords and credit card numbers alike. Supposedly all this was to raise awareness of the insecurity of HTTPS. However, not only did Tor users remain oblivious to his actions -- the Tor Project kept mute -- so that they could perhaps modify their behaviour accordingly (like, say, not using Tor), but `Moxie' then went on to lecture cadets at West Point about his spying skills. [6] An anarchist security researcher wanting to raise awareness? Or a wannabe spy wanting a piece of the spy establishment's pie?
Back to that Mozilla bug. `Moxie' has been itching to push his plugin on ignorant users -- which, he openly brags, intercepts users' SSL certificates and distributes them to his network of servers (just like the EFF/Tor Project's Distributed SSL Observatory plugin). Seeing this, a Mozilla developer opened the bug to discuss how to protect users from these malicious plugins. The reply from `Moxie', apart from flames on Twitter, was:
``Addons can execute arbitrary code, and the potential for malicious addons is somewhat infinite.'' [7]
Apart from being absurd (in the logical sense), this sentence is incorrect. Something is either finite or infinite; there is no ``somewhat infinite.'' Machines are finite, and their possibilities are also finite. His response to developers trying to protect users by fixing a bug he exploits to spy on them is ``There's so many other bugs, and I will never give up trying to spy on people, so just give up now.''
Note that Google not only makes Moxie's spying on Chrome users impossible by design (Google's policy is only NSA gets to spy on you, no one else), but Google Chrome developers have outright rejected the possibility. [8] Not because Google is concerned about user privacy, but because Google wants to own all the notaries first...
Finally, note that Jacob Appelbaum has been one of the few vocal supporters of Moxie's work. Appelbaum has also been outed as a spy of Tor users' traffic. Note also that Anonymous recently outed Mike Perry as a Tor exit spy -- and worse, as probably the target of their recent takedown of child pornography. Anonymous' expose is well worth the read. [9]
The moral of this story is that birds of a feather flock together -- `Moxie' is a one-trick pony and is looking to replicate his success in spying on Tor users by bringing the spying straight to the browsers of a wider audience (maybe West Point will fly him out again and put him up in a nice hotel). This person has no integrity; they don't even use their real name.
SSL, like Tor, was designed from the bottom up as a spy tool. Only once another government gets a clue and begins exploiting them (cf. Comodo/DigiNotar) do the wannabe spies take exception. Keep this pattern in mind; it is important.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=686095
[2] http://pgpboard.com/viewtopic.php?f=2&t=466
[3] https://gitweb.torproject.org/pde/https-everywhere.git
[4] http://convergence.io/
[5] https://lists.torproject.org/pipermail/ ... 21276.html
[6] https://media.blackhat.com/bh-us-11/Zat ... e-Day2.mov (beginning at 55 minutes into the video)
[7] https://bugzilla.mozilla.org/show_bug.cgi?id=686095#c3
[8] http://www.imperialviolet.org/2011/09/0 ... gence.html
[9] http://pastebin.com/qWHDWCre
eof
Alan Taylor
PGPBOARD Administrator
London, England
