
Well, it's fun to do this and learn from that, however in an exit node it's not something I'd want to do. People use Tor to surf the web anonymously (mostly) and have some privacy. There are certainly exit nodes that do this, and it has been proven by blog posts in the past, however the more nodes that don't engage in such activities, the better for the network overall.


> however the more nodes that don't engage in such activities, the better for the network overall.

I'd argue that it is quite the opposite.

The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption. In particular, they will insist that more websites switch to HTTPS. Which is actually better for the network overall, and would render most of these attacks useless.

I wonder whether the Tor browser bundle should disable plain HTTP completely, only to be enabled through some obscure config setting for the rare use cases where this is actually needed.

[1] Tor is by definition a system of man-in-the-middle through man-in-the-middle. Why would anybody want to use that without end-to-end encryption?


> The more people are aware that plaintext over Tor is a really, really bad idea [1], the more people will use end-to-end encryption.

Yes, but how does your collecting logs impact overall awareness?

Even if it did (say, you make the logs available through some snazzy web interface, it gets mass media attention), how does that balance out with the users who traffic you exposed?


I didn't mean that more exit nodes should collect and share their logs. That would indeed weaken the Tor network, by facilitating traffic correlation.

I meant inspecting/manipulating the traffic if it is unencrypted. As a political statement, this should of course never actually attack the client, but instead try to raise attention by e.g. injecting a message along the lines of:

    Hi, I'm a stranger and it was trivial for me to
    inject this message. Please use HTTPS to prevent
    me from doing this.
Thinking more about that, however, this may be a bad idea. People could perceive this to be a security hole in the Tor network itself, rather than HTTP itself, which could damage the reputation of Tor.


Would it be possible for Tor to detect sniffing by seeding the traffic with poison pills that ratted out anyone doing this in bulk?



Makes you wonder why Tor doesn't replicate this and send the nodes ghost traffic, poison pills, block the IPs, etc.


Last I heard, there was basically one guy handling all reports of malicious exit nodes, and I couldn't even get him to do anything about the ones very obviously intercepting traffic to Bitcoin wallets and injecting code that stole people's money


People are communicating with bitcoin wallets without end-to-end encryption?


Sounds strenuous on an already slow network.


There is automated tooling out there that is used to detect misbehaving exits, like ExitMap: https://gitweb.torproject.org/user/phw/exitmap.git/


This has been done in the past: researchers visited a uniquely generated URL from Tor and then recorded which exit nodes visited it again. You can find their work if you google it.


https://chloe.re/2015/06/20/a-month-with-badonions/

"Chloe" visited unique web pages for a month last year, and also used unique credentials to log into a custom honeypot. Of the over 137,000 exit nodes tested, 15 attempted to use the credentials, 650 visited the unique websites.

Less than half of a percent, but definitely happening regularly enough to be an issue.
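The honeypot correlation described in the comments above (a poison-pill URL and unique credentials fetched through each exit, then watching for anyone who comes back for them) boils down to a small bookkeeping problem once the honeypot logs exist. The following is an added example written for this thread, not code from the badonions project, ExitMap, or the Tor Project. It assumes a honeypot web server that logs the secret token embedded in each URL and in each login attempt, and that the probe arrives from the exit's expected egress IP within a short window; the exit fingerprints, IPs, timestamps and tokens are all constructed for the example.

```python
"""Bad-exit honeypot correlation (added example, not from any Tor tooling).

The idea from the thread: fetch an unpublished, unguessable URL through each
exit, and log in to a honeypot with unique credentials through it. If that
token ever shows up at the honeypot again, someone on the path sniffed it.
All sample data below is constructed."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Probe:
    token: str       # secret embedded in the URL path and in the login password
    exit_fp: str     # fingerprint of the exit relay the probe was routed through
    exit_ip: str     # IP the exit is expected to connect from (assumed known)
    sent_at: datetime

@dataclass(frozen=True)
class Hit:
    at: datetime
    src_ip: str
    token: str
    kind: str        # "url" (honey URL requested) or "login" (honey credentials used)

def new_token() -> str:
    # 128 random bits: nobody can guess it, so a second use means it was seen on the wire
    return secrets.token_hex(16)

def issue_probe(exit_fp: str, exit_ip: str, sent_at: datetime) -> Probe:
    return Probe(new_token(), exit_fp, exit_ip, sent_at)

PROBE_WINDOW = timedelta(minutes=2)   # how long our own request may take to arrive

def classify_hits(probes, hits):
    """Map exit fingerprint -> list of (hit, verdict) for every hit that is NOT
    our own probe arriving. The first hit per (token, kind) that comes from the
    expected exit IP inside PROBE_WINDOW is our own request; anything else means
    the token was replayed by whoever observed it in transit."""
    by_token = {p.token: p for p in probes}
    own_seen = set()
    findings = {}
    for hit in sorted(hits, key=lambda h: h.at):
        probe = by_token.get(hit.token)
        if probe is None:
            continue   # scanner noise with a token we never issued
        key = (hit.token, hit.kind)
        in_window = probe.sent_at <= hit.at <= probe.sent_at + PROBE_WINDOW
        if key not in own_seen and hit.src_ip == probe.exit_ip and in_window:
            own_seen.add(key)   # this is our own probe, as expected
            continue
        if hit.src_ip == probe.exit_ip:
            verdict = "replayed from the exit itself"
        else:
            verdict = "replayed from another host (exit operator or upstream sniffer)"
        findings.setdefault(probe.exit_fp, []).append((hit, verdict))
    return findings

def suspicious_exits(probes, hits):
    return set(classify_hits(probes, hits))

def sample_data():
    """Constructed data: three exits, one clean (EXIT_A), two bad (EXIT_B, EXIT_C)."""
    t0 = datetime(2015, 6, 1, 12, 0, 0)
    probes = [
        Probe("aaaa" * 8, "EXIT_A", "198.51.100.10", t0),
        Probe("bbbb" * 8, "EXIT_B", "198.51.100.20", t0),
        Probe("cccc" * 8, "EXIT_C", "198.51.100.30", t0),
    ]
    hits = [
        # our own probes arriving through each exit
        Hit(t0 + timedelta(seconds=5), "198.51.100.10", "aaaa" * 8, "url"),
        Hit(t0 + timedelta(seconds=6), "198.51.100.10", "aaaa" * 8, "login"),
        Hit(t0 + timedelta(seconds=7), "198.51.100.20", "bbbb" * 8, "url"),
        Hit(t0 + timedelta(seconds=8), "198.51.100.20", "bbbb" * 8, "login"),
        Hit(t0 + timedelta(seconds=9), "198.51.100.30", "cccc" * 8, "url"),
        Hit(t0 + timedelta(seconds=10), "198.51.100.30", "cccc" * 8, "login"),
        # EXIT_B's honey URL fetched again hours later from an unrelated address
        Hit(t0 + timedelta(hours=3), "203.0.113.77", "bbbb" * 8, "url"),
        # EXIT_C reuses the sniffed credentials from its own address
        Hit(t0 + timedelta(minutes=10), "198.51.100.30", "cccc" * 8, "login"),
        # a scanner using a token we never issued: ignored
        Hit(t0 + timedelta(hours=1), "192.0.2.5", "ffff" * 8, "url"),
    ]
    return probes, hits

if __name__ == "__main__":
    probes, hits = sample_data()
    for fp, events in classify_hits(probes, hits).items():
        for hit, verdict in events:
            print(f"{fp}: {hit.kind} token reused at {hit.at} from {hit.src_ip}: {verdict}")
```

Two caveats a practitioner would want: a replay from a third-party IP does not prove the exit operator did it, since anyone upstream of the exit (its ISP, a mirrored port, as the later comments note) sees the same plaintext; and the "expected exit IP" has to be the address the exit actually egresses from, which is not always the one it advertises for its ORPort, so a clean exit could otherwise be flagged because its own probe failed to match.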


Not really, you can always mirror the WAN/uplink port and do the capture on another box, so even some time-based / performance analysis won't show anything.


Port mirroring means you can only be a passive eavesdropper. Attacks like SSL mitm wouldn't work because you actually have to intercept and modify the traffic


SSL MITM still won't work unless you want it to be very noticeable or you have very substantial resources.

Port mirroring is enough to capture SSL traffic and to break weak SSL keys or if you have compromised the key of the destination services (w/ some caveats like no forward secrecy etc.)

And it doesn't prevent you from executing MITM attacks from upstream or just doing specific MITM attacks from within the Tor exit node later on.

But overall there is nothing you can do to ensure that your Tor exit node, your VPN gateway or even your ISP isn't reading your traffic other than to use encrypted tunnels everywhere, and even then you are for the most part only moving the problem upstream.


You can't silently mitm SSL unless you are trusted by the client.



