Blockchain.Info Launches Darknet Site In Response To Thefts Over TOR

A public outcry about a recent surge of thefts, affecting Tor users accessing Blockchain.info, started when one redditor made a list of old and recent thefts a week ago. While most of the known thefts were in the smaller range, one redditor reported losing 100 bitcoins, with another reporting a lost 63 bitcoins. Blockchain.info decided the problem needed to be addressed and started working with reseachers at the Tor Project, and computer security researcher and entrepreneur, Nik Cubrilovic.

Cubrilovic identified the source of the thefts as a variation of a Man In The Middle (MITM) attack, called SSL Stripping, “Once inserted on the path between the victim and the connection to a web server, the sslstrip attack will intercept requests to an HTTPS based service and proxy them back to the user over HTTP.”

The problems were well documented. The core developers of the Tor Project addressed the issue in a blog post at the start of 2014. Blockchain.info issued a warning about it in October over its Twitter account.

SSL Stripping attacks are ideal for the network structure Tor is based on. Tor sends data through a connection of Nodes, that hide the origin of a connection. Connections made through the network leave via an Exit Node. This last port of call in the network provides malicious actors with a weak point to attack, by hosting an Exit Node running SSL Stripping software attackers can intercept sensitive data such as Blockchain.info wallet details.

According to Cubrilovic, the attacks were so successful the wallet provider decided to ban all Tor traffic. While this was an attempt at a quick solution, to a serious problem, it unintentionally played into the malicious actors hands.

Tor Exit Nodes are by design hard to ban. in order to ban nodes you have ban the identifying IP address of the computer hosting the node. IP addresses can be dynamic, meaning they are assigned upon connection to the network.

Since the majority of exit nodes with static IP addresses aren’t controlled by malicious actors, the Exit Nodes remaining were more likely to be hosting SSL Stripping software. Tor users who continued to access Blockchain.info, and were unaware of the dangers and recent thefts, had a higher chance of their traffic being sent through one of the malicious nodes, which has resulted in the recent surge in reported thefts on the popular bitcoin subreddit, /r/bitcoin.

A solution was found though, after several days working with Cubrilovic and researchers from the Tor Project, Blockchain.info announced a new way to securely access Blockchain.info’s services through Tor, “We’re proud to announce we’re the 2nd site ever to be issued a .onion SSL cert!”

With the new .onion address, Tor users won’t have to worry about malicous exit nodes since they can access Blockchain.info through the wallet provider’s own exit node, blockchainbdgpzk.onion. On top of that, users will be able to verify that is in fact the correct website by checking the SSL certificate issued by DigiCert, visible at the beginning of the address bar.

In addition to those security measures, they will make users access the website through one of the most popular secure communication protocols on the internet, HTTPS, by enforcing Strict Transport Security (HSTS) across their clearnet and .onion websites. HSTS allows web servers to declare that web browsers should only interact with it using secure HTTPS connections,and never via the insecure HTTP protocol.

This solution was not gone unnoticed in malicious circles. A redditor, who has deleted his account since, posted a .onion address in numerous threads. The redditor claimed the address was the new Blockchain.info .onion but was actually a pishing site looking to steal bitcoins.

Another user reported that he continued to have his bitcoins stolen, despite connecting to Blockchain.info through their new .onion address, and changing his password twice. Once a wallet is compromised the private keys can be copied, changing the password will not make any difference. If your wallet was compromised by previously logging in through Tor without the .onion address you will need to setup a new wallet.

Cubrilovic had this advice on staying safe from fraudulent connections, “The recommended action for users it to always check the validity of their connection to the web server and to make sure it is secure and that the certificate they are presented validates (you can check this in most browsers by clicking on the (real) secure lock icon).”

Sophie is an artist whose secret passion is finance, economics, and technology. She loves keeping up with the ever expanding and evolving world of crypto-currency. When she isn’t painting, she can be found trying to understand the complex inner workings of markets. Another complex system she is fascinated by, are ecosystems. She often observes them on her daily hikes through nature.