My Thoughts On Mysterium Network And How It's A MITM's Wetdream

To give a little context about where this is coming from, you might want to know a little bit about me. I’m a privacy activist, early adopter of blockchain technology, and run the largest member-only hosting provider on the darknet (Tor).

Privacy and decentralization are very important to me. So when a decentralized VPN, powered by blockchain technology, released their whitepaper, it truly piqued my interest. A “distributed, trustless and sustainable network - providing open access and privacy to all Internet users” is an amazing feat. I wanted to do this write-up before the Token Sale but life got a little bit hasty. So here I am now. Buckle up because we are going for a ride down this rabbit hole.

The Mysterium Network is trying to build a decentralized VPN that incentivizes network participants to participate in the network. This removes the central authority from the VPN equation thus giving individuals more privacy and a network which will never go down due to its decentralized nature. All payments are done using Ethereum tokens which, due to Ethereum’s fully transparent design, are pseudo-anonymous. It’s supposed to provide anonymity, decentralized traffic routing, possibility for end-to-end encryption, a low honeypot risk, and other magical things which make it a no-brainer to go with them instead of the yucky privacy destroying centralized VPNs.

However, there are fatal flaws the Mysterium network cannot address in its currently proposed design. Man In The Middle (MITM) attacks, government censorship or takedown, spam service announcements which will break service discovery, and the horribly inherent pseudo-anonymous nature which can remove any given privacy.

So let’s start with the elephant in the room, MITM attacks. This setup is a MITM’s wetdream. The MITMer can publicly announce any system without any limitations on the blockchain. It will be stored there forever with the only limitation that I will need to re-announce the server after a predefined number of blocks. There is no central authority controlling who can get in or them getting kicked out. Even if the Mysterium foundation made a way for the contract to invalidate a proposal there is nothing stopping the MITMer from announcing another one automatically. Everything is transparent so they could see if one of their servers was invalidated in real time. So now that the MITMer has a sure, unstoppable way to announce their system on the network they can proceed to get connections from the unknowing victims.
These connections are stupidly simple to man in the middle.

Let me give you the run down. The victim connects to one of the MITM’s servers. This connection is, of course, all encrypted with amazing butterflies floating towards a rainbow. It is done in a way that all traffic is done over the MITM’s server (to prevent IP leak). When the victim goes to connect to, say, any http site the connection is MITMed with ease. Anything and everything can be recorded without the victim’s knowledge. Best of all, because the network detects there is traffic, the MITM will get paid to do it. Now, of course, any smart™ individual will always use https. But that isn’t always a fool-proof solution. TLS is routinely broken (BEAST/CRIME/DOWN attacks for example). Take SSLStrip for example. If the site doesn’t have HSTS (which the large majority doesn’t) it is completely possible to strip the https and just MITM the connection anyway. Of course, this won’t work on all https sites but for the large part, it opens the door.

However, this is the same risk with centralized VPN providers. They can try to MITM your connection. Which is why reputation plays a very large part in the purchasing habits of VPN consumers. VPN providers have a large incentive to keep true to their promise or all that money and time they invested in infrastructure goes to waste.

Moving on to Government censorship or takedown. They have a table in the white paper which compares Tor (it’s Tor not TOR btw) to the Mysterium network. It’s not far-fetched to say that governments don’t like me. Multiple whistleblower sites and information networks are hosted in the cluster. Tor is really good at protecting privacy and anonymity. The Mysterium network’s design will not protect privacy or anonymity in its current form. Once the server is announced on the blockchain, everybody knows about it. That includes governments which might not want their citizens bypassing their firewall (cough China cough). Due to blockchain’s transparent nature, it would be effortless to block the systems attached to the Mysterium network. Also being that it’s a one hop direct connection (unlike Tor’s three hop system) if a government gained control of the system they would be able to find who exactly is using it. Maybe finding some unsuspecting citizens looking for a way around the firewall. This system is not at all private and will not protect journalists communicating with whistleblowers.

Spam announcements with service discovery is a big attack surface which will cripple the entire discovery process. Here is a simple idea. The attacker wants to cripple the Mysterium network. So they announce thousands of fake nodes. Some might be up for a couple moments, others might be just ghost nodes, and some, I assume, are good people. The simple fact is there is nothing preventing a ton of spam announcements that the Mysterium nodes will pick up and use for the discovery. Now not discounting the gas cost to make all those announcements but god this service discovery is going to be a disaster. There are some things that blockchains are really good for; service discovery of nodes, which can come and go over short times, is not one of them.

We are almost done. Now let’s talk about the horribly inherent pseudo-anonymous nature of all this. The white paper didn’t go that far into how privacy is protected with the payment system. On the Mysterium network, you are identified by your node key. This node key seems to be attached to all payments you do which are then recorded on Ethereum. Due to this, wouldn’t it be possible for anybody to see when anybody is on? All the sessions with their duration, time started, data transferred, are recorded. It is the ultimate logging policy. The moment someone finds out your node key they will be able to look at every session you made using that node key. That is not at all great for privacy. If you wanted to completely destroy the user’s privacy all you would need to do is set up a node to accept connections, record the IP of the ones who connected with you, and see who is the one who started the connection and paid you. Boom, you know now the IP of that node key. You want to target a specific IP for your MITM attack, you now have the method knowing about who everybody is. This goes the same for governments or sites that want to block everybody that participated in the Mysterium network. When you announce you want to join the network you have already lost the privacy Mysterium is trying to keep. How’s that for irony.

Now it’s not all bad. Mysterium is in its very very early stages. Some of the problems (like spam announcements) can be countered by a good reputation & trust mechanism. How you can do that on a distributed network built on blockchains is still up in the air. They also might turn off reporting of traffic statistics but the payment systems still remain. A new identity could be made on each new connection which might separate sessions (payment systems are still there though…). The Mysterium foundation might do routine testing on systems and see if any nodes are acting up, invalidating them if they do. Potentially they could ask for the nodes to lock some tokens to participate. If they get invalidated, then the tokens would be lost.

But one thing is for sure. If I wanted to MITM people, Mysterium’s network is where it is at.

TL;DR Mysterium has 99 problems. MITM attacks are one of them.
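
The post's point about SSLStrip and HSTS can be checked from the site operator's side. The following is an added example, not part of the original post: it parses `Strict-Transport-Security` headers under RFC 6797 rules and classifies constructed sample responses; the hostnames, verdict labels and function names are assumptions made for the illustration.

```python
import re

# One directive: a name, optionally "=" and a token or quoted-string value.
# (Simplified from the RFC 6797 grammar: quoted values containing ";" are not handled.)
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*(?:=\s*("[^"]*"|[^\s;"]+))?\s*$')

# Header requirement of the browser preload list (hstspreload.org): one year.
PRELOAD_MIN_AGE = 31536000


def parse_hsts(value):
    """Return the directives as a dict, or None if a browser must ignore the header."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty directives are permitted
        m = _DIRECTIVE.match(part)
        if m is None:
            return None
        name, val = m.group(1).lower(), m.group(2)  # names are case-insensitive
        if name in directives:
            return None  # each directive may appear only once
        if val is not None and val.startswith('"'):
            val = val[1:-1]
        directives[name] = val
    age = directives.get("max-age")
    if age is None or not (age.isascii() and age.isdigit()):
        return None  # max-age is mandatory and must be a non-negative integer
    directives["max-age"] = int(age)
    return directives


def assess(scheme, headers):
    """Classify one response by how much downgrade protection it leaves behind."""
    raw = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    if raw is None:
        return "none"  # no policy: a relay can keep every plain-http visit on http
    if scheme != "https":
        return "ignored"  # a header received over http is discarded by the browser
    policy = parse_hsts(raw)
    if policy is None:
        return "ignored"  # malformed header, so no policy is stored
    if policy["max-age"] == 0:
        return "removed"  # max-age=0 deletes any stored policy
    if (policy["max-age"] >= PRELOAD_MIN_AGE
            and "includesubdomains" in policy and "preload" in policy):
        return "preload-eligible"  # header meets the preload list's requirements
    return "tofu"  # protects only after one clean https visit (trust on first use)


# Constructed sample responses: (host, scheme the response arrived over, headers).
SAMPLES = [
    ("shop.example", "https", [("Content-Type", "text/html")]),
    ("bank.example", "https", [("Strict-Transport-Security",
                                "max-age=31536000; includeSubDomains; preload")]),
    ("blog.example", "https", [("strict-transport-security", "max-age=86400")]),
    ("news.example", "http", [("Strict-Transport-Security", "max-age=31536000")]),
    ("old.example", "https", [("Strict-Transport-Security", "max-age=0")]),
    ("typo.example", "https", [("Strict-Transport-Security", "maxage=31536000")]),
    ("wiki.example", "https", [("Strict-Transport-Security",
                                'max-age="63072000"; includeSubDomains')]),
]


def audit(samples):
    """Map each host to its verdict."""
    return {host: assess(scheme, headers) for host, scheme, headers in samples}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:14} {verdict}")
```

Only a host that is actually on the browser's preload list is covered on a first visit made through an untrusted relay; a `tofu` host depends on the browser having stored the policy earlier over a clean path.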

Good analysis. I agree with most of it. Full disclosure though, I am a Mysterium investor.

The MITM issue is a serious one, no doubt. I think the only solution here is to suggest that every Mysterium user use an extension like HTTPS Everywhere to enforce SSL.

Also being that it’s a one hop direct connection (unlike Tor’s three hop system) if a government gained control of the system they would be able to find who exactly is using it. Maybe finding some unsuspecting citizens looking for a way around the firewall. This system is not at all private and will not protect journalists communicating with whistleblowers.

I’d say two things there. One, you’re probably right that it shouldn’t be used by people who are seriously concerned about state-level interference. But secondly, it’s possible in principle for Mysterium to facilitate multi-hop connections. Hopefully they will add this feature soon.

Spam announcements with service discovery is a big attack surface which will cripple the entire discovery process. Here is a simple idea. The attacker wants to cripple the Mysterium network. So they announce thousands of fake nodes.

There’s a fairly simple way to deal with spam. Attach a price to the announcement. Maybe node operators should have to pay a small fee, or hold a nominal amount of ether in escrow to be allowed to announce. This would prevent large-scale spam / sybil attacks.

We are almost done. Now let’s talk about the horribly inherent pseudo-anonymous nature of all this. The white paper didn’t go that far into how privacy is protected with the payment system. On the Mysterium network, you are identified by your node key. This node key seems to be attached to all payments you do which are then recorded on Ethereum.

Technically true, although the ‘you’ is pseudonymous. If you wish to protect your identity, ensure that your funding address is not linked to your real identity. Eventually, when Ethereum adds ZK-SNARKS, this will be much easier.

Again, great write-up. I agree with much of your criticism, and most of my response is in terms of what Mysterium could do to fix these issues, not what they actually are doing. Hopefully they will take heed and start working to resolve some of these issues. However, in the meantime, a relatively weak privacy model VPN network is not useless. Plenty of people use VPNs for fairly mundane things, like circumventing content blocks, or hiding their identity/browsing history from more mundane actors. For those people, I think Mysterium is great, and that’s why I chose to invest in it. I think that with a few tweaks and the right precautions, it could be used for more serious threat models as well, but we’re not quite there yet.

Hey I’m also a big fan of Tor and decentralized networks, and really all these networks have similar problems - the only difference is that when actions are associated to crypto and cost money you can actually solve them whereas it’s not possible to solve them in Tor/I2P/etc at the moment.

As others have said, similar MITM risks appear in Tor, except that, because of the multi-hop model, unless the attacker owns both the entry and exit node, they cannot match Requesting IP to Request.

Actually Tor has very similar issues overall. In Tor you cannot even fix the Sybil problem, where I can just spin up thousands of Tor nodes and give myself a better chance of getting you to use both my entry and exit nodes (btw, Tor circuits are long lived by design, so if you pick a malicious entry/exit pair, you’re screwed for a large duration of your session).

On the other hand if there’s 10K VPNs on Mysterium and I want to spin up and constantly advertise my own 10K servers, that starts to cost a lot of money over time, both from bandwidth and interaction cost with the blockchain.

The “servers are on the blockchain therefore public” is also the same for Tor, the list of all entry, exit and relay nodes is public and you can request it from the Tor network and from the directory servers (Tor is more centralized than people think, there’s 8-12 directory servers that if taken down cause Tor not to really work anymore, and hidden service addresses stop resolving well).

If you really wanted, there’s nothing stopping you from turning Mysterium to a Tor-like network, even without the dev’s explicit support. If the Mysterium nodes support OpenVPN, it is possible to nest / chain OpenVPN sessions and if you do that 3 times over, you have a 3 hop link just like you do in Tor.

For the pseudonymity thing, that will be solved with Metropolis after it adds EC operations and pairings opcodes. You’ll be able to ring mix your coin and cryptographically anonymize them, and if doable someone might use zkSNARKs to obfuscate VPN/client associations on chain.

One nice idea for “node reputation” might be to have it so that the VPN network as a whole connects to each other anonymously and makes requests to random HTTP servers, in a way that’s indistinguishable from a client requesting, and if the request gets MITM’d the requester provides a proof of MITM and the VPN loses its security deposit (who knows if this is reliably doable, just a thought).

p.s. Tor is really not a magic pill either, while I like it (though I think I2P is better), it has lots of problems with its crypto assumptions, even using codebook cipher mode in its encryption which allowed tracking packets between hops without necessarily even having to be part of the route, etc. For anything where a state-level attacker is watching, you need to step up your game way more than just “Use Tor”.

Great write-up. I really want to thank you for providing the time to do this, and put your thoughts out here for others to learn (and for some who understand this domain to add to the conversation).

MITM is disincentivised via marketisation of each node’s reputation.

That is, you can MITM attack but it will cost you your node’s reputation, which is a shame since that is your income.

To be clear, you are saying that this countermeasure is not in place?

This thread is great! Looking forward to more inputs and comments from redditors and the Mysterium team itself :).

Hello CodeFate. Thanks for the thoughtful input. Do you care to share any updates on this, if you are still following the idea behind MYST?

Thanks!

The same MITM risk you describe exists in Tor. If I’m mistaken please correct me, I didn’t follow it in the last couple of years (but it was definitely true and demonstrated before then).

If somebody is using http and typing in personal info it deserves to be hacked.
All secure info is done thru https. You could run SSL strip I guess

I just came across mysterium and this wonderful write-up. Then I looked at the date. Idk if you are still following this thread or not, but if you are, do you know if there has been any update on this issue?

The problem is, given how you can piece together traffic from the public ledger, it is less private than normal browsing because now you are creating a permanent ledger that can show your history to anyone without so much as a warrant.

Eventually, when Ethereum adds ZK-SNARKS, this will be much easier.

I believe that might be a bit harder to do than normal EIPs, it’s a whole crypto-operation change on the base level, making me doubt it’s actually possible without a HF…or at all

In Tor you cannot even fix the Sybil problem, where I can just spin up thousands of Tor nodes and give myself a better chance of getting you to use both my entry and exit nodes

Except spinning up a thousand nodes would cost you money. It would also take some time for your non-exit nodes to become a guard node and be adopted by individuals (see lifecycle of a new relay). Unlike the Mysterium design which facilitates the MITMer directly as a one-hop model.

(btw, Tor circuits are long lived by design, so if you pick a malicious entry/exit pair, you’re screwed for a large duration of your session)

This is not true. Tor circuits are very short lived. The Tor Browser Bundle rotates the circuits every ten minutes. While the guard node might not change every ten minutes the circuit will.

The “servers are on the blockchain therefore public” is also the same for Tor, the list of all entry, exit and relay nodes is public and you can request it from the Tor network and from the directory servers

Except the individuals connecting to the Tor network are not publicly known. Individuals can also hop over a bridge hiding their network entrance point from the world. Being that bridges are not publicly known it provides a large level of privacy, hiding the fact that you even connected to the network.

(Tor is more centralized than people think, there’s 8-12 directory servers that if taken down cause Tor not to really work anymore, and hidden service addresses stop resolving well).

Of course, the directory servers are a touchy spot and a spit into the face of decentralization. I think of them as a necessary evil to provide oversight into the network and give everybody some kind of authority to look up to. If they went down the network would definitely be affected. However, they don’t control onion service resolving because the onion service announces their service descriptor to a distributed hash table which is stored at the relays, not the directory servers.

If you really wanted, there’s nothing stopping you from turning Mysterium to a Tor-like network, even without the dev’s explicit support. If the Mysterium nodes support OpenVPN, it is possible to nest / chain OpenVPN sessions and if you do that 3 times over, you have a 3 hop link just like you do in Tor.

Except without any bridges, onion services, node reputation (in its current form), or onion layering preventing traffic snooping on two of the three sessions. As well as the triple cost of a three hop link. It would also be easy to see who is doing three hops because they would need to start three simultaneous sessions. It will put a target on the connection, publicly announcing the circuit participants to the whole world, have more overhead than Tor’s design (assuming OpenVPN nesting), and be just as slow. The connection would also not have Tor circuit protection (where nodes in the same network or sub IP should not share the same circuit, a time limitation on the circuit, a limitation on what can be where in the circuits) making the connection more likely for Sybil attacks. Not that it would matter because the circuit and the one who made it is publicly known because of the payment system.

I’m saying how would anyone be able to know they are MITMing and/or logging the connection? You can’t affect the node’s reputation (even though there isn’t reputation right now on Mysterium) if you don’t know they are doing anything wrong in the first place.

Think about if a large advertising network boots up extremely fast nodes and offered the connections dirt cheap. Being that it’s direct P2P payments without authority, users would pay the advertising network (without knowing the node is associated with them) to allow them to also gather information on what sites they visit, how long they are there, and if they click any ads. Being that the node will also know exactly who is connected, they could use that information to create a profile for that IP.

Mysterium’s current design is ripe to be exploited. Individuals will not be safe, private, or anonymous on it. Even if they require node operators to lock in a deposit there is still a very large attack area where practically anything, even the user’s privacy, is up for grabs.

There hasn’t been any development that I have seen where Mysterium fixes any of the problems I have outlined.

While there is an MITM risk with Tor exit nodes, the Tor network is under constant scrutiny with the Tor Project’s oversight which can remove any bad actors at any time.

There is also an initiative called spoiled onions which tracks bad acting exit nodes.

While MITMers can boot up an exit relay, keeping it in the network is the hard part. Directories can limit the number of nodes introduced in the network removing the ones that act badly.

There is also the option of true end-to-end encryption via Tor onion services which doesn’t even use exit nodes and can not be MITMed because of their self-authenticating design.

Your traffic will not be stored in the ledger.

My understanding is that zk-snarks will be implemented as an ethereum contract. The only impediment at the moment is that the operations required would have too high a gas cost. The proposed solution is to create a new, minimal set of primitive operations that would bring that gas cost down to a reasonable level.

FYI I don’t own any Mysterium, just answering the technical points.

The nice part of the nodes being listed on the blockchain is that you can apply your own heuristics and choose what to trust yourself. Fast flux or new nodes could be rejected by the client side for low reputation - and they could charge lower fees to build up reputation.

This is not true. Tor circuits are very short lived. The Tor Browser Bundle rotates the circuits every ten minutes. While the guard node might not change every ten minutes the circuit will.

Sorry, yes - I didn’t mean the whole circuit, I meant the entry node set Tor picks from the list. It tries not to change the entry nodes it uses too often, because picking completely random circuits is actually worse security wise than picking a subset of entry nodes at client bootstrap and then using those as the start of the circuits - if you pick completely at random there’s more of a chance that you’ll pick two correlated nodes (there’s a paper about this but I can’t find it at the moment). The selection is also weighted by relay bandwidth, so you’re more likely to be connected to fast nodes, there’s also some rules that try not to choose nodes in the same /6 for a circuit, not reusing nodes in specific ways, etc… So if you wanted to increase your MITM chances in Tor you can still do so, it’s just a longer game.

Regardless this is all stuff you can encode in your own Mysterium client, connection heuristics don’t have to be strictly as defined on chain.

Also, nesting OpenVPN connections ends up with a similar type of layered encryption that Tor has. Two of three also breaks the encryption in Tor, if Entry and Exit are the same party.

In addition, just because you’re going to nest sessions doesn’t mean you need to do them all at once. You could open the first circuit and submit some bogus traffic, then some time later open the second circuit, and so on. For truly anonymous traffic I hate both this and the Tor model, and much prefer the I2P model where each node is also a relay due to the unidirectional tunnels, therefore it’s hard to analyze network use vs network relay. You could maybe do this with Mysterium as well if you are both a VPN and a user.

I agree that having a permanent store of all connection relationships that have ever happened on chain isn’t the best, but if you assume that the NSA / ISPs log all traffic then all of them combined have the same amount of information on Tor.

If you anonymize the coins I don’t think the payment system adds much more information leakage. It’s definitely not the best model either way, but it’s a start and I’m curious to see what the project will do to address some of the more serious issues.

EDIT: I found the paper: https://www.nrl.navy.mil/itd/chacs/sites/www.nrl.navy.mil.itd.chacs/files/pdfs/13-1231-2077.pdf See

Clients choose and maintain three active guards and use them as the entry
relay for all of their circuits to reduce the chance of directly connecting
to an adversary. Clients rotate each guard at a random time
between 30 and 60 days.

The entry guards are an extreme point of failure if one of them is malicious, they’re very long lived for each session.

True. Deposit, ah, yes, good idea.

Encryption should be able to solve it somehow though right? I mean, crypto currency relies on crypto so comms should be able to do it too. Relying on ssl might be crap… If so I’d focus on that as a criticism specifically otherwise I still feel ‘better than nothing’