В работе отмечены лишь заведомо фальшивые сертификаты, многие из которых вызывают предупреждение "about:certerror" в свойствах сертификата.

Использовать Perspectives для получения более объективной картины они не пытались?

Для массового сканирования многих сайтов и узлов это слишком накладно.

5.1 Threat Model

Our threat model does not cover adversaries who control certificate authorities which would enable them to issue valid certificates to avoid TorBrowser’s warning page. This includes several countries as well as organisations which are part of TorBrowser’s root certificate store. Furthermore, we cannot defend against adversaries who control a significant fraction of Tor exit bandwidth.

5.2 Multi Circuit Certificate Verification

As long as an attacker is unable to tamper with all connections to a given destination8, MitM attacks can be detected by fetching a public key over differing paths in the network. This approach was picked up by several projects including Perspectives [30], Convergence [16] and Crossbear [4]. In this section, we discuss a patch for TorBrowser which achieves the same goal but is adapted to the Tor network.

5.4 Limitations

In our threat model, we mentioned that our design does not protect against adversaries with the ability to issue valid certificates. While our extension could easily be extended to conduct certificate comparison for all observed certificates, it would flood the Tor network with certificate re-fetches. To make matters worse, the overwhelming majority of these re-fetches would not even expose attacks. There exist other techniques to foil CA-capable adversaries such as certificate pinning [17].

удалось выявить лишь 25 злонамеренных, которые проводят атаку человека посредине

Да ещё несколько сразу у одного провайдера.

Сейчас понапишут:
Russian Spy Nodes Caught Snooping on Facebook Users

Вот что было написано на самом деле:

With respect to our data, we cannot entirely rule out that the HTTPS MitM attacks were actually run by an upstream provider of the Russian exit relays. However, we consider it unlikely for the following reasons:

1. The relays were located in diverse IP address blocks and there were numerous other relays in Russia which did not exhibit this behaviour,
2. One of the relays was even located in the U.S.,
3. There are no other reported cases on the Internet involving a certification authority called "Main Authority", and
4. The relays frequently disappeared after they were assigned the BadExit flag.

The identity of the attacker is difficult to ascertain. The relays did not publish any contact information, nick- names, or revealed other hints which could enable edu- cated guesses regarding the attacker's origin.

While Tor's nature as an anonymity tool renders targeting individuals difficult, an attacker can target classes of users based on their communication destination. For example, an attacker could decide to only tamper with connections going to the fictional http://www.insecure-bank.com. Interestingly, we found evidence for exactly that behaviour; at some point the Russian relays began to target at least facebook.com. We tested the https version of the Alexa top 10 web sites [1] but were unable to trigger MitM attacks despite numerous connection attempts. Popular Russian web sites such as the mail provider mail.ru and the social network vk.com also remained unaffected. Note that it is certainly possible that the relays targeted additional web sites we did not test for. Answering this question comprehensively would mean probing for thousands of different web sites.

We have no explanation for the targeting of destinations. It might be another attempt to delay the discovery by vigilant users. However, according to previous research [13], social networking appears to be as popular over Tor as it is on the clear Internet. As a result, limiting the attack to facebook.com might not significantly delay discovery.

Оригинал, стр. 9. По кр. мере это смотрится очень странно (MITM ФСБука). Есть, правда, вариант «иностранец купил хостинг в России, чтобы снифать на экситах».

P.S. Спасибо за перевод.

Даже не знал, что уже так много альтернатив стандартному PKI есть.

скорее костылей вокруг.