The only attacks an exit alone can do are sniffing all traffic and modifying the traffic. There are constant checks done by the Tor Project to detect bad exits that modify traffic, but sniffing is not detectable, of course. But both of those attacks are mitigated by https which most sites support nowadays. Firefox, and therefore the Tor Browser, also has an option to disable http. [0] And using an .onion service removes this attack vector also.
> But both of those attacks are mitigated by https which most sites support nowadays.
Unfortunately, not as much as you might hope.
For good reasons, the Tor browser doesn't store your browsing history - so there's no 'recently visited sites', no address bar autocomplete, no cached redirects, no cached HSTS, and no colour-changed 'visited' links.
So if you're visiting a site that isn't HSTS-preloaded - for example bitcoinknots.org - you'd better remember to type in the https:// explicitly, as that's your sole protection against getting MITMed.
> So if you're visiting a site that isn't HSTS-preloaded - for example bitcoinknots.org - you'd better remember to type in the https:// explicitly, as that's your sole protection against getting MITMed.
> Tor Browser already comes with HTTPS Everywhere, NoScript, and other patches to protect your privacy and security.
Caveat: HTTPS Everywhere relies on a manual whitelist of HTTPS-enabled sites. If the website you’re visiting isn’t popular enough to be on their list, you’re out of luck.
Mentioned below that HTTPS-default (which is an option in ordinary Firefox) is intended to become mandatory in Tor Browser.
I use this on my main PC. Once or twice a day I might visit some old or especially cantankerous site that doesn't do HTTPS, I get a full page interstitial explaining the problem, I can decide if I'm OK with that. Otherwise every single link, typed URL, etc. is HTTPS regardless of whether that was what was originally written.
I wouldn't recommend it in its current state for my mother, but it's definitely what someone using Tor would want, and it's only getting more ubiquitous.
If they're not checking everything, any sort of non-general modification of traffic will obviously go completely unnoticed. The bad exit flag really is only ever going to catch the most obvious, ham-fisted bad behaviour.
You're correct, this isn't really a solution, but Tor Browser has already merged HTTPS-only mode [0] so this should become less of an issue in the near future.
[0]: https://support.mozilla.org/en-US/kb/https-only-prefs
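
The point made above about sites that are not HSTS-preloaded, as an added example that is not part of the thread: it parses a site's `Strict-Transport-Security` header, checks the header-side preload requirements (max-age of at least one year, `includeSubDomains`, `preload`), and reports what protects the first request in a browser that keeps no HSTS cache. The function names are hypothetical and the header values are constructed samples.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
const ONE_YEAR = 31536000; // minimum max-age (seconds) the preload list requires

// Parse a Strict-Transport-Security value (RFC 6797) into its directives.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof value !== "string") return out;
  for (const part of value.split(";")) {
    const [rawName, ...rest] = part.split("=");
    const name = rawName.trim().toLowerCase(); // directive names are case-insensitive
    const arg = rest.join("=").trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age" && /^\d+$/.test(arg)) out.maxAge = Number(arg);
    else if (name === "includesubdomains") out.includeSubDomains = true;
    else if (name === "preload") out.preload = true;
  }
  return out;
}

// Header-side preload requirements: max-age >= 1 year, includeSubDomains, preload.
function preloadEligible(p) {
  return p.maxAge !== null && p.maxAge >= ONE_YEAR && p.includeSubDomains && p.preload;
}

// What protects the first request for a typed bare hostname when the browser
// keeps no HSTS cache between sessions (the Tor Browser case in the thread).
function firstVisit(headerValue, { onPreloadList = false, httpsOnlyMode = false } = {}) {
  if (httpsOnlyMode) return "https: HTTPS-only mode upgrades the request";
  if (onPreloadList) return "https: host is on the HSTS preload list";
  return preloadEligible(parseHsts(headerValue))
    ? "http: exposed until the host is submitted to and shipped in the preload list"
    : "http: exposed, and the header does not meet preload requirements";
}

// Constructed sample header values.
const samples = [
  "max-age=63072000; includeSubDomains; preload",
  "max-age=15768000",
  undefined, // site sends no HSTS header
];
for (const h of samples) {
  console.log(JSON.stringify(h), "=>", firstVisit(h));
  console.log("  with HTTPS-only mode =>", firstVisit(h, { httpsOnlyMode: true }));
}
```
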