[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #14097 [Website]: check.torproject.org is available over http

Subject: [tor-bugs] #14097 [Website]: check.torproject.org is available over http
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sat, 03 Jan 2015 23:36:20 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 03 Jan 2015 18:36:28 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#14097: check.torproject.org is available over http
---------------------+---------------------------
 Reporter:  colons   |          Owner:  Sebastian
     Type:  defect   |         Status:  new
 Priority:  minor    |      Milestone:
Component:  Website  |        Version:
 Keywords:           |  Actual Points:
Parent ID:           |         Points:
---------------------+---------------------------
 I think it should redirect to https, although I honestly can't immediately
 think of anything useful you could achieve by MITMing it and lying to
 someone south of you.

 If someone is just typing 'check.torproject.org' behind someone who wants
 to wrongly convince them that they are or are not using tor, it doesn't
 really matter if the actual site is served over http or not; they can just
 not serve the redirect that you do. If someone bookmarks it, though, they
 start to be vulnerable.

 Might be intentional, though; do you suspect there are be scripts that
 don't support https hitting it?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14097>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: [tor-bugs] #14096 [EFF-HTTPS Everywhere]: enabling https for BootstrapCDN breaks icons( facebook/ tweeter/ feed/ Google+)
Next by Author: Re: [tor-bugs] #13448 [Tor Browser]: Bookmarks.RestoreFile. Browser-Not-Responding-Freeze-WindowsXP
Previous by thread: Re: [tor-bugs] #14096 [EFF-HTTPS Everywhere]: enabling https for BootstrapCDN breaks icons( facebook/ tweeter/ feed/ Google+)
Next by thread: Re: [tor-bugs] #13448 [Tor Browser]: Bookmarks.RestoreFile. Browser-Not-Responding-Freeze-WindowsXP
Index(es):
- Author
- Thread