[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #7430 [Tor Check]: Easy MITM against check.tpo (not SSL-related)

To: undisclosed-recipients:;
Subject: Re: [tor-bugs] #7430 [Tor Check]: Easy MITM against check.tpo (not SSL-related)
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sun, 11 Nov 2012 07:30:39 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 11 Nov 2012 02:30:47 -0500
In-reply-to: <051.f05a20a975d03eef1ea0774c2c87c3b6@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.f05a20a975d03eef1ea0774c2c87c3b6@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#7430: Easy MITM against check.tpo (not SSL-related)
-------------------------+--------------------------------------------------
 Reporter:  cypherpunks  |          Owner:     
     Type:  defect       |         Status:  new
 Priority:  major        |      Milestone:     
Component:  Tor Check    |        Version:     
 Keywords:               |         Parent:     
   Points:               |   Actualpoints:     
-------------------------+--------------------------------------------------

Comment(by arma):

 Yes, I think you're right that this attack would work fine.

 I'm not too worried though, because using an external website (with its
 various false positives and false negatives) is silly from within TBB
 anyway: Tor Browser Button can check whether it's configured correctly,
 full stop.

 So the check website is already more like a homepage for TBB users than an
 actual "are you using Tor correctly" page.

 There are a bunch of tickets around here for "stop hitting check.tp.o on
 startup" and the like.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7430#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #7430 [Tor Check]: Easy MITM against check.tpo (not SSL-related)
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #6783 [Tor]: should not serve old v2 statuses
Next by Author: Re: [tor-bugs] #7212 [Tor]: circuitmux assertion failure in 0.2.4.4-alpha
Previous by thread: [tor-bugs] #7430 [Tor Check]: Easy MITM against check.tpo (not SSL-related)
Next by thread: [tor-bugs] #7431 [- Select a component]: cannot connect to hidden services
Index(es):
- Author
- Thread