On August 7, 2018 11:14 PM, nusenu <nusenu-lists@xxxxxxxxxx> wrote:
>> did you notice the non-HSTS/HSTS distinction when trying to add an exception?

On August 8, 2018 1:51 AM, grarpamp <grarpamp@xxxxxxxxx> wrote:
> If there is, would have to look closer, thx.

The following is to help searchers who rammed their heads into this problem, as I did when accessing the clearnet version of a rather popular .onion (LE cert).

Firefox/Tor Browser disallows adding an exception. The "add an exception" button does not even appear! It gives the error message:

"This site uses HTTP Strict Transport Security (HSTS) to specify that Tor Browser may only connect to it securely. As a result, it is not possible to add an exception for this certificate."

Workaround FOR ADVANCED SECURITY GURUS ONLY -- WARNING, DANGER, YOU CAN BREAK YOUR SECURITY IF YOU DO NOT KNOW WHAT YOU ARE DOING -- create this integer pref before visiting the broken website:

    test.currentTimeOffsetSeconds    11491200

Instructions given here are intentionally opaque; if you don't know what that means, don't try it. Doing this is NOT RECOMMENDED. I myself would NEVER do this unless either I verified the certificate fingerprint by out-of-band means, or observed the same fingerprint through many different random exits. If you don't understand what this means, please do not try to override HSTS. You will get ruined by a BadExit. Evil h4x0rs with sslstrip will steal your identity, dox you on the scary darknets, and put sugar in your gas tank.

Instead of overriding security features, tell the server admin of the broken website to fix his problem by adding the intermediate certificate to the chain in the webserver config.

----

Topic drift observation:

This error made me realize that Tor Browser/Firefox must load at least the response HTTP headers before displaying the certificate error message. I did not realize this! I reasonably assumed that it had simply refused to complete the TLS handshake. No TLS connection, no way to know about HSTS. Scary.

How much does Tor Browser actually load over an *unauthenticated* connection? Most importantly, I am curious, does it leak the request URI path (including query string parameters) this way? Or does it do something like a `HEAD /` to specifically check for HSTS? No request headers, no response headers, no way to know about HSTS. Spies running sslstrip may be interested in that.

Sent with ProtonMail Secure Email.
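Added illustration (not code from the post above, and not Firefox/Tor Browser's own implementation): a toy model of the HSTS state a browser keeps per host, showing two things the thread touches on. First, HSTS state for a host is created only from a Strict-Transport-Security header received over a previously authenticated TLS connection (RFC 6797; the built-in preload list is a second source that this model leaves out), which is why the "add exception" button can be withheld before any header of the failing connection is read. Second, it models the effect the workaround relies on: a forward clock offset added before expiry checks makes a cached entry look expired once its max-age is shorter than the offset. The class and function names, the host names and the timestamps are this example's own constructed inputs.

```javascript
'use strict';

// Parse a Strict-Transport-Security header value into its directives.
// Returns null when there is no valid max-age, which a browser ignores.
function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const rawToken of headerValue.split(';')) {
    const token = rawToken.trim();
    if (!token) continue;
    const [nameRaw, valueRaw] = token.split('=');
    const name = nameRaw.trim().toLowerCase();
    if (name === 'max-age') {
      const value = (valueRaw || '').trim().replace(/^"|"$/g, '');
      if (!/^\d+$/.test(value)) return null;
      result.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
  }
  return result.maxAge === null ? null : result;
}

// Toy HSTS store (this example's own; dynamically learned entries only).
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a header. Only responses received over an authenticated TLS
  // connection may create or refresh state; a header seen over plain
  // HTTP or a connection with a failed certificate check is ignored.
  recordHeader(host, headerValue, nowSeconds, viaAuthenticatedTls) {
    if (!viaAuthenticatedTls) return false;
    const parsed = parseHsts(headerValue);
    if (!parsed) return false;
    if (parsed.maxAge === 0) { this.entries.delete(host); return true; }
    this.entries.set(host, {
      expiresAt: nowSeconds + parsed.maxAge,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Does unexpired HSTS state cover `host`? `clockOffsetSeconds` models a
  // test clock offset: it is added to "now" before the expiry comparison,
  // so an entry whose remaining lifetime is shorter than the offset is
  // treated as expired. Parent-domain entries apply via includeSubDomains.
  isHstsHost(host, nowSeconds, clockOffsetSeconds = 0) {
    const effectiveNow = nowSeconds + clockOffsetSeconds;
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (!entry || entry.expiresAt <= effectiveNow) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // The UI decision from the post: a certificate exception may be added
  // only when no unexpired HSTS state covers the host.
  canAddCertException(host, nowSeconds, clockOffsetSeconds = 0) {
    return !this.isHstsHost(host, nowSeconds, clockOffsetSeconds);
  }
}

// Walk-through with constructed data.
function demo() {
  const store = new HstsStore();
  const t0 = 1533600000;   // constructed "now" in seconds (August 2018)
  const OFFSET = 11491200; // the pref value named in the post (133 days)

  // A header seen over plain HTTP must not create state.
  const ignoredOverHttp = !store.recordHeader('example.org', 'max-age=31536000', t0, false);
  // Earlier successful HTTPS visits populate the cache.
  store.recordHeader('example.org', 'max-age=31536000; includeSubDomains', t0, true);
  store.recordHeader('short.example', 'max-age=2592000', t0, true);

  const later = t0 + 3600; // an hour later the server's chain is broken
  return {
    ignoredOverHttp,
    // cached one-year entry: no exception possible, nothing new loaded
    blocked: store.canAddCertException('example.org', later),
    subdomainBlocked: store.canAddCertException('www.example.org', later),
    // the 133-day offset does not outrun a one-year max-age ...
    stillBlockedWithOffset: store.canAddCertException('example.org', later, OFFSET),
    // ... but it does expire a 30-day entry
    unblockedWithOffset: store.canAddCertException('short.example', later, OFFSET),
    // a host never visited over HTTPS has no state at all
    neverSeen: store.canAddCertException('other.example', later),
  };
}
```

The `short.example` case is the one the workaround exploits; the `example.org` case shows its limit: a site that sends a long max-age is not affected by the offset, and the preload list (omitted here) has its own separate expiry.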
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk