[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #19850 [Applications/Tor Browser]: Disable Plaintext HTTP Clearnet Connections

Subject: [tor-bugs] #19850 [Applications/Tor Browser]: Disable Plaintext HTTP Clearnet Connections
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sun, 07 Aug 2016 05:12:58 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 07 Aug 2016 01:13:16 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#19850: Disable Plaintext HTTP Clearnet Connections
------------------------------------------+--------------------------------
     Reporter:  miserlou2                 |      Owner:  tbb-team
         Type:  enhancement               |     Status:  new
     Priority:  High                      |  Milestone:
    Component:  Applications/Tor Browser  |    Version:  Tor: 0.2.8.6
     Severity:  Major                     |   Keywords:  security, https,
Actual Points:                            |  ssl
       Points:                            |  Parent ID:
      Sponsor:                            |   Reviewer:
------------------------------------------+--------------------------------
 I think that the Tor Browser Bundle should aim to disable allowing
 connections to plaintext HTTP websites out the box by the end of the year
 2016.

 Content injection into MITM'd clearnet HTTP connections is the number one
 security threat to Tor users. It's incredibly easy to do and I'm certain
 that it happens all the time. (You can reproduce this easily by going to
 http://example.com in the latest TBB. https://example.com is completely
 valid, but the connection to the plaintext version is made).

 Even without direct content injection, it's the obvious weak point in the
 overall privacy that Tor provides for a common TBB user.

 It's 2016 - the vast majority of websites now serve pages over SSL. Thanks
 to projects like Let's Encrypt, it's now completely easy and free to run
 SSL out of the box with any important web server software package -
 there's really no excuse not to be running HTTPS.

 Rather than making this change immediately, we could announce the
 intention to release the change by the end of the year, thereby giving any
 stragglers time to add SSL to their websites. We could look at how
 browsers like Chrome and Firefox degrade deprecated TLS ciphers in
 successive releases as an example - first a visual indication, then a
 confirmation warning, then a total block.

 What do you think?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19850>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #19850 [Applications/Tor Browser]: Disable Plaintext HTTP Clearnet Connections
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #19899 [Core Tor/Tor]: prop224: Add a consensus param to enable/disable next gen onion service
Next by Author: Re: [tor-bugs] #19821 [Core Tor/Tor]: --expensive-hardening makes configure check for curve25519-donna-c64 to fail
Previous by thread: Re: [tor-bugs] #19849 [Applications/Orbot]: orbot crash when receiving data through transproxy at boot time
Next by thread: Re: [tor-bugs] #19850 [Applications/Tor Browser]: Disable Plaintext HTTP Clearnet Connections
Index(es):
- Author
- Thread