[tor-bugs] #19850 [Applications/Tor Browser]: Disable Plaintext HTTP Clearnet Connections
#19850: Disable Plaintext HTTP Clearnet Connections
------------------------------------------+--------------------------------
Reporter: miserlou2                       | Owner: tbb-team
Type: enhancement                         | Status: new
Priority: High                            | Milestone:
Component: Applications/Tor Browser       | Version: Tor: 0.2.8.6
Severity: Major                           | Keywords: security, https, ssl
Actual Points:                            |
Points:                                   | Parent ID:
Sponsor:                                  | Reviewer:
------------------------------------------+--------------------------------
I think that the Tor Browser Bundle should aim to disable allowing
connections to plaintext HTTP websites out of the box by the end of the year
2016.

Content injection into MITM'd clearnet HTTP connections is the number one
security threat to Tor users. It's incredibly easy to do and I'm certain
that it happens all the time. (You can reproduce this easily by going to
http://example.com in the latest TBB. https://example.com is completely
valid, but the connection to the plaintext version is made).

Even without direct content injection, it's the obvious weak point in the
overall privacy that Tor provides for a common TBB user.

It's 2016 - the vast majority of websites now serve pages over SSL. Thanks
to projects like Let's Encrypt, it's now completely easy and free to run
SSL out of the box with any important web server software package -
there's really no excuse not to be running HTTPS.

Rather than making this change immediately, we could announce the
intention to release the change by the end of the year, thereby giving any
stragglers time to add SSL to their websites. We could look at how
browsers like Chrome and Firefox degrade deprecated TLS ciphers in
successive releases as an example - first a visual indication, then a
confirmation warning, then a total block.

What do you think?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19850>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online