[tor-bugs] #24922 [- Select a component]: Misleading Help
#24922: Misleading Help
-------------------------------------+-------------------------------------
Reporter: RogerMont                  | Owner: (none)
Type: defect                         | Status: new
Priority: Medium                     | Milestone:
Component: - Select a component      | Version:
Severity: Normal                     | Keywords: HTTPS, Self-Signed Certificates
Actual Points:                       | Parent ID:
Points:                              | Reviewer:
Sponsor:                             |
-------------------------------------+-------------------------------------
In your Tor Browser User Manual under Onion Services you state:
"All traffic between Tor users and onion services is end-to-end encrypted,
so you do not need to worry about connecting over HTTPS."
1. This is completely FALSE! The exit node to the user is clear text and
all usernames and passwords are visible to the exit node. It is
surprising that some of you do not know about this problem. HTTPS should
be encouraged. It is common for governments to run several Tor nodes and
to monitor communication when they are the exit node. You can find
details about the problem in the link below and also from several other
sources.
2. Using HTTPS from an onion service with a self-signed certificate
should be permitted without all the ridiculous messages by Tor Browser
when establishing a connection. Tor onion addresses are inherently
certified because it is statistically impossible to impersonate a
correctly addressed onion site. The correction should advise the user and
import the certificate as a default, not as an exception. This way you
will encourage safe usage by both browser user and onion service provider.
For non-onion sites the existing code is fine.
I hope to see these corrections in a future update.
Thank you.
Please see the following article and forward it to others in your group
who are not informed about the weaknesses of using Tor without HTTPS.
https://en.wikipedia.org/wiki/Onion_routing
Exit node vulnerability
Although the message being sent is transmitted inside several layers of
encryption, the job of the exit node, as the final node in the chain, is
to decrypt the final layer and deliver the message to the recipient. A
compromised exit node is thus able to acquire the raw data being
transmitted, potentially including passwords, private messages, bank
account numbers, and other forms of personal information. Dan Egerstad, a
Swedish researcher, used such an attack to collect the passwords of over
100 email accounts related to foreign embassies.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24922>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
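The ticket's second point rests on onion addresses being self-certifying. For current (v3) onion addresses that property comes from the hostname itself: it is the base32 encoding of the service's ed25519 public key followed by a two-byte checksum and a version byte, so a client that decodes the address already holds the key the service must prove possession of, and a mistyped or tampered address fails the checksum instead of quietly pointing at some other key. The Python below is an added example written for this page; it is not the reporter's code and not the Tor Project's. It assumes the v3 layout (base32 of PUBKEY || CHECKSUM || VERSION, with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 3), which the ticket does not spell out, and it uses a constructed 32-byte key rather than any real service's key.

```python
import base64
import hashlib

# Assumed v3 onion address layout (not stated in the ticket):
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
ONION_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"
PUBKEY_LEN = 32
HOST_LEN = 56  # 35 raw bytes encode to exactly 56 base32 characters, no padding


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the public key to the address version."""
    digest = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([ONION_VERSION]))
    return digest.digest()[:2]


def encode_onion_address(pubkey: bytes) -> str:
    """Build the .onion hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != PUBKEY_LEN:
        raise ValueError("public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + bytes([ONION_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_address(address: str) -> bytes:
    """Return the public key embedded in a v3 address, or raise ValueError.

    The address is accepted only if its length, version byte and checksum
    all match, so a corrupted address is rejected rather than silently
    decoding to a different key.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != HOST_LEN:
        raise ValueError("not a v3 onion address: wrong length")
    try:
        raw = base64.b32decode(host.upper())
    except Exception as exc:  # binascii.Error on non-base32 characters
        raise ValueError("not a v3 onion address: bad base32") from exc
    pubkey, checksum, version = raw[:PUBKEY_LEN], raw[32:34], raw[34]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported onion address version {version}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """True if the address decodes with a matching version and checksum."""
    try:
        decode_onion_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key (not a real service's key): 32 sequential bytes.
    sample_pubkey = bytes(range(PUBKEY_LEN))
    addr = encode_onion_address(sample_pubkey)
    print(addr)
    assert decode_onion_address(addr) == sample_pubkey
    # Corrupt the last character, which carries the low bits of the version byte.
    print("tampered accepted:", is_valid_onion_address(addr[:55] + "a.onion"))
```

The checksum is only two bytes, so it is a guard against typos and truncation, not a cryptographic signature; the actual authentication happens when the service proves possession of the key that the address encodes. That is the sense in which the address, rather than a CA-issued certificate, names the service.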