[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Rethinking Bad Exit Defences: Highlighting insecure and sensitive content in Tor Browser

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Rethinking Bad Exit Defences: Highlighting insecure and sensitive content in Tor Browser
From: grarpamp <grarpamp@xxxxxxxxx>
Date: Sun, 2 Apr 2017 03:23:55 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 02 Apr 2017 03:24:56 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=LmixVrHRJ2tHffs3SUMRPEzfY/I3LGwDyhQGyr4DxN8=; b=cPu6cdoPdOR3AeqCWAr5uRKdJ4OBpyxiSMwAgsz019c9oMFVN7CSYGWLBFsVLHmWZu JpyjujrGIypmdH5gDnKBlWjytGm8w0CbjOUi4NUg9Nk2nilLtHvne7Yw/jmiD7OwycIF Vx5+UYVUdWZfur+9IGrYKr40X3L99uey8TG65lz+67+CkBRH01LDDbnNGscvbmHWo9PO a83xcN63fcazOOl5JlY5X7z/Mdbfe9aUx/zno9AqzsCAJHuZGK46kFkHr46GP2REPT3P rP/31jBpSJ08wxshDdv/gyGoA2TlrQZ2chD4ESS9XgBtZtSY0qRO0yB8u4GJVbtjM8Oz S3bw==
In-reply-to: <d21e5728-843e-3b54-b69b-bbbd748e505c@donncha.is>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <d21e5728-843e-3b54-b69b-bbbd748e505c@donncha.is>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Tue, Mar 28, 2017 at 11:31 AM, Donncha O'Cearbhaill
<donncha@xxxxxxxxxx> wrote:
> The Tor bad-relay team regularly detects malicious exit relays which are
> actively manipulating Tor traffic. These attackers appear financial
> motivated and have primarily been observed modifying Bitcoin and onion
> address which are displayed on non-HTTPS web pages.
>
> Increasingly these attackers are becoming more selective in their
> targeting. Some attackers are only targeting a handful of pre-configured
> pages. As a result, we often rely on Tor users to report bad exits and
> the URLs which are being targeted.
>
> In Firefox 51, Mozilla started to highlight HTTP pages containing
> password form fields as insecure [1]. This UI clearly and directly
> highlights the risk involved in communicating sensitive data over HTTP.
>
> I'd like to investigate ways that we can extend a similar UI to Tor
> Browser which highlight Bitcoin and onion addressed served over HTTP. I
> understand that implementing this type of Bitcoin and onion address
> detection would be less reliable than Firefox's password field
> detection. However even if unreliable it could increase safety and
> increase user awareness about the risks of non-secure transports.
>
> There is certainly significant design work that needs to be done to
> implement this feature. For example, .onion origins need be treated as
> secure, but only if they don't included resources from non-secure
> origins. We would also need to make the onion/bitcoin address detection
> reliable against active obfuscation attempts by malicious exits.
>
> https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

Search OnionGatherer on this list for ui stuff.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] ***SPAM*** Re: Proposition: Applying an AONT to Prop224 addresses?
Next by Author: [tor-dev] Circuit times
Previous by thread: Re: [tor-dev] Rethinking Bad Exit Defences: Highlighting insecure and sensitive content in Tor Browser
Next by thread: Re: [tor-dev] Rethinking Bad Exit Defences: Highlighting insecure and sensitive content in Tor Browser
Index(es):
- Author
- Thread