[tbb-bugs] #13747 [Tor Browser]: Block Mixed Content on .onion Addresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 13 00:44:35 UTC 2014

#13747: Block Mixed Content on .onion Addresses
 Reporter:  legind       |          Owner:  tbb-team
     Type:  enhancement  |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 The .onion URL for a given THS instance is a fingerprint of the public
 key, thus ensuring authenticity of the service.  For this reason, some
 assume the same security assurances for .onion addresses as they would for
 https, with the added assurances that hidden services provide.  For
 instance, the major browsers have chosen to not load http resources when
 accessing an https site, blocking mixed content.  However, there is no
 protection against mixed content being loaded in the TBB for .onion
 addresses when they include resources from http URLs.  For any .onion URL
 which includes http resources, an attacker controlling an exit node could
 perform a Man in the Middle attack, providing malicious javascript which
 modifies the content of the DOM.

 One would hope that an http THS would never include remote resources from
 an http site if they would like to protect their users.  In fact, one
 would hope that a THS would never load any resources at all from a source
 they do not control.  But this is no guarantee that they won't.  It seems
 like a good security measure to disallow http resources from being loaded
 in TBB.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13747>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list