[tor-bugs] #24922 [- Select a component]: Misleading Help

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 17 15:27:39 UTC 2018


#24922: Misleading Help
-------------------------------------+-------------------------------------
     Reporter:  RogerMont            |      Owner:  (none)
         Type:  defect               |     Status:  new
     Priority:  Medium               |  Milestone:
    Component:  - Select a           |    Version:
  component                          |   Keywords:  HTTPS,  Self-Signed
     Severity:  Normal               |  Certificates
Actual Points:                       |  Parent ID:
       Points:                       |   Reviewer:
      Sponsor:                       |
-------------------------------------+-------------------------------------
 In your Tor Browser User Manual under Onion Services you state:

 "All traffic between Tor users and onion services is end-to-end encrypted,
 so you do not need to worry about connecting over HTTPS. "


 1.  This is completely FALSE!  The exit node to the user is Clear Text and
 all usernames and passwords are visible to the exit node.  It is
 surprising that some of you do not know about this problem.  HTTPS should
 be encouraged.  It is common for governments to run several tor nodes and
 to monitor communication when they are the exit node.  You can find
 details about the problem in the link below and also from several other
 sources.

 2.  Using HTTPS from an onion service with a self-signed certificate
 should be permitted without all the ridiculous messages by the tor browser
 when establishing a connection.  Tor onion addresses are inherently
 certified because it is statistically impossible to impersonate a
 correctly addressed onion site.  The correction should advise the user and
 import the certificate as a default, not as an exception.  This way you
 will encourage safe usage by both browser user and onion service provider.
 For non-onion sites the existing code is fine.

 I hope to see these corrections in a future update.

 Thank you.


 Please see the following article and forward it to others in your group
 who are not informed about the weaknesses of using Tor without HTTPS.


 https://en.wikipedia.org/wiki/Onion_routing

 Exit node vulnerability[edit]

 Although the message being sent is transmitted inside several layers of
 encryption, the job of the exit node, as the final node in the chain, is
 to decrypt the final layer and deliver the message to the recipient. A
 compromised exit node is thus able to acquire the raw data being
 transmitted, potentially including passwords, private messages, bank
 account numbers, and other forms of personal information. Dan Egerstad, a
 Swedish researcher, used such an attack to collect the passwords of over
 100 email accounts related to foreign embassies

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24922>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list