[tor-bugs] #26274 [- Select a component]: Deprecate check.tpo and move that functionality to the client
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jun 2 22:14:53 UTC 2018
#26274: Deprecate check.tpo and move that functionality to the client
--------------------------------------+--------------------
Reporter: cypherpunks | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+--------------------
Right now, every time Tor browser starts up, it loads the same page. This
is a risk for a huge watering hole attack. Compromising that one subdomain
and serving an exploit will reliably compromise ~100% of Tor users. This
would only take a single rogue CA (due to HPKP going away), and the
compromise of one of any number of registrars. If the check is done
locally client-side, such an exploit would be significantly more difficult
and would have to exploit the a simple API.
Unlike the automatic updater which verifies a signature, the only
signature relied upon by check.tpo is the TLS certificate. The web PKI is
not ideal for protecting a single centralized page that is automatically
opened by every Tor user, and only by Tor users.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26274>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list