[tor-talk] How secure is check.torproject.org?

Katya Titov kattitov at yandex.com
Fri Nov 22 21:35:54 UTC 2013


Moritz Bartl:
> On 11/22/2013 05:49 PM, Ed Fletcher wrote:
>> This is something that I have also wondered about.  Why go outside
>> of the Tor network to check that you're using Tor?
> 
> A hidden service adds extra hops to hide the (location of the)
> service. There's some movement towards allowing services within the
> Tor network to be just that, not hidden, removing the additional
> hops. I don't use hidden services much, but they definitely are less
> reliable than "regular" Tor use, and using hidden services adds
> extra/unnecessary load to the network.

The advantage that I see is that there is no way to directly access
a .onion site without using Tor, so it is a clear indicator that Tor is
in use, visible to the user.

> If I remember correctly the certificate for check.torproject.org is
> pinned in TBB, so using a hidden service instead does not add any
> security benefits.

If you have more information about this then I would love to see it. I
didn't realise pinning was implemented in FF, other than by removing all
CA certificates and adding server certificates individually.
-- 
kat

