[tor-talk] How secure is check.torproject.org?

Moritz Bartl moritz at torservers.net
Sat Nov 23 00:54:24 UTC 2013

On 11/22/2013 10:35 PM, Katya Titov wrote:
> The advantage that I see is that there is no way to directly access
> a .onion site without using Tor, so it is a clear indicator that Tor is
> in use, visible to the user.

TBB 3.0 works under the assumption that it can either access websites
and is thus properly using Tor, or Tor is not working and access to any
website fails. I am not totally sure, but I bet the TBB team has added
patches that make this a valid assumption.

>> If I remember correctly the certificate for check.torproject.org is
>> pinned in TBB, so using a hidden service instead does not add any
>> security benefits.
> If you have more information about this then I would love to see it. I
> didn't realise pinning was implemented in FF, other than by removing all
> CA certificates and adding server certificates individually.

This is the case for stock Firefox -- and I still don't understand why
it is not a high enough priority. I don't know for sure, but I just
assume Mike has added a patch that pins at least the check.tpo cert. I
may be wrong.

Moritz Bartl

