[tor-talk] How secure is check.torproject.org?

Roger Dingledine arma at mit.edu
Sat Nov 23 05:20:31 UTC 2013


On Sat, Nov 23, 2013 at 07:35:54AM +1000, Katya Titov wrote:
> The advantage that I see is that is there is no way to directly access
> a .onion site without using Tor, so it is a clear indicator that Tor is
> in use, visible to the user.

Not necessarily. Imagine a local network attacker who sees your request
for a .onion address go out on the local network, and then supplies you
with a DNS answer and then a webpage when you ask for one. Now you're
not using Tor, but you think you are.

Now, it's harder for them to do that with https://check.torproject.org/
because of the https part, but the attacker could just recognize requests
for check and route them through Tor, so the check page will congratulate
you on using Tor when you're mostly not.

The correct answer is for TBB to do some self-tests of its proxy settings,
and not ask the big bad scary internet.

--Roger



More information about the tor-talk mailing list