[tor-talk] How secure is check.torproject.org?

Katya Titov kattitov at yandex.com
Sat Nov 23 08:04:54 UTC 2013


Roger:
> On Sat, Nov 23, 2013 at 07:35:54AM +1000, Katya Titov wrote:
>> The advantage that I see is that is there is no way to directly
>> access a .onion site without using Tor, so it is a clear indicator
>> that Tor is in use, visible to the user.
> 
> Not necessarily. Imagine a local network attacker who sees your
> request for a .onion address go out on the local network, and then
> supplies you with a DNS answer and then a webpage when you ask for
> one. Now you're not using Tor, but you think you are.

But if we're talking about TBB then a local network attacker should
never see the request, just the resultant Tor traffic. Unless my
understanding is very off.

> Now, it's harder for them to do that with
> https://check.torproject.org/ because of the https part, but the
> attacker could just recognize requests for check and route them
> through Tor, so the check page will congratulate you on using Tor
> when you're mostly not.
> 
> The correct answer is for TBB to do some self-tests of its proxy
> settings, and not ask the big bad scary internet.

I certainly agree here, but I'm also a visual person. I use the Network
Map a lot to see that the traffic is passing through Tor. (This is one
of my issues with the 3.0 series - no Network Map. I've had a look at
writing FF plugins but they seem beyond my ability, or at least require
more time than I have available at the moment.) I guess that some way to
internally ensure that it is indeed using Tor as well as a visual cue
would be nice.
-- 
kat


More information about the tor-talk mailing list