undefined | Better HN

0 pointsbauruine4y ago0 comments

The only attacks an exit alone can do is sniff all traffic and modify the traffic. There are constant checks done by the Torproject to detect bad exits that modify traffic but sniffing is not detectable of course. But both of those attacks are mitigated by https which most sites support nowadays. Firefox and therefore the Tor Browser also has an option to disable http. [0] And using an .onion service removes this attack vector also.

[0]: https://support.mozilla.org/en-US/kb/https-only-prefs

0 comments

8 comments · 2 top-level

michaelt4y ago· 5 in thread

> But both of those attacks are mitigated by https which most sites support nowadays.

Unfortunately, not as much as you might hope.

For good reasons, the Tor browser doesn't store your browsing history - so there's no 'recently visited sites', no address bar autocomplete, no cached redirects, no cached HSTS, and no colour-changed 'visited' links.

So if you're visiting a site that isn't HSTS-preloaded - for example bitcoinknots.org - you'd better remember to type in the https:// explicitly, as that's your sole protection against getting MITMed.

vageli4y ago

> So if you're visiting a site that isn't HSTS-preloaded - for example bitcoinknots.org - you'd better remember to type in the https:// explicitly, as that's your sole protection against getting MITMed.

>Tor Browser already comes with HTTPS Everywhere, NoScript, and other patches to protect your privacy and security.

https://www.torproject.org/download/

ryeights4y ago

Caveat: HTTPS Everywhere relies on a manual whitelist of HTTPS-enabled sites. If the website you’re visiting isn’t popular enough to be on their list, you’re out of luck.

michaelt4y ago

HTTPS Everywhere doesn't have a working rule for bitcoinknots.org

And more broadly, neither HSTS preloading or HTTPS Everywhere include a list of every single site on the internet.

1 more reply

aendruk4y ago

I’m surprised to hear it’s not just using the native HTTPS-only mode now.

rsync4y ago

"... you'd better remember to type in the https:// explicitly ..."

You should use a slug[1] if you need assurance that you’re staying on your vpn/protocol/exit.

It would be very simple to create a "tor only" network slug.

[1] https://john.kozubik.com/pub/NetworkSlug/tip.html

RL_Quine4y ago· 1 in thread

If they're not checking everything, any sort of non-general modification of traffic will obviously go completely unnoticed. The bad exit flag really is only ever going to catch the most obvious, ham fisted bad behaviour.

bauruineOP4y ago

You're correct this isn't really a solution but Tor Browser has already merged https only mode [0] so this should become less of an issue in the near future.

[0]: https://gitlab.torproject.org/tpo/applications/tor-browser/-...

j / k navigate · click thread line to collapse