Opened 4 years ago

Closed 4 years ago

#14097 closed defect (fixed)

check.torproject.org is available over http

Reported by: colons
Owned by: Sebastian
Priority: Low
Milestone:
Component: Webpages/Website
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I think it should redirect to https, although I honestly can't immediately think of anything useful you could achieve by MITMing it and lying to someone south of you.

If someone is just typing 'check.torproject.org' behind someone who wants to wrongly convince them that they are or are not using tor, it doesn't really matter if the actual site is served over http or not; they can just not serve the redirect that you do. If someone bookmarks it, though, they start to be vulnerable.

Might be intentional, though; do you suspect there are scripts that don't support https hitting it?

Change History (1)

comment:1 Changed 4 years ago by Sebastian

Resolution: fixed
Status: new → closed
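
The ticket's point about redirects and bookmarks can be checked mechanically. The following is an added example, not code from the ticket or from the Tor Project: it audits a host's plain-HTTP and HTTPS response heads for a same-host https redirect and, going one step beyond the ticket, for an HSTS header, which is what keeps a bookmarked http URL from ever being requested in the clear. The response bytes are constructed samples, not captures from the real site.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw: bytes):
    """Return (status_code, headers) from a raw HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(headers) -> int:
    """Seconds of HSTS pinning announced; 0 if absent or malformed."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"'))
    return 0

def audit(host: str, http_raw: bytes, https_raw: bytes) -> list:
    """List findings for the plain-HTTP and HTTPS responses of one host."""
    findings = []
    status, headers = parse_response(http_raw)
    target = urlsplit(headers.get("location", ""))
    if status not in REDIRECT_CODES:
        findings.append("http: content served without redirect")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("http: redirect does not go to https on the same host")
    _, tls_headers = parse_response(https_raw)
    if hsts_max_age(tls_headers) == 0:
        findings.append("https: no HSTS, bookmarked http URLs stay exposed")
    return findings

# Constructed sample response heads (not captured from the real site).
HTTP_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
HTTP_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: https://check.torproject.org/\r\n\r\n")
HTTPS_NO_HSTS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
HTTPS_HSTS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000\r\n\r\n<html>")

if __name__ == "__main__":
    print(audit("check.torproject.org", HTTP_PLAIN, HTTPS_NO_HSTS))
    print(audit("check.torproject.org", HTTP_REDIRECT, HTTPS_HSTS))
```
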