Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#15820 closed enhancement (implemented)

'Check' site should have the YES/NO answer in the title + 2 other improvement suggestions

Reported by: yurivict271 Owned by: arlolra
Priority: Medium Milestone:
Component: Applications/Tor Check Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Currently title always has the question "Are you using Tor?"

It is very cheap and easy to make it much more informative by putting and answer there:

  • YES, You are using Tor


  • NO, You are not using Tor

This will be great for people who are on slow connections and have to wait for many seconds for an answer, so they can switch to another page and still see the answer.

Additionally, for people with JavaScript enabled, you can also easily switch favicon to red one when the answer is NO, as a safety feature to catch attention more easily:

(function() {
    var link = document.createElement('link');
    link.type = 'image/x-icon';
    link.rel = 'shortcut icon';
    link.href = '';

Additionally, again for people with JavaScript enabled, you can add the ability to automatically recheck every minute for an hour. When JavaScript is enabled, you don't need to reload the whole page, instead you can just fetch the boolean answer to save bandwidth, and then switch the page dynamically. So it will probably consume only 2 times the bandwidth, not 60 times, when it will update 60 times.

Child Tickets

Change History (9)

comment:1 Changed 5 years ago by arlolra

Resolution: implemented
Status: newclosed

Thanks for reporting.

I've implemented a few of your suggestions in,

We're now serving a different favicon in a link element (<link rel="icon" type="image/x-icon" href="" />) based on the result, which doesn't require client-side js.

And the title text is now the familiar "Congratulations. This browser is configured to use Tor." I know that's not exactly what you're requesting, but hopefully it'll suffice. The bonus being that it's consistent with the page and already available in all the translated languages.

I'm less convinced about the third one. People should be using Tor Browser, not relying on check to tell if they're using tor or not.

comment:2 Changed 5 years ago by yurivict271

I'm less convinced about the third one. People should be using Tor Browser, not relying on check to tell if they're using tor or not.

This is just a wild idea. Not everyone is using the tor browser. Some may rely on Tails, where you can probably run the regular browser, some rely on Whonix, and some on Qubes, or other sort of virtual machines. Since setup can be complex, and security is important, the third idea was meant to be an easy assurance for such people. Assurance is always good, makes people more certain that things are the way they are supposed to be.

comment:3 Changed 5 years ago by arlolra

I suppose. There's also the tradeoff that we'll need to deliver both the additional js and content strings to display if the state changes. That'll bloat everyone's payload for the small minority of people using check in the scenarios you've described. It won't be much, but think about the slow connections you've described above.

comment:4 Changed 5 years ago by yurivict271

No, this isn't much.
Html only gets these lines:

  <script src="jquery.js"></script>
  <script src="reload.js"></script>
  <script>$(document).ready(function() {reloadAfterTimeout(60)})</script>

And separate reload.js might look like this:

  function reloadAfterTimeout(cnt) {
    setTimeout(function() {
        url: "check",
        context: document.body,
        success: function(json) {
          // update document with the current TOR status
          $('#yesNoText').innerHTML = json[0] ? "You are using TOR" : "You are not using TOR"
          document.title = json[0] ? "You are using TOR" : "You are not using TOR"
          $('#favicon_link')[0].href = json[0] ? 'favicon-success.ico' : 'favicon-not-tor.ico'
          // resubmit
          if (cnt > 0)
    }, 60000)

It will only be loaded when the user has JavaScript enabled.
Json response will be one of these:

* [true]
* [false]

The JavaScript use in itself in general isn't the security threat. Tor browser usually disables it just in case.

Last edited 5 years ago by yurivict271 (previous) (diff)

comment:5 Changed 5 years ago by yurivict271

By the way, it is beneficial to have the URL like this: http://check.torproject.orig/check that will only return JSON true or false. People who just want to check this boolean value can use it.

comment:7 Changed 5 years ago by yurivict271

yes :)

comment:8 Changed 5 years ago by arlolra

You're right that adding external scripts to the page isn't going to significantly increase the size. Good point. Though, you'd need to include them at the bottom so that the browser doesn't try to load them in parallel. Modern browsers parse the html on the fly and to try and fetch external resources early.

An easy option might be to just make XMLHttpRequests to that API endpoint and determine if there's been a state change. If so, do a window.location.reload().

However, something we need to think about is how does an adversary use the knowledge that you're making a request to check each minute to their advantage. We could randomize the timeout interval, but even in that, I'm still skeptical.

comment:9 Changed 5 years ago by yurivict271

All good points!

Note: See TracTickets for help on using tickets.