Opened 3 years ago

Last modified 9 months ago

#19850 new enhancement

Disable Plaintext HTTP Clearnet Connections

Reported by: miserlou2
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-security, https-everywhere
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I think that the Tor Browser Bundle should aim to disable allowing connections to plaintext HTTP websites out of the box by the end of the year 2016.

Content injection into MITM'd clearnet HTTP connections is the number one security threat to Tor users. It's incredibly easy to do and I'm certain that it happens all the time. (You can reproduce this easily by going to http://example.com in the latest TBB. https://example.com is completely valid, but the connection to the plaintext version is made.)

Even without direct content injection, it's the obvious weak point in the overall privacy that Tor provides for a common TBB user.

It's 2016 - the vast majority of websites now serve pages over SSL. Thanks to projects like Let's Encrypt, it's now completely easy and free to run SSL out of the box with any important web server software package - there's really no excuse not to be running HTTPS.

Rather than making this change immediately, we could announce the intention to release the change by the end of the year, thereby giving any stragglers time to add SSL to their websites. We could look at how browsers like Chrome and Firefox degrade deprecated TLS ciphers in successive releases as an example - first a visual indication, then a confirmation warning, then a total block.

What do you think?

Child Tickets

Change History (4)

comment:1 Changed 3 years ago by f451022

what about HTTPS Everywhere?
https://www.eff.org/https-everywhere

comment:2 Changed 3 years ago by bugzilla

Keywords: tbb-security added; security https ssl removed
Version: Tor: 0.2.8.6

comment:3 in reply to: 1 Changed 21 months ago by cypherpunks

Replying to f451022:

what about HTTPS Everywhere?
https://www.eff.org/https-everywhere

It is not reliable. Should we really move this task to HTTPS Everywhere?

comment:4 Changed 9 months ago by traumschule

Keywords: https-everywhere added