Misleading Help
In your Tor Browser User Manual under Onion Services you state:
"All traffic between Tor users and onion services is end-to-end encrypted, so you do not need to worry about connecting over HTTPS."
-
This is completely FALSE! The exit node to the user is clear text and all usernames and passwords are visible to the exit node. It is surprising that some of you do not know about this problem. HTTPS should be encouraged. It is common for governments to run several Tor nodes and to monitor communication when they are the exit node. You can find details about the problem in the link below and also from several other sources.
-
Using HTTPS from an onion service with a self-signed certificate should be permitted without all the ridiculous messages by Tor Browser when establishing a connection. Tor onion addresses are inherently certified because it is statistically impossible to impersonate a correctly addressed onion site. The correction should advise the user and import the certificate as a default, not as an exception. This way you will encourage safe usage by both browser user and onion service provider. For non-onion sites the existing code is fine.
I hope to see these corrections in a future update.
Thank you.
Please see the following article and forward it to others in your group who are not informed about the weaknesses of using Tor without HTTPS.
https://en.wikipedia.org/wiki/Onion_routing
Exit node vulnerability
Although the message being sent is transmitted inside several layers of encryption, the job of the exit node, as the final node in the chain, is to decrypt the final layer and deliver the message to the recipient. A compromised exit node is thus able to acquire the raw data being transmitted, potentially including passwords, private messages, bank account numbers, and other forms of personal information. Dan Egerstad, a Swedish researcher, used such an attack to collect the passwords of over 100 email accounts related to foreign embassies.
Trac:
Username: RogerMont
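The exit-node behaviour described in the quoted Wikipedia passage, as an added example that is not part of this ticket or of Tor's own code: it models a three-hop circuit to a regular (non-onion) web server reached through an exit relay, which is the case the quoted passage describes. The hop keys, the sample login request and the HMAC-based stream cipher are constructed stand-ins for Tor's handshake-derived keys and AES-CTR layers, and the "end-to-end" layer stands in for TLS; none of these are Tor's real formats. Each relay strips only its own layer, so the exit holds whatever the client put underneath the onion layers.

```python
import hashlib
import hmac

# Constructed sample: a plaintext HTTP login request the Tor client wants to
# send to a regular (non-onion) web server reached through an exit relay.
HTTP_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice&password=hunter2"
)

HOPS = ["guard", "middle", "exit"]  # circuit order, client -> exit


def hop_key(name: str) -> bytes:
    """Toy per-hop key. In Tor each hop key comes from a circuit handshake;
    here keys are derived from fixed labels so the example runs offline."""
    return hashlib.sha256(b"toy-hop-key:" + name.encode()).digest()


# Stands in for a TLS session key shared between client and web server only.
E2E_KEY = hashlib.sha256(b"toy-end-to-end-key").digest()


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter-mode keystream.

    XOR is its own inverse, so the same call both encrypts and decrypts.
    This stands in for Tor's per-hop AES-CTR layers; not a production cipher.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(payload: bytes) -> bytes:
    """Client side: wrap the payload in one layer per hop, exit's layer innermost."""
    cell = payload
    for hop in reversed(HOPS):
        cell = keystream_xor(hop_key(hop), hop.encode(), cell)
    return cell


def relay_forward(onion: bytes) -> dict:
    """Relay side: each hop strips only its own layer and forwards the rest.

    Returns what each relay holds after stripping its layer, i.e. what a
    compromised relay at that position could log.
    """
    seen = {}
    cell = onion
    for hop in HOPS:
        cell = keystream_xor(hop_key(hop), hop.encode(), cell)
        seen[hop] = cell
    return seen


def exit_view(end_to_end: bool) -> bytes:
    """What the exit relay holds after peeling its layer, with or without an
    application-layer (TLS-like) encryption underneath the onion layers."""
    payload = HTTP_REQUEST
    if end_to_end:
        payload = keystream_xor(E2E_KEY, b"e2e", payload)
    return relay_forward(build_onion(payload))["exit"]


def exit_sees_password(end_to_end: bool) -> bool:
    """True if the credentials are readable at the exit relay."""
    return b"password=hunter2" in exit_view(end_to_end)


def destination_reads(end_to_end: bool) -> bytes:
    """The web server removes the end-to-end layer (if any) and gets the request."""
    data = exit_view(end_to_end)
    return keystream_xor(E2E_KEY, b"e2e", data) if end_to_end else data


if __name__ == "__main__":
    for e2e in (False, True):
        print(f"end-to-end layer present: {e2e}")
        print("  exit relay sees password:", exit_sees_password(e2e))
        print("  server reads request intact:", destination_reads(e2e) == HTTP_REQUEST)
```

Without the end-to-end layer the exit relay's view is the raw login request, credentials included; with it, the exit holds only ciphertext and the web server still recovers the request. The guard and middle relays see ciphertext in both cases, since the exit's layer is still on top of the payload when they forward it.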