Opened 2 years ago

Closed 2 years ago

#26274 closed defect (implemented)

Deprecate check.tpo and move that functionality to the client

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Right now, every time Tor browser starts up, it loads the same page. This is a risk for a huge watering hole attack. Compromising that one subdomain and serving an exploit will reliably compromise ~100% of Tor users. This would only take a single rogue CA (due to HPKP going away), and the compromise of one of any number of registrars. If the check is done locally client-side, such an exploit would be significantly more difficult and would have to exploit the a simple API.

Unlike the automatic updater which verifies a signature, the only signature relied upon by check.tpo is the TLS certificate. The web PKI is not ideal for protecting a single centralized page that is automatically opened by every Tor user, and only by Tor users.

Child Tickets

Change History (2)

comment:1 Changed 2 years ago by cypherpunks

Right now, every time Tor browser starts up, it loads the same page.

It fires up about:tor and not

comment:2 Changed 2 years ago by sysrqb

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team
Resolution: implemented
Status: newclosed

Right. Tor Browser does not load at startup by default. about:tor is the default homepage and it is a local page. The attack, as described, seems very difficult.

See #7494

Note: See TracTickets for help on using tickets.