Opened 7 years ago

Closed 3 years ago

#6098 closed enhancement (wontfix)

Add a hidden service to check.torproject.org

Reported by: proper
Owned by:
Priority: Medium
Milestone:
Component: Applications/Tor Check
Version:
Severity: Normal
Keywords:
Cc: mikeperry, proper, phobos, nickm, runa
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

TorBrowser gets its version information from https://check.torproject.org/RecommendedTBBVersions and https://check.torproject.org/ is TBB's homepage.

For an adversary, it is a given that every user of Tor Browser will visit that page. It must be too tempting to MITM that site and to spread some malicious content.

The SSL certificate authority system was recently compromised and is flawed by design. I suggest making check.torproject.org accessible through a hidden service.

Child Tickets

Change History (8)

comment:1 Changed 7 years ago by proper

Type: defect → enhancement

Actually it's an enhancement.

comment:2 Changed 7 years ago by arma

We could make it accessible, but we should not make it the default way that TBB users get there. It's too much of a performance bottleneck as it is.

To address your CA concern, we could pin the CA for check.torproject.org in TBB.

Really, using a remote website like this is only a stopgap measure until we get Thandy going. Which we've been saying for a long time now, but the more we get distracted by, the longer it will be.

comment:3 Changed 7 years ago by phobos

Priority: critical → normal

We would likely have to change the tordnsel and check codebases to look for connections from localhost or via the hidden service. The real plan is to get rid of both and figure out how to get the client to verify itself without hitting a single service somewhere on the Internet.

comment:4 in reply to: 2 Changed 7 years ago by phobos

Replying to arma:

> To address your CA concern, we could pin the CA for check.torproject.org in TBB.

The cert itself is already pinned in Chrome and Firefox.

comment:5 in reply to: 3 Changed 7 years ago by proper

Replying to phobos:

> We would likely have to change the tordnsel and check codebases to look for connections from localhost or via the hidden service. The real plan is to get rid of both and figure out how to get the client to verify itself without hitting a single service somewhere on the Internet.

Which ticket is that?

Replying to phobos:

> Replying to arma:
>
> > To address your CA concern, we could pin the CA for check.torproject.org in TBB.
>
> The cert itself is already pinned in Chrome and Firefox.

Mike said they are not pinned in Firefox.

And they are not pinned in Tor Browser.

https://trac.torproject.org/projects/tor/ticket/3555

comment:6 in reply to: 5 Changed 7 years ago by runa

Cc: runa added

Replying to proper:

> Mike said they are not pinned in Firefox.

Firefox does not pin certs, but does enforce HSTS for *.torproject.org in Firefox Beta. I'd like to see us pin the cert in the Tor Browser, if possible.
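The key pinning proposed in this thread, as an added example that is not Tor Browser or Tor Check code: the pin is a hash of the server's SubjectPublicKeyInfo, so a certificate for check.torproject.org issued by a compromised CA under a different key fails the check even though it chains to a trusted root. The pin set and the two self-signed fixture certificates are constructed here for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// PinSet maps a hostname to the SPKI hashes a client accepts for it (constructed example data).
type PinSet map[string][]string

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the HPKP pin format: it binds the key, not the CA.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPin reports whether leaf carries a key pinned for host; hosts without pins are unconstrained.
func VerifyPin(pins PinSet, host string, leaf *x509.Certificate) bool {
	want, pinned := pins[host]
	return !pinned || slices.Contains(want, SPKIPin(leaf))
}

// SelfSigned mints a throwaway self-signed cert with a fresh key so the example runs offline.
func SelfSigned() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	legit, _ := SelfSigned()
	rogue, _ := SelfSigned() // different key: stands in for a cert mis-issued by a compromised CA
	pins := PinSet{"check.torproject.org": {SPKIPin(legit)}}
	fmt.Println(VerifyPin(pins, "check.torproject.org", legit), VerifyPin(pins, "check.torproject.org", rogue)) // true false
}
```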

comment:7 in reply to: 3 Changed 6 years ago by arlolra

> We would likely have to change the tordnsel and check codebases to look for connections from localhost or via the hidden service.

This is done. Setting up a hidden service should now be possible.

comment:8 Changed 3 years ago by arlolra

Resolution: wontfix
Severity: Normal
Status: new → closed

> TorBrowser gets its version information from https://check.torproject.org/RecommendedTBBVersions and https://check.torproject.org/ is TBB's homepage.

Neither of these are the case anymore.
