[tbb-bugs] #13747 [Tor Browser]: Block Mixed Content on .onion Addresses
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 13 00:44:35 UTC 2014
#13747: Block Mixed Content on .onion Addresses
-------------------------+--------------------------
Reporter: legind | Owner: tbb-team
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------+--------------------------
The .onion URL for a given THS instance is a fingerprint of the public
key, thus ensuring authenticity of the service. For this reason, some
assume the same security assurances for .onion addresses as they would for
https, with the added assurances that hidden services provide. For
instance, the major browsers have chosen to not load http resources when
accessing an https site, blocking mixed content. However, there is no
protection against mixed content being loaded in the TBB for .onion
addresses when they include resources from http URLs. For any .onion URL
which includes http resources, an attacker controlling an exit node could
perform a man-in-the-middle attack, providing malicious JavaScript which
modifies the content of the DOM.

One would hope that an http THS would never include remote resources from
an http site if they would like to protect their users. In fact, one
would hope that a THS would never load any resources at all from a source
they do not control. But this is no guarantee that they won't. It seems
like a good security measure to disallow http resources from being loaded
in TBB.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13747>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
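The policy the ticket proposes, written out as an added example (not Tor Browser code): a subresource check that treats a .onion document like an https one and blocks plaintext http loads from it. It goes one step beyond the ticket by assuming that http://*.onion subresources never leave the Tor network, so they are not exposed to an exit node; `isAuthenticatedOrigin` and `checkSubresource` are hypothetical names.

```javascript
// Added example of a mixed-content check for .onion documents.
// Relies only on the WHATWG URL parser (global `URL` in browsers and Node.js).

// Hypothetical helper: is this origin authenticated end to end?
// https: via the certificate chain; .onion: the address is itself a
// fingerprint of the hidden service's public key.
function isAuthenticatedOrigin(url) {
  const u = new URL(url);
  if (u.protocol === 'https:') return true;
  return u.protocol === 'http:' && u.hostname.endsWith('.onion');
}

// Decide whether loading `resourceUrl` from a document at `pageUrl` is
// mixed content that should be blocked. Relative references are resolved
// against the page, as a browser would do for <script src="/x.js">.
function checkSubresource(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page.href);

  if (!isAuthenticatedOrigin(page.href)) {
    return { block: false, reason: 'page is not an authenticated origin' };
  }
  if (res.protocol !== 'http:') {
    // https, data:, blob: etc. are not plaintext over an exit node.
    return { block: false, reason: 'resource is not plaintext http' };
  }
  // Assumption (not in the ticket): a plaintext request to a .onion host
  // is routed inside the Tor network and never reaches an exit node.
  if (res.hostname.endsWith('.onion')) {
    return { block: false, reason: 'http to a .onion host does not traverse an exit' };
  }
  return {
    block: true,
    reason: 'plaintext http resource ' + res.href + ' on authenticated page ' + page.origin,
  };
}
```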