A Tor Web Service For Verifying Correct Browser Configuration

Jens Kubieziel maillist at kubieziel.de
Sun Mar 23 15:45:57 UTC 2008


* Robert Hogan wrote on 2008-03-16 at 21:25:
>   3. Tor Connectivity Test Image
> 
>   <IMG src="http://torproject.org/[uniquesessionid]-torlogo.jpg" alt="If you

I would suggest using HTTPS here. Assuming Alice has a misconfigured
Tor-Software and Mallory wants to trick her. He can set up a DNS
wildcard and redirect the traffic from point 1 to his servers. They send
the appropriate image. He redirects
http://www.torproject.org/[uniquesessionid].jpg to the appropriate image
and does this also with the above image. So Alice sees a website which
basically tells her that everything is fine.

When the last point uses HTTPS, Mallory can use some MITM, but normally
Alice's browser should tell her that something isn't going well here.

Best regards

-- 
Jens Kubieziel                                   http://www.kubieziel.de
FdI#212: Qualified support
A culprit can be named. (Martin Schmitt)
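
An added example, not part of the original message or of any Tor project code: a small audit of a check page that flags probe images fetched without HTTPS, which is the case the message above says a DNS redirect can answer in the real server's place. The trusted-host list, the sample page and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy: hosts the check page may load probe images from.
TRUSTED_HOSTS = {"torproject.org", "www.torproject.org"}

# Constructed sample page; [uniquesessionid] is the placeholder used in the thread.
SAMPLE_PAGE = """
<html><body>
<IMG src="http://torproject.org/[uniquesessionid]-torlogo.jpg" alt="probe 1">
<img src="https://www.torproject.org/[uniquesessionid].jpg" alt="probe 2">
<img src="https://check.example.net/[uniquesessionid].jpg" alt="probe 3">
</body></html>
"""

class ProbeCollector(HTMLParser):
    """Collects the src attribute of every <img> tag on the page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_probe(url):
    """Classify one probe URL by whether the server answering it is authenticated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        # Plain HTTP: whoever controls DNS or the path can serve the image.
        return "unauthenticated"
    if host not in TRUSTED_HOSTS:
        # HTTPS, but the certificate would vouch for some other party.
        return "untrusted-host"
    return "ok"

def audit_page(html):
    """Return (src, verdict) for every image probe found in the page."""
    collector = ProbeCollector()
    collector.feed(html)
    collector.close()
    return [(src, audit_probe(src)) for src in collector.sources]

if __name__ == "__main__":
    for src, verdict in audit_page(SAMPLE_PAGE):
        print(f"{verdict:16} {src}")
```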