[tor-dev] [Proposal] Obfuscating the Tor Browser Bundle initial download

David Fifield david at bamsoftware.com
Mon May 9 21:54:42 UTC 2016


On Mon, May 09, 2016 at 09:23:20PM +0000, William Waites wrote:
> 
> Blake Hadley <moosehadley at gmail.com> writes:
> >
> > The environment requires an HTTPS proxy to reach the World Wide Web.
> >
> > Do HTTP proxies inherently create a situation similar to MITM?
> 
> Yes, that is exactly what they do. If your web browser isn't nagging you
> all the time with "hey this certificate is untrusted" then a signing
> certificate will have had to be installed in your computer. This lets
> your employer decrypt all of your HTTPS traffic, inspect it, and
> reencrypt it. Unless you understand exactly what is happening and what
> to do about it, best to avoid using the Internet from there altogether.

Well, an "HTTPS proxy" doesn't have to be a TLS interception device.
When I think "HTTPS proxy", I think of an ordinary HTTP proxy using the
CONNECT method to support TLS. In that case, the proxy does not get to
see plaintext, which includes the path part of the URL. The proxy can
tell what domain name you are connecting to, but not what document you
are requesting.

In either case, there's no benefit to obfuscating the download names.
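
An added illustration of the CONNECT case described in the message above (it is not part of the original message, and the URL, host name and function names are constructed for the example): it builds the cleartext bytes a relaying, non-intercepting proxy receives for one HTTPS fetch, namely the CONNECT request and a real TLS ClientHello generated in memory, and reports the host name they expose and whether the URL path appears in them.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample URL (hypothetical host and file name).
URL = "https://downloads.example.com/bundle/constructed-file.tar.xz"

def connect_request(url):
    """Plaintext request the client sends to the HTTP proxy before any TLS."""
    u = urlsplit(url)
    target = f"{u.hostname}:{u.port or 443}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()

def client_hello(hostname):
    """First TLS flight (ClientHello), generated in memory by the ssl module."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()

def sni_from_client_hello(rec):
    """Extract the server_name extension from a single-record ClientHello."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                                   # headers, version, random
    pos += 1 + rec[pos]                                    # session id
    pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")     # cipher suites
    pos += 1 + rec[pos]                                    # compression methods
    end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(rec[pos:pos + 2], "big")
        ext_len = int.from_bytes(rec[pos + 2:pos + 4], "big")
        if ext_type == 0:                                  # server_name
            name_len = int.from_bytes(rec[pos + 7:pos + 9], "big")
            return rec[pos + 9:pos + 9 + name_len].decode()
        pos += 4 + ext_len
    return None

def proxy_view(url):
    """What a relaying (non-intercepting) CONNECT proxy can read in cleartext."""
    u = urlsplit(url)
    hello = client_hello(u.hostname)
    seen = connect_request(url) + hello
    # The GET line carrying u.path is sent only as TLS application data after
    # the handshake, so it is never part of these cleartext bytes.
    return {"connect_target": seen.split()[1].decode(),
            "sni": sni_from_client_hello(hello),
            "path_in_cleartext": u.path.encode() in seen}
```

Calling `proxy_view(URL)` returns the CONNECT target, the SNI host name and a flag showing that the path is absent from the cleartext.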

