Tor is not anonymous if the relays and hidden service work together. Given the cost of hosting and the significant funding put into this by the U.S. it's just a matter of probability before the deanon cannon aligns to a user.
Why is this an issue? Most websites support HTTPS. It should be required and impossible to disable. Other malicious actors could also be running such attacks even at a much smaller scale.
In this case, I think if the user makes an HTTP connection to a site, even if the site is HTTPS only, the attacker can intercept it, and man-in-the-middle it or pose as the legitimate site
edit: and, the reason it's an issue is not because these systems and networks don't have strong secure communication options available, but because if there is any potential security hole at all, some users will fall into it
The HSTS preload checking service doesn't support .onion URLs (not to mention you can only get EV certificates for .onion URLs).
However, Tor onion services cannot be MITM'd by an exit node, because you don't use exit nodes and the connection is end-to-end encrypted (and authenticated -- the URL is also the public key of the hidden service so you'd need their key to spoof the service). So arguably .onion URLs are far harder to attack in this manner than TLS, and the HSTS preload list isn't needed at all to protect .onion URLs.
I don't know, but your connection to a .onion service is encrypted before leaving your machine (no nodes see plain HTTP traffic). It's also authenticated as the domain is derived from the public half of the keypair.
There are a few ways one could perform this attack. SSL stripping would be the most transparent. The attacker could also proxy SSL with a different cert. If the cert was invalid the victim would at least be warned. HSTS should mitigate this threat.
> Why is this an issue? Most websites support HTTPS.
Tor Browser and TAILS try not to keep any trace of the websites you've visited.
That means no 'frequently visited sites' start page, no bookmarks, no address bar autocomplete from history, and no HSTS unless it's preloaded.
So if a tor user visits bitcoin-mixer.com there's a good chance they'll be typing the address in manually - and a good chance they'll omit the https:// at the start.
(Also, a great many bitcoin mixers, for some inexplicable reason, don't get themselves HSTS preloaded)
the attackers are intercepting the initial request which is a plain text tcp packet containing the https url. that https is then stripped from the url, turning the url into a plain http request.
i think the only way to prevent that from working is if the websites outright reject http requests.
The pattern is that their reviewers are really bad and the appeal process is almost nonexistent. Improving the quality would probably be a huge cost and they have no real reason to do that.
The point is that if browsers block the cert it will make the MITM impossible without them releasing thieir own browser. It will be much more clear for normal uaers that the custom browser can intercept internet traffic than that "security certificate". Also good luck getting that browser into the AppStore and PlayStore or making users install the apk.
The donations go for Mozilla’s other projects, not directly to Firefox developments. As far as I know there is no way to donate directly to Firefox development.
