[mimi89999]

Why is this an issue? Most websites support HTTPS. It should be required and impossible to disable. Other malicious actors could also be running such attacks even at a much smaller scale.

[FatalLogic]

In this case, I think if the user makes an HTTP connection to a site, even if the site is HTTPS only, the attacker can intercept it, and man-in-the-middle it or pose as the legitimate site

edit: and, the reason it's an issue is not because these systems and networks don't have strong secure communication options available, but because if there is any potential security hole at all, some users will fall into it

[cyphar]

Which is a problem that HSTS and the HSTS preload list[1] solve.

[1]: https://hstspreload.org/

[remram]

Can you get a tor hidden service in the preload list?

[cyphar]

The HSTS preload checking service doesn't support .onion URLs (not to mention you can only get EV certificates for .onion URLs).

However, Tor onion services cannot be MITM'd by an exit node, because you don't use exit nodes and the connection is end-to-end encrypted (and authenticated -- the URL is also the public key of the hidden service so you'd need their key to spoof the service). So arguably .onion URLs are far harder to attack in this manner than TLS, and the HSTS preload list isn't needed at all to protect .onion URLs.

[crtasm]

I don't know, but your connection to a .onion service is encrypted before leaving your machine (no nodes see plain HTTP traffic). It's also authenticated as the domain is derived from the public half of the keypair.

[mrslave]

Good explanation.

Firefox has had `dom.security.https_only_mode` for a while and it's amazing.

[sabellito]

How would that work? To my understanding https prevents mitm attacks.

[thrwaeasddsaf]

That assumes you're using https in the first place. Try enter openbsd.org in your browser and see whether you get the https site or not.

[crtasm]

I get the HTTPS site, thanks to the HTTPS Everywhere extension.

[batch12]

There are a few ways one could perform this attack. SSL stripping would be the most transparent. The attacker could also proxy SSL with a different cert. If the cert was invalid the victim would at least be warned. HSTS should mitigate this threat.

[wizzwizz4]

It does. But it doesn't protect against:

User → HTTP connection → [INTERCEPTION] → HTTPS connection → website.

[mimi89999]

Doesn't HTTPS Everywhere solve this problem?

[michaelt]

> Why is this an issue? Most websites support HTTPS.

Tor Browser and TAILS try not to keep any trace of the websites you've visited.

That means no 'frequently visited sites' start page, no bookmarks, no address bar autocomplete from history, and no HSTS unless it's preloaded.

So if a tor user visits bitcoin-mixer.com there's a good chance they'll be typing the address in manually - and a good chance they'll omit the https:// at the start.

(Also, a great many bitcoin mixers, for some inexplicable reason, don't get themselves HSTS preloaded)

[em-bee]

the attackers are intercepting the initial request which is a plain text tcp packet containing the https url. that https is then stripped from the url, turning the url into a plain http request.

i think the only way to prevent that from working is if the websites outright reject http requests.

[hartator]

You only one or two to not notice the http instead of https to make it a profitable attack.