On Tue, Mar 28, 2017 at 11:31 AM, Donncha O'Cearbhaill <donn...@donncha.is> wrote:
> The Tor bad-relay team regularly detects malicious exit relays which are
> actively manipulating Tor traffic. These attackers appear financially
> motivated and have primarily been observed modifying Bitcoin and onion
> addresses which are displayed on non-HTTPS web pages.
>
> Increasingly these attackers are becoming more selective in their
> targeting. Some attackers are only targeting a handful of pre-configured
> pages. As a result, we often rely on Tor users to report bad exits and
> the URLs which are being targeted.
>
> In Firefox 51, Mozilla started to highlight HTTP pages containing
> password form fields as insecure [1]. This UI clearly and directly
> highlights the risk involved in communicating sensitive data over HTTP.
>
> I'd like to investigate ways that we can extend a similar UI to Tor
> Browser which highlight Bitcoin and onion addresses served over HTTP. I
> understand that implementing this type of Bitcoin and onion address
> detection would be less reliable than Firefox's password field
> detection. However even if unreliable it could increase safety and
> increase user awareness about the risks of non-secure transports.
>
> There is certainly significant design work that needs to be done to
> implement this feature. For example, .onion origins need to be treated as
> secure, but only if they don't include resources from non-secure
> origins. We would also need to make the onion/bitcoin address detection
> reliable against active obfuscation attempts by malicious exits.
>
> https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

Search OnionGatherer on this list for ui stuff.

_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
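
A sketch of the check proposed in the quoted message, added here as an example and not taken from the thread or from Tor Browser: it treats https: and .onion origins as secure only when every subresource is secure too, and normalises markup and invisible characters before looking for Bitcoin and onion addresses. The function names, the patterns and the sample inputs are assumptions made for illustration.

```javascript
// Added example: names, patterns and inputs are assumptions, not Tor Browser code.
// Format-only patterns; a real detector would also verify the Base58Check
// checksum of Bitcoin candidates to cut false positives.
const BTC_RE = /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g;
// 16-character (v2) or 56-character (v3) base32 label followed by .onion
const ONION_RE = /\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b/gi;

// https: is secure; http: to a .onion host is treated as secure as well.
function isSecureOrigin(url) {
  const { protocol, hostname } = new URL(url);
  if (protocol === 'https:') return true;
  return protocol === 'http:' && hostname.endsWith('.onion');
}

// Drop markup and invisible characters so an address split across tags or
// padded with zero-width code points is matched as one string.
// Not exhaustive: entities, CSS reordering and images are out of scope here.
function visibleText(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/[\u00AD\u200B-\u200D\u2060\uFEFF]/g, '');
}

// A page is secure only if its own origin and every subresource origin is.
function checkPage(pageUrl, html, subresources = []) {
  const secure = [pageUrl, ...subresources]
    .every((u) => isSecureOrigin(new URL(u, pageUrl).href));
  const text = visibleText(html);
  const bitcoin = text.match(BTC_RE) || [];
  const onion = (text.match(ONION_RE) || []).map((s) => s.toLowerCase());
  const warn = !secure && bitcoin.length + onion.length > 0;
  return { secure, bitcoin, onion, warn };
}

// Constructed sample values (format-valid only, not real addresses).
const SAMPLE_BTC = '1' + 'A1zP1'.repeat(6);
const SAMPLE_ONION = 'abcdefghij234567.onion';
const split = SAMPLE_BTC.slice(0, 10) + '<span></span>' +
  SAMPLE_BTC.slice(10, 20) + '\u200B' + SAMPLE_BTC.slice(20);
console.log(checkPage('http://shop.example/pay', `<p>Pay ${split}</p>`));
console.log(checkPage(`http://${SAMPLE_ONION}/`, `<a>${SAMPLE_ONION}</a>`,
  ['http://cdn.example/app.js']));
```
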