[HTTPS-Everywhere] ssl observatory without torbutton

Yan Zhu yan at eff.org
Thu Jan 2 15:53:05 PST 2014



On 01/01/2014 12:34 PM, Ulrich Viefhaus wrote:
> Hello everyone and a happy new year!
> 
> I'm using https-everywhere with iceweasel under debian wheezy. I
> would like to use the ssl observatory function of the plugin but
> the torbutton extension is no longer supported. I'm not quite
> comfortable with using an unsupported security relevant program
> (and debian has torbutton only in sid which tries to kill my
> system).


Hi Ulrich,

Happy New Year to you too!

SSL Observatory can send requests over Tor if Tor is running on your
system even if Torbutton is not installed. At runtime, it tries to
detect whether Tor is running [1]; if so and you've checked the "Use
observatory only when Tor is running" preference, it will send requests
over Tor.

[1] See testProxySettings in src/components/ssl_observatory.js:
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/components/ssl-observatory.js#l720.
Note that the request to check.torproject.org gets sent through the Tor
SOCKS proxy if possible:
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/components/ssl-observatory.js#l839.
If Torbutton isn't installed and you haven't set custom proxy settings,
SSL Observatory assumes that tor-socks will use localhost:9050.

I would verify this by running tcpdump on 9050 while SSL Observatory
is on.

> 
> Now my questions: Which data is sent to the observatory from me if
> I don't use tor for submitting the certificates? My IP, the site I
> was looking and the certificate? Is the IP stored anywhere?

From submitChain in src/components/ssl_observatory.js, it looks like we
get the certs, the hostname of the site (not the full URL), and the IP
address of the site. The SSL Observatory server sees your true IP
address if you're not using Tor. I'm not 100% sure if it gets logged
or crypto-logged
(https://git.eff.org/?p=cryptolog.git;a=blob;f=README;h=7bbdc5440f6c3a8a6d08315483dac104bfbbfc16;hb=c046709553fbd3fce7a6c99da8b37f0bf054364a),
but I imagine that in either case, we try to clear IP logs as often as
possible if we store them at all.

You can find EFF's privacy policy at https://www.eff.org/policy.

> The only disadvantage of not using torbutton for the observatory is
> the possibility of generating a list of the sites I visited until
> my IP changes, right?

That sounds correct if you replace "torbutton" with "tor".

Cheers,
Yan

> Am I missing something?
> 
> Greetings, Ulrich
> 

-- 
Yan Zhu                           yan at eff.org
Technologist                      Tel  +1 415 436 9333 x134
Electronic Frontier Foundation    Fax  +1 415 436 9993
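
An added example, not part of the original message or of the HTTPS Everywhere code: a local check that a SOCKS5 listener answers at localhost:9050, the address the reply says SSL Observatory assumes when Torbutton is absent and no custom proxy is set. The name probe_socks5 is hypothetical, and a successful greeting shows only that some SOCKS5 proxy is listening there, not that it is Tor.

```python
import socket

# Address the reply says SSL Observatory assumes when Torbutton is not
# installed and no custom proxy settings exist.
DEFAULT_SOCKS = ("127.0.0.1", 9050)


def probe_socks5(host=DEFAULT_SOCKS[0], port=DEFAULT_SOCKS[1], timeout=3.0):
    """Send a SOCKS5 no-auth greeting to host:port; return (ok, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # RFC 1928 greeting: VER=5, NMETHODS=1, METHODS=[0x00 = no auth]
            s.sendall(b"\x05\x01\x00")
            reply = b""
            while len(reply) < 2:
                chunk = s.recv(2 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except OSError as exc:  # refused connection, timeout, reset
        return False, f"no listener or no reply: {exc}"
    if len(reply) < 2:
        return False, "connection closed before a full method reply"
    if reply[0] != 5:
        return False, f"not SOCKS5 (first byte 0x{reply[0]:02x})"
    if reply[1] != 0:
        return False, f"SOCKS5, but no-auth refused (method 0x{reply[1]:02x})"
    return True, "SOCKS5 proxy accepting unauthenticated clients"


if __name__ == "__main__":
    ok, reason = probe_socks5()
    print(f"{DEFAULT_SOCKS[0]}:{DEFAULT_SOCKS[1]}: {reason}")
```

A passing probe complements the tcpdump check on port 9050 suggested in the message; it does not replace it, since it says nothing about whether the browser's submissions actually use the proxy.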

