[HTTPS-Everywhere] ssl observatory without torbutton

Ulrich Viefhaus Ulrich.Viefhaus at FernUni-Hagen.de
Fri Jan 3 02:05:59 PST 2014


Hello Yan,

Thanks for your reply. It seems to work and tcpdump shows the torified
traffic.
I always thought that torbutton is needed in addition to tor for this
extension to work, because the German mouse-over hint of the option says
so. Maybe this can be changed so there is no confusion in future
releases. 

Greetings,
Ulrich 

On Thursday, 02.01.2014, at 15:53 -0800, Yan Zhu wrote: 
> 
> On 01/01/2014 12:34 PM, Ulrich Viefhaus wrote:
> > Hello everyone and a happy new year!
> > 
> > I'm using https-everywhere with iceweasel under debian wheezy. I
> > would like to use the ssl observatory function of the plugin but
> > the torbutton extension is no longer supported. I'm not quite
> > comfortable with using an unsupported security-relevant program
> > (and debian has torbutton only in sid which tries to kill my
> > system).
> 
> 
> Hi Ulrich,
> 
> Happy New Year to you too!
> 
> SSL Observatory can send requests over Tor if Tor is running on your
> system even if Torbutton is not installed. At runtime, it tries to
> detect whether Tor is running [1]; if so and you've checked the "Use
> observatory only when Tor is running" preference, it will send requests
> over Tor.
> 
> [1] See testProxySettings in src/components/ssl_observatory.js:
> https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/components/ssl-observatory.js#l720.
> Note that the request to check.torproject.org gets sent through the Tor
> SOCKS proxy if possible:
> https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/components/ssl-observatory.js#l839.
> If Torbutton isn't installed and you haven't set custom proxy settings,
> SSL Observatory assumes that tor-socks will use localhost:9050.
> 
> I would verify this by running tcpdump on 9050 while SSL Observatory
> is on.
> 
> > 
> > Now my questions: Which data is sent to the observatory from me if
> > I don't use tor for submitting the certificates? My IP, the site I
> > was looking at and the certificate? Is the IP stored anywhere?
> 
> From submitChain in src/components/ssl_observatory.js, it looks like we
> get the certs, the hostname of the site (not the full URL), and the IP
> address of the site. The SSL Observatory server sees your true IP
> address if you're not using Tor. I'm not 100% sure if it gets logged
> or crypto-logged
> (https://git.eff.org/?p=cryptolog.git;a=blob;f=README;h=7bbdc5440f6c3a8a6d08315483dac104bfbbfc16;hb=c046709553fbd3fce7a6c99da8b37f0bf054364a),
> but I imagine that in either case, we try to clear IP logs as often as
> possible if we store them at all.
> 
> You can find EFF's privacy policy at https://www.eff.org/policy.
> 
> > The only disadvantage of not using torbutton for the observatory is
> > the possibility of generating a list of the sites I visited until
> > my IP changes, right?
> 
> That sounds correct if you replace "torbutton" with "tor".
> 
> Cheers,
> Yan
> 
> > Am I missing something?
> > 
> > Greetings, Ulrich
> 
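
Added example, not part of the original messages and not HTTPS Everywhere code: a local check to run alongside tcpdump that speaks the SOCKS5 handshake (RFC 1928) to the fallback address named in the thread and asks the proxy to open a tunnel to check.torproject.org. The function names, the 443 destination port and the status strings are assumptions made for this sketch; an "ok" result shows that a SOCKS5 listener accepted the tunnel, not that the listener is Tor.

```python
import socket

TOR_SOCKS = ("127.0.0.1", 9050)  # fallback named in the thread
CHECK_DEST = ("check.torproject.org", 443)  # port 443 is an assumption


def _recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError (an OSError)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def build_connect_request(hostname, port):
    """SOCKS5 CONNECT using ATYP 0x03 (domain name): the proxy resolves the
    name, so no local DNS query for it leaves the machine."""
    name = hostname.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")


def socks5_status(proxy=TOR_SOCKS, dest=CHECK_DEST, timeout=5.0):
    """Return 'closed', 'not-socks5', 'auth-required', 'connect-failed:<n>' or 'ok'."""
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            sock.sendall(b"\x05\x01\x00")  # greeting: version 5, offer "no auth"
            ver, method = _recv_exact(sock, 2)
            if ver != 5:
                return "not-socks5"
            if method != 0:  # includes 0xff, "no acceptable methods"
                return "auth-required"
            sock.sendall(build_connect_request(*dest))
            ver, rep = _recv_exact(sock, 2)  # REP 0 means the tunnel is open
        except OSError:
            return "not-socks5"
    return "ok" if (ver, rep) == (5, 0) else f"connect-failed:{rep}"


if __name__ == "__main__":
    print(socks5_status())
```

A "closed" result means nothing is listening on the port the fallback assumes, so the "only when Tor is running" preference would have no proxy to send through.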