
https exit node SSL stripping?

When I set Tor Browser to Safest mode and go to websites that I know for a fact have https SSL certificates, very often (like 40% of the time) it will tell me that it’s HTTP only, so I hit proceed.

Then once the site loads, it has a lock and appears to be a legit cert.

Is this SSL stripping of malicious exit nodes? Why is it saying no HTTPS?

What probably happens is that HTTPS-Only mode attempts a connection on :443 (HTTPS) regardless of the protocol specified, and in the event of a connection failure it prompts with the opportunity to downgrade to HTTP.

In my experience, either reloading to attempt another connection or using a new identity to connect through a different exit node usually solves the problem.

Thank you


I see, so you’re saying that some websites may not use port 443, and that’s why it refuses?

Why would a different identity change the protocol? I thought all Tor exit nodes were doing the same thing.

Should the same issue happen when using Tor Browser outside of Whonix?

Not quite. Connection attempts or a majority of packets could be lost, which can cause the client browser to attempt a fall-back to the HTTP protocol. In light of this, it is entirely possible for exit nodes to entice clients to downgrade to HTTP for malicious purposes, but it could also happen without any element of malice due to connection/packet loss between the client, the intermediate nodes and the destination server.

If any of the nodes are having issues, forcing a new identity may use a different circuit or exit node that does not have the same issue leading to the client-side protocol downgrade. Oftentimes attempting a reload without a new identity may create a new connection in the existing circuit that works correctly if the fault was intermittent and not malice.

I have reproduced this issue with Tor Browser outside of Whonix. In general, if a majority of TLS connections to clear-net sites work correctly, any failures are either network faults causing a client-side downgrade or poor attempts at protocol downgrade by attackers. If a new identity works to ‘resolve’ the problem, I would not be too concerned about it.

Thank you

Are there any well-known websites (let’s say facebook.com) where this is often happening?

Sometimes, if the archive.org server is slow, browsing snapshots from the Wayback Machine can presumably cause connection timeouts due to the server not responding, which might cause the browser to prompt a fallback.

But seeing how it is intermittent, is not an automatic downgrade, and usually goes away after a reload or a new circuit, I am not too concerned about it.

Thank you