Information
ID: 677
PHID: PHID-TASK-2fdlzg6r62mcmijnr7zi
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal
Description
- assume some example download link
** https://www.torproject.org/dist/torbrowser/6.5.2/tor-browser-linux64-6.5.2_en-US.tar.xz
** could be any
** forget that it’s on torproject.org
- assume the user has only a single open tab
- assume the user knows he is pasting an https link into the url bar
- assume https everywhere is not effective for that website
- assume the website does not use HSTS
- assume the website does not use HSTS preloading
- assume the website does not use HTTP Public Key Pinning (HPKP)
In this situation there was a bug. The user has no way to know if the file is being downloaded over https or if sslstrip made the user download over plain http. It’s because one cannot see a padlock. It’s just empty. I have no bug report for reference handy.
Could you research please if this is still the case? And reference a bug report? @HulaHoop
Comments
HulaHoop
2017-05-20 04:59:36 UTC
marmarek
2017-05-20 10:16:51 UTC
Patrick
2017-05-22 13:47:59 UTC
Patrick
2017-05-24 21:10:44 UTC