Jump to: navigation, search

Template:Secure tor browser downloads

Preventing SSLStrip Attacks[edit]

If you click or paste a download link, make sure it is https://. The s in https:// stands for "secure".

Users often mistakenly believe that a secure, green padlock and a https:// URL makes any download from that particular website secure. This is not the case. The website might be redirecting to http.

In fact, the user may be vulnerable to an attempted SSLstrip attack if a link is pasted or typed into the address bar without the https:// component (e.g. torproject.org instead of https://torproject.org). [1]

In this instance, the user cannot actually confirm if the file is being downloaded over https://. Potentially, a SSLstrip attack might have made the download take place over plain http. The reason is the user cannot see a padlock; it just appears empty.

To avoid the risk of an SSLstrip attack or similar threats, users should always explicitly type or paste https:// in the URL / address bar. The SSL certificate button or padlock will not appear in this instance, but that is nothing to be concerned about. Unfortunately, few users follow this sage advice; instead most mistakenly believe pasting or typing www.torproject.org into the address bar is safe.

Other Precautions[edit]

For even greater safety, where possible download files from hidden services (.onion addresses). Greater security is provided by hidden service downloads, since: the connection is encrypted end-to-end (with PFS), targeting of individuals is difficult, and adversaries cannot easily determine where the user is connecting to or from.

Also, if files are already available in repositories, then users should prefer mechanisms which simplify and automate software upgrades and installations (like apt-get functions), rather than download Internet resources. Avoid installing unsigned software and be sure to always verify key fingerprints and digital signatures of signed software from the Internet, before importing keys or completing installations.

Finally, consider using multiple Whonix-Workstations when downloading and installing additional software, to better compartmentalize user activities and minimize the threat of misbehaving applications.
  1. And that website does not: