hardenize / hardenize-public


Tor Onion links shown as 'Plaintext' on Mixed Content Outbound Links page #25

Open jamieweb opened 6 years ago

jamieweb commented 6 years ago

If a scanned page has outbound Tor Onion Hidden Service (.onion) links on it, these will be marked in orange as 'Plaintext' in the report.

While these are technically HTTP, the encryption and integrity is done using the Tor protocol, so they should not be considered 'Plaintext'. Perhaps they could be marked in green as 'Onion'?

I guess that theoretically a DNS spoofing attack could allow these HTTP links to be used maliciously, however this is unlikely in most cases.

Similar considerations should also be made for other non-traditional TLDs, such as .i2p and .tor (for Onion Name System).

Thanks

ivanr commented 6 years ago

Hi Jamie, do you have an example where this happens that you can share?

jamieweb commented 6 years ago

Hi,

If you scan my website jamieweb.net and go onto the "Mixed Content" tab in the sidebar, it will show:

[screenshot: hardenize-onions]

Both of the orange links are my Tor Onion services.

Please let me know if you need anything else.

Thanks

stefanb commented 6 years ago

You could get the certificates for the .onion sites. Plain Tor is not plaintext indeed, but is protected using only 1024 bit keys, which allowed you to bruteforce such a friendly name for your hidden service (not 100% sure for the second, longer .onion hostname).

jamieweb commented 6 years ago

As far as I know, it's not possible/easy to get a signed TLS certificate for Tor Hidden Services except for EV certificates from Digicert. These are not common practice though, and very few Hidden Services actually use them.

However, that is a very good point regarding the 1024 bit keys used in the Tor Onion v2 specification. I brute-forced that 8 character vanity address using 5 Raspberry Pis running for around a month - as you can imagine, with much more computing power those 1024 bit keys are no longer sufficient.

The newer Onion v3 specification was added to Tor stable in Jan 2018, which is what the longer Onion address is. Onion v3 uses much stronger cryptography, however so far the adoption is low.

stefanb commented 6 years ago

Yes, Let's Encrypt is not supporting it yet, and it is not even in their upcoming features list, but they are aware of demand and things are moving bit by bit... https://github.com/certbot/certbot/issues/91 . If Tor v3 catches on it might get the gears going faster.

lilyanatia commented 6 years ago

v3 hidden services are protected using ed25519 keys, not 1024-bit RSA. While it makes sense to consider v2 onions insecure, v3 ones are as secure as any site with a DV certificate.

Just FYI, it only takes a few minutes to find 8-character v2 vanity addresses on a single Vega FE GPU.
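Added example (my own code, not from this thread or from Hardenize): a link classifier that gives .onion targets their own category instead of 'Plaintext', as the opening comment proposes, and separates v2 (1024-bit RSA) from v3 (ed25519) services along the lines lilyanatia draws. The category and helper names are my own; the address layouts (v2: 16 base32 characters; v3: 56 characters carrying the key, a SHA3-256 checksum and a version byte) follow the Tor rendezvous specifications rather than anything stated in the thread.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Address grammar from the Tor rendezvous specs: a v2 label is 16 base32 chars
# (truncated SHA-1 of a 1024-bit RSA key); a v3 label is 56 base32 chars
# encoding pubkey(32) || checksum(2) || version(1), with version == 3.
V2_LABEL = re.compile(r"^[a-z2-7]{16}$")
V3_LABEL = re.compile(r"^[a-z2-7]{56}$")

def v3_checksum(pubkey: bytes, version: bytes = b"\x03") -> bytes:
    """First two bytes of SHA3-256('.onion checksum' || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def v3_address_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion label (no '.onion')."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return base64.b32encode(pubkey + v3_checksum(pubkey) + b"\x03").decode().lower()

def classify_link(url: str) -> str:
    """Classify one outbound link for a mixed-content report (category names are mine).

    'https'         TLS, fine
    'onion-v3'      ed25519 service, comparable to a DV certificate
    'onion-v2'      1024-bit RSA service: encrypted, but report as weak
    'onion-invalid' malformed label, wrong version byte or bad checksum
    'plaintext'     clearnet http
    'other'         non-http(s) scheme
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        return "https"
    if parts.scheme != "http":
        return "other"
    if not host.endswith(".onion"):
        return "plaintext"
    label = host[: -len(".onion")].rsplit(".", 1)[-1]  # drop any subdomain
    if V2_LABEL.match(label):
        return "onion-v2"
    if not V3_LABEL.match(label):
        return "onion-invalid"
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03" or checksum != v3_checksum(pubkey):
        return "onion-invalid"
    return "onion-v3"
```

The v3 branch rejects a label whose checksum or version byte does not match the embedded key, so a mistyped or tampered address is reported as invalid rather than silently treated as a secure onion.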