14

Somewhere I read that you should only open HTTPS links on Tor because otherwise your ISP for example could read the webpages you visit.

I searched on the subject and somewhere else I read that the Tor network itself provides enough built-in encryption.

So which of those is true - is it safe to open normal http sites on Tor?

Also what about .onion ending links?

Jeremy
FISOCPP
  • [Related question and answer](http://security.stackexchange.com/questions/72679/differences-between-using-tor-browser-and-vpn/72729#72729) – RoraΖ Nov 16 '15 at 14:25
  • 4
    Just to mention, using Tor is to hide where you are and what you are doing... HTTPS is to hide who you are and what you have... Remember this: I would recommend that if you are trying to keep data secure, you are using Tor wrong. Using personal data on Tor at any point removes the point of Tor. – TheHidden Nov 16 '15 at 15:02
  • 4
    I would stress what @silverpenguiun is saying. Using tor or VPNs for accessing social network or gmail accounts negates using it to keep your privacy. – Rui F Ribeiro Nov 16 '15 at 15:33

3 Answers

23

No, it is not safe. But the reasoning you read is wrong.

When you use Tor, the connection between you and the Tor network is encrypted, so your ISP cannot eavesdrop. But when you access a normal HTTP website with Tor, the connection between the exit node and the target website is unencrypted. That means the exit node can eavesdrop on and manipulate the whole connection. You don't know if the exit node (and its ISP) is trustworthy, so this can be very dangerous.

This does not apply to hidden services (.onion websites). In that case the encryption is end-to-end and another HTTPS layer is redundant (and counter-productive because one purpose of HTTPS is to de-anonymize the server).

forest
Philipp
  • 1
    So then I'm right that links which end with '.onion' are also encrypted as 'https' between my computer and the server I connect? – FISOCPP Nov 16 '15 at 15:10
  • 4
    @FISOCPP Technically it's not https, but it is a form of encryption which is strong enough to prevent eavesdropping and MITM attacks. – Philipp Nov 16 '15 at 15:12
13

It depends. Specifically, it depends on the type of data you are accessing and your threat model.

What protection does HTTPS provide with Tor?

Here is a breakdown of some potential adversaries and the information available to them at each point. You will note that HTTPS only provides protection in the final step of the connection (between the exit node of the Tor circuit and the destination server):

  • Your Home Network and ISP: Tor provides strong encryption within the network. Potential adversaries on your home network or at your ISP can see that you are using Tor, but they cannot see the websites you are visiting.
  • The Tor Network: The traffic within the Tor network has multiple layers of encryption such that only the last node (the exit node) in your Tor circuit can see the traffic you send to the destination.
  • The Exit Node: At this point, the traffic exits Tor; it can be monitored by the Tor node itself or that node's ISP. This is where HTTPS becomes important as it will prevent snooping on the data contained in your transaction (passwords, the specific pages you visit, etc.).

There is an excellent interactive diagram that summarizes the above. The diagram allows you to enable both Tor and HTTPS to see what information can be hidden from different adversaries.

Do I always need HTTPS?

The short answer is: no, but you should use it if possible. HTTPS provides additional protection for the data transferred between the exit node and the destination server. It depends on the data you are sending or accessing and who you want to prevent from seeing that data.

For example, if you are reading a news website without HTTPS, it becomes possible for the Tor exit node and their ISP to see that someone is reading a specific article on a specific news website. However, they will not know who you are. If you add in HTTPS, they can see the name of the news website you are visiting, but not the specific page you are visiting.

So, if HTTPS is not available on some websites, the exposure is still limited. But, if you want to send information like usernames, passwords, or other identifying information, be sure to use HTTPS.

Does HTTPS provide other protection?

Yes. There is one more point that needs to be addressed: HTTPS provides protection against malicious page modification.

When you connect to a website over an unencrypted connection, it is possible for the exit node, the exit node's ISP, or some government agencies with the necessary access to modify the traffic in transit. This could allow them to inject other content into the page including advertising or browser exploits. They could also change the content of the page itself (plant fake news stories, etc.).

Using HTTPS makes this attack much more difficult as it requires performing a man in the middle attack on your connection. Also, when these types of attacks are performed, they are much more likely to be noticed.

What about hidden services (onion websites)?

The traffic to these services is automatically encrypted by Tor. In fact, the name of the service itself (the .onion address) serves an important role in establishing the encrypted connection.

However, some hidden services do use HTTPS. Facebook is one example of this. They use the SSL certificate to provide evidence that you are connecting to legitimate Facebook servers, not an impostor website.

Is additional protection available?

There are a few browser add-ons that can be installed.

The Tor Browser Bundle already includes:

  • HTTPS Everywhere automatically enables HTTPS when the destination website is on a list of websites that are known to support encryption.
  • NoScript allows you to disable JavaScript, which can provide additional protection against injected JavaScript.

There are some other choices that an advanced user might want to enable as well. However, adding these to the Tor Browser Bundle might make you more unique compared to other Tor users, so only install these if you know what you are doing:

  • Request Policy provides additional protection against attacks that insert iframes or other remote content into your connection.

The last line of defense is human vigilance. Be observant about anything suspicious. You never know what dangers might be lurking in the shadows.

Austin Hartzheim
5

You still need HTTPS since anyone on the Tor exit nodes can read your HTTP traffic.

E.g. Tor provides protection so your ISP would have difficulty reading your traffic, but it is not end-to-end encryption. You cannot be sure who/where your exit is or who controls it, and they would still have the ability to intercept your unencrypted traffic.

See attached diagram to clarify: http://www.flickr.com/photos/albill/1263976173/

[Diagram: How Tor Works: 2]

forest
Joe
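Philipp's, Austin's and Joe's answers all rest on the same fact: Tor's layered encryption ends at the exit, so only HTTPS protects the last hop, and only HTTPS stops the exit from rewriting pages. The Python model below is an added example, not code from any of the answers or from Tor. Its assumptions: a toy HMAC-authenticated stream cipher stands in for Tor's relay crypto and for TLS, relays are named rather than addressed by IP, and the TLS handshake is modelled as a cleartext SNI line followed by sealed bytes. The request, hostname and page contents are constructed. It reports what the home ISP, each relay and the exit can see for one request, and what happens when the exit edits the response.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher: XOR with a SHA-256 keystream plus an HMAC tag.
# Constructed for illustration; Tor's relay crypto and TLS use proper AEAD
# constructions. The property shown (a hop can strip only its own layer, and
# edits to sealed bytes are caught) is the one the answers rely on.
NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed sample request the browser sends to a hypothetical news site.
HOST = b"news.example"
REQUEST = (b"GET /articles/secret-story HTTP/1.1\r\n"
           b"Host: " + HOST + b"\r\n"
           b"Cookie: session=abc123\r\n\r\n")


def build_circuit() -> dict:
    """One symmetric key per hop, as Tor negotiates while extending a circuit."""
    return {hop: os.urandom(32) for hop in ("guard", "middle", "exit")}


def client_wrap(keys: dict, app_bytes: bytes) -> bytes:
    """Onion-wrap: innermost layer is for the exit, outermost for the guard."""
    cell = seal(keys["exit"], b"CONNECT " + HOST + b"\n" + app_bytes)
    cell = seal(keys["middle"], b"RELAY_TO exit\n" + cell)
    return seal(keys["guard"], b"RELAY_TO middle\n" + cell)


def what_each_observer_sees(use_https: bool) -> dict:
    """Bytes visible at each vantage point for one request over the circuit."""
    keys = build_circuit()
    tls_key = os.urandom(32)  # known only to the browser and the destination
    if use_https:
        # Simulated TLS: the handshake exposes the hostname (SNI) in the clear,
        # while the HTTP request itself travels sealed under the TLS key.
        app = b"TLS ClientHello SNI=" + HOST + b"\n" + seal(tls_key, REQUEST)
    else:
        app = REQUEST
    cell = client_wrap(keys, app)
    seen = {"home_isp": b"to guard relay: " + cell}  # outer ciphertext only
    header, rest = unseal(keys["guard"], cell).split(b"\n", 1)
    seen["guard"] = header                            # b"RELAY_TO middle"
    header, rest = unseal(keys["middle"], rest).split(b"\n", 1)
    seen["middle"] = header                           # b"RELAY_TO exit"
    seen["exit"] = unseal(keys["exit"], rest)         # destination + app bytes
    return seen


def exit_modifies_response(use_https: bool) -> bytes:
    """The exit (or its ISP) rewrites the page on its way back to the browser."""
    tls_key = os.urandom(32)
    page = b"<html>real article</html>"
    wire = seal(tls_key, page) if use_https else page
    if use_https:
        tampered = bytearray(wire)
        tampered[NONCE_LEN] ^= 0x01  # the attacker can only flip ciphertext bits
        try:
            return unseal(tls_key, bytes(tampered))
        except ValueError:
            return b"REJECTED: integrity check failed"
    # Plain HTTP: the attacker edits the page and the browser renders the result.
    return wire.replace(b"real article", b"fake story")


if __name__ == "__main__":
    for https in (False, True):
        print("HTTPS" if https else "HTTP", what_each_observer_sees(https)["exit"])
        print("  tampered response ->", exit_modifies_response(https))
```

Compare the exit's view with and without HTTPS: the hostname is visible in both cases (as the SNI, and in any case because the exit has to know where to connect), but the path and the cookie are readable only over plain HTTP, matching the news-site example in Austin's answer. The guard and middle relays never see more than the next hop, and the home ISP sees only ciphertext addressed to the guard. The tampering function shows the second point: over HTTP the rewritten page reaches the browser, while under the sealed connection the edit trips the integrity check and the page is discarded.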