0

I read in the documentation about the security issues with Tor that it is OK if the website is running on HTTPS, but how about Orbot and a site that is not running on HTTPS?

Even if it is running on HTTPS, is it 100% sure that the end node cannot expose data that is sent out?

I am just wondering, for the Orbot app and maybe even Tor, what if encryption is added for the data passing back and forth?

For example:

  1. Encryption for data
  2. Onion layers are added
  3. Onion layer removed
  4. Decryption

It is similar to what "HTTPS" is doing, but what about for Orbot? And what if, for example, a unique private key is used and AES-256 encrypts dynamically for each browser? Even if a server is compromised, or there is a malicious end node, would it make it more secure?

forest
John

1 Answer

1

That cannot be done in any way, because the data leaves the Tor network on the exit node! The data is already encrypted until the exit node, where it is sent in plain to the public Internet. Any encryption added between your Orbot and the exit node doesn't change anything, because it is already there.

If you want to encrypt the data between the client app and the target server, that cannot happen in Orbot/Tor because the client and the server don't know anything about Tor! There is a widely used standard for transport encryption called TLS. It is used in HTTPS. Nothing is 100% sure and there are always bugs. But TLS is so widely used that bugs are regularly found and fixed.

For Tor hidden services, the "exit node" usually is your target server, so if you access an .onion URL using Tor, usually all the data is encrypted.

Maybe this graphic from Wikipedia helps you understand (CC BY 3.0 licensed): [image]

Once the data is between the last Tor node and Bob (red arrow) it is outside the Tor network and so you can't encrypt this using Tor!

forest
Josef
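The point of the answer above, as an added example that is not part of the original post: a toy model of onion layering showing what the last relay forwards in three cases (plain HTTP, an extra client-to-exit layer as the question proposes, and a key shared only by client and server). The SHA-256 keystream cipher, the key names and the sample request are assumptions made for illustration; this is not Tor's actual cryptography and it does not model TLS authentication.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). A stand-in, not Tor's real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def through_circuit(payload: bytes, hop_keys: list) -> bytes:
    """Client adds one layer per relay, each relay strips its own layer.
    Returns the bytes the last relay forwards to the destination."""
    cell = payload
    for key in reversed(hop_keys):  # client side: exit layer innermost
        cell = xor_stream(key, cell)
    for key in hop_keys:            # guard, middle, exit peel in order
        cell = xor_stream(key, cell)
    return cell

def exit_view(request: bytes, hop_keys: list, e2e_key: bytes = None) -> bytes:
    """What the exit relay sees. e2e_key models a key known only to the client
    and the destination server (the role TLS plays for HTTPS)."""
    payload = xor_stream(e2e_key, request) if e2e_key else request
    return through_circuit(payload, hop_keys)

# Constructed sample data: keys and request are made up for this example.
HOPS = [hashlib.sha256(n).digest() for n in (b"guard", b"middle", b"exit")]
EXTRA = hashlib.sha256(b"extra client-to-exit layer").digest()
E2E = hashlib.sha256(b"client-server session key").digest()
REQUEST = b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\nuser=alice&pw=hunter2"

if __name__ == "__main__":
    print("plain HTTP      :", exit_view(REQUEST, HOPS))
    print("extra Tor layer :", exit_view(REQUEST, HOPS + [EXTRA]))
    print("end-to-end key  :", exit_view(REQUEST, HOPS, E2E).hex()[:48], "...")
```

Only the third case keeps the request unreadable at the exit, because the exit relay never holds that key.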