Deploy HTTPS for all of New Yorker website #10
Comments
|
The other attack would be to generate a unique .onion address for every request being MiTM'd and correlate the IP of the New Yorker domain request with the .onion visited by the submitter. |
|
This is an issue with the New Yorker, not with DeadDrop. In addition, the New Yorker can distribute the correct onion address to potential sources through a variety of methods including verbally, on business cards, in printed media, etc to mitigate this risk. That said, the New Yorker has been informed. |
conorsch
added a commit
that referenced
this issue
Apr 26, 2017
Tweaks needed to build packages on remote server
44 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
An attacker may MITM the original connection to the New Yorker website. As a result, the attacker may change the .onion URL in transit. An attacker is able to see that the submitter isn't reading the New Yorker and if they download the Tor Browser as their next action, I suspect the attacker may simply choose to break connections to the Tor website. This will stop a potential submission and it also presents the attacker with an opportunity to insert malware (at download time) to discover the documents under consideration for submission.
The text was updated successfully, but these errors were encountered: