Community Discussions

Accessing the Tor website - HSTS problems

Main Post:

Hello! Please keep in mind that I'm quite new to things like Tor/internet security past VPNs, and am just starting to learn about them and how they work, and that I will probably say something that makes you go "Huh?! tf do they mean?"

I'm unable to access the Tor website on Chrome or Firefox. Each time I attempt to open the page for Tor or Tails OS, I am given the error message (verbatim) of:

"Your Connection Is Not Private"

www.torproject.org normally uses encryption to protect your information. When Google Chrome tried to connect to www.torproject.org this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.torproject.org, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit www.torproject.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Is this because I'm being attacked by a "man in the middle"? (I've tried to access the site days apart and have gotten the same message) Is it simply because of my system settings regarding HSTS?

If so, how might I be able to access the site? Do I just have the wrong address?

Edit: I am aware that there are other sites I can download the browser from, but for the moment I'm just looking to read about it from the site.

Thank you for your time and help, it is much appreciated.

Top Comment:

I had a similar problem when accessing the Tails website and the websites of VPN providers such as ProtonVPN. Turns out my ISP DNS servers block those domains, so I changed my DNS servers. I don't know if this will fix your problem but you might want to try this. I would also advise against downloading the Tor Browser from any other website; only download the Tor Browser from the official Tor Project website.

Forum: r/TOR

HSTS on localhost - Why Chrome?!

Main Post:

So the latest / recent Chrome releases are making local development a royal pain in the ass. I'm running multiple projects, some using HTTP, others HTTPS (with self-signed certs) on my localhost. The recent Chrome changes now seem to apply this highly annoying HSTS behaviour (redirects http to https) even on localhost, forcing me to clear the localhost domain within chrome://net-internals/#hsts tens of times an hour.

I've added an entry to HSTSPolicyBypassList and can see the policy activates via chrome://net-internals/#hsts - but this has no effect on port based localhost applications, e.g. http://localhost:1234 still redirects to https assuming something else on localhost has been accessed using https recently.

Would hugely appreciate some help, I must be missing something here?

Top Comment: Make sure your post is flaired properly or it will be removed, support posts need to be flaired with "HELP" or will be removed. There are also new user flairs to add your main browser next to your username. I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

Forum: r/chrome

How to check for HSTS?

Main Post:

As I understand it, a website can malfunction if HSTS is enabled and then disabled? Is there any test for that? I have a site that was managed by a Cloudflare partner, and while I was able to remove the partner, I'm still having resolution issues that I wonder if they could be tied to HSTS? I have no way of knowing if it was enabled before. Thank you.

Top Comment: Seen this multiple times before, nothing to do with HSTS. Cloudflare either won't fix it or is unaware of the problem. They continue pointing to the partner IP even though the user has updated their nameservers to a new Cloudflare pair. Your dashboard will say it's verified and active, even though that's not the case. Delete your entire site at the Cloudflare partner and it should immediately start working.

Forum: r/CloudFlare

HSTS REDDIT

Main Post:

Okay Kominfo, you win again this time (because DNSCrypt on the LAN died)

http://i.imgur.com/zHFUff3.png

Oddly, the Trust Positive IP is being used to host other domains, even though Kominfo has plenty of idle IPs (202.89.116.0/23)

Because of the incident above, I found out there's a sketchy site that is Kominfo's masterpiece: https://cekrekening.id.

Top Comment:

What's the meaning of this?

Forum: r/indonesia

What is an HSTS error (in plain English if possible)!

Main Post:

I've heard of HSTS before, but never had an issue where I needed more understanding, hence asking you guys.

What happened:

I was at a coffee shop with my laptop, which happened to be running Arch (btw). No wifi, but the Bank of America next door had an open guest wifi within range so I could connect to that. I could browse some sites, and it worked, so I tried updating packages, and somewhere in that process, pacman threw an error about a self-signed certificate in the certificate chain. I tried googling the error, but lo and behold, when I tried to visit the Arch forums and Reddit, Firefox would refuse to connect to either. More details said there was an HSTS error, which you can't override.

So, two completely unrelated certificate errors, apparently.

I then disconnected from the BoA wifi and connected to my phone as a hotspot as well. All was well! I could update packages without error, and connect to both Reddit and the Arch wiki without issues.

Can anyone explain HSTS to me in plain English? Just so I can understand what was occurring? My guess is that perhaps the BoA hotspot was trying to do a man in the middle, swapping around certificates, or something? Would that be an accurate assessment? There was an error regarding a Fortinet certificate as well.

Thank you in advance for any explanations!

(I originally posted this to r/networking but automod said it's not appropriate for that subreddit, hoping someone here can answer!)

Top Comment:

Reason behind this error: likely because of the presence of a man-in-the-middle attacking tool. Resolution: don't use this compromised network.

I might be factually wrong at some places since I'm speaking from experience, but here is an in-depth plain-English explanation:

A. Back in the old days, websites didn't have any security, and so in order to "intercept" the packets, you could literally cut the Ethernet (internet) cable and use tools which could "capture and read" those packets, optionally modify them, and then forward the intercepted packets to the website and vice versa.

B. And so HTTPS was created, where each website which has HTTPS has its own SSL certificate which basically acts like a "key" to encrypt these packets before they leave your machine. And so even if someone intercepts these packets, all they'd be able to read is garbage data which doesn't make any sense without the key corresponding to decrypting this data.

C. Some websites allow users to choose between using HTTP and HTTPS. They don't make HTTPS mandatory in order to use the website, or they allow the connection to be established in the HTTP protocol before upgrading the protocol to HTTPS by asking your browser to visit the HTTPS website instead, using the redirect code 301.

D. If someone malicious is intercepting your network packets, they can request your browser to stay in HTTP mode and not upgrade to HTTPS mode; therefore they would manage to capture the "first" network request, like http://www.example.com/user=YourUserID, before the website can request your browser to upgrade you to HTTPS.

E. And so HSTS comes into the picture here: HSTS doesn't allow your browser to establish the connection via the HTTP protocol at any point of time. The connection protocol MUST be HTTPS, and if that's not possible, the connection cannot be established at all.

And so if example.com has HSTS, the first request from your browser would be for it to establish an HTTP connection, which would be rejected, and so your browser would be forced to establish an HTTPS connection from the very start, and so the malicious user won't be able to sniff any of your network packets corresponding to that website, since no connection can be established due to the presence of the MITM tool which doesn't have its own SSL certificate. Therefore, if someone wants to browse or intercept the network packets for a website which supports HSTS, or if they want to play with a website in HTTPS mode, they need to install a MITM certificate generated by the tool that they're using to intercept the network packets (like Fiddler or Burp Suite) in their browser so that their certificate gets added to the trust chain, which means that even if the certificate presented to the browser isn't that of the website but is of the MITM tool, since the certificate is part of the trust chain, the connection would still be established.

I know that I got fairly technical at some points; please ask me to elaborate or simplify any of my points that don't make sense. If someone who has more experience or knowledge about this topic feels that I'm wrong about something, I encourage you to correct me so that I can educate myself further :-)

Forum: r/techsupport

What is the difference between HSTS bringing people to the https site VS a page rule that brings people to the https site?

Main Post:

Basically title. HSTS (without preload) tells browsers that are loading the http site that there is an https site and to load that instead.

One can also set up a custom page rule to have the site always load in https.

So what is the difference?

Top Comment: If someone man-in-the-middles the site and forces http, then HSTS won't allow that to load (as long as it's been visited before / is on the browser's HSTS list), whereas that redirect to https would be irrelevant. I believe the redirect is a requirement of HSTS anyway.

Forum: r/CloudFlare
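A minimal model of the browser-side HSTS store that the r/techsupport explanation and the redirect-vs-HSTS thread above both describe, added here as an example and not taken from any of these posts. It follows RFC 6797 semantics; the hosts, header values and timestamps are constructed. It shows the three behaviours the threads ran into: a policy is only accepted over HTTPS, a cached host gets http:// upgraded by the browser itself before any request leaves (which is why a server-side redirect alone is weaker), and a certificate error on a known host cannot be clicked through.

```python
import re
from urllib.parse import urlsplit, urlunsplit

_cache = {}  # host -> (expires_at, include_subdomains): stands in for the browser's HSTS store

def parse_sts(header):
    """Return (max_age, include_subdomains) or None if the header is malformed."""
    max_age, subs = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m is None:
                return None          # RFC 6797: ignore the whole header
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            subs = True
    return None if max_age is None else (max_age, subs)

def record(host, header, now, over_https=True):
    """Apply a header the way a browser would; plain-HTTP responses are ignored."""
    parsed = parse_sts(header) if over_https else None
    if parsed is None:
        return False
    max_age, subs = parsed
    if max_age == 0:
        _cache.pop(host.lower(), None)      # max-age=0 removes the host from the store
    else:
        _cache[host.lower()] = (now + max_age, subs)
    return True

def is_known(host, now):
    """True if host (or a parent with includeSubDomains) has an unexpired policy."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = _cache.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def rewrite(url, now):
    """URL the browser actually fetches: http:// is upgraded for known hosts."""
    p = urlsplit(url)
    if p.scheme != "http" or not is_known(p.hostname, now):
        return url
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))

def cert_error_overridable(host, now):
    return not is_known(host, now)  # only non-HSTS hosts get a click-through warning
```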

What is HSTS really about?

Main Post: What is HSTS really about?

Top Comment: It’s being gay + GNC + internalized homophobia. Without the last bit, people don’t transition. Many HSTS types actually do find life “easier” as the opposite sex, so we are less likely to detransition. That doesn’t mean that transition makes us happy, or healthier. In fact it generally does the opposite from what I’ve seen. It just takes a while for it to catch up to you.

Forum: r/detrans

Ever had a good conversation involving HSTS?

Main Post:

HSTS has crossed my path a few times, and every time the scenario is a penetration tester has pressed a shiny "go" button on Nessus or whatever, and they get this report out the end that they don't read past cutting and pasting various sections to the owner of each supposedly vulnerable system, shouting at them to urgently fix their problem.

When you say your IT equivalent of "Sir, this is a Wendy's", i.e. "HSTS is a standard that enables websites to insist compatible browsers automatically redirect connections on HTTP to HTTPS, and our service is an internal API that can only listen on TLS-enabled endpoints, and there is no browser involved in any way", they just constantly come back saying "OK, so please address the vulnerability ASAP" and somehow it's YOUR problem to teach them why it's not an issue.

I've never had dealings with pen testers that haven't gone this way. I suppose that's partly as the good ones don't bother you about these things in the first place!

Top Comment: Never run into an HSTS conversation, but your story reminds me of how I had to explain to an auditor on multiple occasions why there was no hardened GNOME configuration on our headless servers.

Forum: r/sysadmin