== Preventing SSLStrip Attacks ==

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = If clicking or pasting a download link, make sure it is <code>http'''s'''://</code>. The <code>s</code> in <code>http'''s'''://</code> stands for "secure".
}}
Users often mistakenly believe that a secure, green padlock and a <code>http'''s'''://</code> URL makes any download from that particular website secure. This is not the case because the website might be redirecting to <code>http</code>. In fact, an [https://security.stackexchange.com/questions/41988/how-does-sslstrip-work SSLstrip attack] might succeed if a link is pasted or typed into the address bar without the <code>https://</code> component (e.g. <code>torproject.org</code> instead of <code>https://torproject.org</code>). <ref>And that website does not:

* Use [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HTTP Strict Transport Security (HSTS)]. See also: https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly. Without HSTS, sites with non-encrypted resources or sub-domains are vulnerable to SSLstrip.
* Have a [https://www.eff.org/https-everywhere HTTPS Everywhere] rule in effect.
* Use [https://blog.mozilla.org/security/2012/11/01/preloading-hsts/ HSTS preloading].
* Use [https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning HTTP Public Key Pinning]. See also: https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html. HPKP limits trust to a handful of Certificate Authorities, but is not used by many websites due to the risk of site breakage if keys are not managed vigilantly.
</ref>

In this instance, it is impossible to confirm if the file is being downloaded over <code>https://</code>. Potentially, a SSLstrip attack might have made the download take place over plain <code>http</code>. The reason is a padlock is not visible; it just appears empty.

To avoid this risk and similar threats, <u>always explicitly type or paste <code>https://</code> in the URL / address bar</u>. The SSL certificate button or padlock will not appear in this instance, but that is nothing to be concerned about. Unfortunately, few users follow this sage advice; instead most mistakenly believe pasting or typing www.torproject.org into the address bar is safe.

= Other Precautions =

For even greater safety, download files from onion services (<i>.onion</i> addresses) whenever possible. Improved security is provided by [[Tor_Browser#Onion_Services_Encryption|onion service]] downloads, since the connection is encrypted end-to-end (with PFS), targeting of individuals is difficult, and adversaries cannot easily determine where the user is connecting to or from.

Also, if files are already available in repositories, then prefer mechanisms which simplify and automate software upgrades and installations (like apt functions), rather than download Internet resources. Avoid installing unsigned software and be sure to always [[Verifying_Software_Signatures|verify key fingerprints and digital signatures of signed software]] from the Internet, <i>before</i> importing keys or completing installations. For more on this topic, see: [[Install_Software#Best_Practices|Installing Software Best Practices]].

Finally, consider using [[Multiple_{{project_name_workstation_short}}|Multiple {{project_name_workstation_long}}s]] when downloading and installing additional software, to better compartmentalize user activities and minimize the threat of misbehaving applications.