My Tor browser is sending data to securedrops.org. Did I get hacked or is this normal?

I’m using Tor Browser in a disposable qube. A while back, I found this monitoring tool called ‘tor circuits’ in the Tor control panel and decided to check it out. I found a weird coincidence: every time I open a disposable Tor Browser, it connects to securedrop.org:443, aus1.torproject.org:443, versioncheck-bg.addons.mozilla.org:443, and ocsp.digicert.com:80, uploading about 20 KB of data.

Also, on every sys-whonix startup, I connect to 3 random onion sites for a few seconds. Most are SecureDrop onion domains for journals like Forbes or the Financial Times. There was also the CryptoStorm VPN onion site and some obscure blog by a guy named ‘daniel’.

Has my stuff been hacked by the glowies? Is this some kind of silent data exfiltration? Or is this normal behavior for Tor Browser and Qubes OS?


I just signed up to state that I’m seeing the same thing in TAILS OS. TAILS 7.0 with Tor Browser 14.5.7.
I start Tor Browser and, maybe not the first time, but I see this securedrop connection at least after using the Live OS for a bit, including Tor Browser sessions of random browsing. It is hard to pin down due to the Home Page setting reverting to the identifiable “tails dot net” (any traffic correlation attack then knows this is a TAILS host).
I can tell you that securedrop is one of the hosts (or seems to be) that TAILS uses for its internet connectivity check, alongside adobe and other well-known domains, for example. However, when I try to start Tor Browser again without opening any other sites (sometimes offline), I can’t, because of the stupid insistence on resetting the Home Page to tails.net. So I close the tab and try not to open anything. Often successfully, except for this one securedrop connection (alongside pki google com, I think, on TCP port 80, which is an HTTPS certificate validation connection, I believe).
That’s all I know. It did look a bit dodgy, when the browser is doing that AFTER the Tor connection had already been up for a long time BUT the browser had just been re-launched from closed. In case it is interesting, I am in quite a hostile network environment and probably on a compromised router and computer, due to a nasty combination of security negligence and being a target for oppression! Which isn’t going away any time soon due to who is in charge of the world. Good luck everyone!


Hi @nilokagon and @MassSurveillHegemony, I’m on the SecureDrop team. Apologies for not seeing your messages sooner.

Short version: Two separate things are happening. Tor Browser’s HTTPS Everywhere ruleset functionality explains securedrop.org:443, and Whonix’s sdwdate.d likely explains what you’re seeing with the onion name connections, but you can reach our support team if you’re concerned or want more follow-up; contact is below.

Longer version: The connection to securedrop.org that you’re both seeing when you open Tor Browser is likely the HTTPS Everywhere ruleset check. Since 2020 [0], Tor Browser has bundled the former Firefox extension natively, and the section of that blog post called “Onion Names” explains how the functionality is used by SecureDrop [1]. Tor Browser upstreamed our HTTPS Everywhere ruleset [2] to allow the ruleset to be used from a vanilla Tor Browser, allowing would-be sources who need the ruleset to blend in with general Tor Browser users. However, that means that there is a ruleset freshness check to securedrop.org, which is where the signed ruleset lives. (The ruleset is maintained by us to allow for timely updates and avoid burdening the Tor Browser team.)

The checks to different onion names that @nilokagon saw are something unrelated. Those look like something that Whonix itself has implemented independently in sdwdate.d; thank you for bringing that to our attention. I would say the Whonix forums are the best place for follow-up on that. (I did take a quick peek and see cryptostorm.is and danwin, aka “some guy named daniel”, but please do check and make sure the connections you’re seeing match what’s there.)

Hopefully this information is helpful. If you have any further concerns, our support address is securedrop@freedom.press [3] (GPG key linked there).


[0] New Release: Tor Browser 9.5 | The Tor Project
[1] Introducing Onion Names for SecureDrop
[2] https://github.com/freedomofpress/securedrop-https-everywhere-ruleset/, located at https://securedrop.org/https-everywhere/
[3] Getting Support — SecureDrop stable documentation
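To make the mechanism in the reply above concrete, here is an added illustration that is not code from the original thread, from SecureDrop or from Tor Browser. It assumes the HTTPS Everywhere ruleset JSON shape (entries with `name`, `target` and `rule` lists, each rule a `from` regex and a `to` replacement) and the update-channel convention of publishing a Unix timestamp that the client compares against its cached copy before downloading a new signed bundle. The ruleset contents, the `examplenews` name and the 56-character onion address are constructed placeholders; the detached-signature verification that the real channel performs is not reproduced here because it needs the channel’s public key.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the HTTPS Everywhere ruleset JSON shape. The onion
# name and the all-'a' onion address are placeholders, not SecureDrop's data.
PLACEHOLDER_ONION = "http://" + "a" * 56 + ".onion/"
SAMPLE_RULESETS_JSON = json.dumps([
    {
        "name": "Example News SecureDrop",
        "target": ["examplenews.securedrop.tor.onion"],
        "rule": [
            {"from": r"^https?://examplenews\.securedrop\.tor\.onion/",
             "to": PLACEHOLDER_ONION},
        ],
    },
])


def load_rulesets(text):
    """Parse ruleset JSON into a list of (targets, [(compiled_from, to)])."""
    parsed = []
    for entry in json.loads(text):
        rules = [(re.compile(r["from"]), r["to"]) for r in entry["rule"]]
        parsed.append((entry["target"], rules))
    return parsed


def _host_matches(host, target):
    # Simplified wildcard handling: "*.example" matches any subdomain of
    # "example"; anything else must match the host exactly.
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target


def resolve_onion_name(url, rulesets):
    """Rewrite a human-readable onion name URL to its .onion URL.

    Returns None when no ruleset targets the URL's host, which is what
    happens for ordinary sites: the ruleset only affects the names it lists.
    """
    host = urlsplit(url).hostname or ""
    for targets, rules in rulesets:
        if not any(_host_matches(host, t) for t in targets):
            continue
        for pattern, replacement in rules:
            if pattern.search(url):
                return pattern.sub(replacement, url, count=1)
    return None


def needs_refresh(cached_timestamp, published_timestamp):
    """Freshness check as assumed for the update channel: the client fetches
    only a small timestamp file and downloads the signed bundle solely when
    the published timestamp is newer than the cached one."""
    return published_timestamp > cached_timestamp


if __name__ == "__main__":
    rs = load_rulesets(SAMPLE_RULESETS_JSON)
    print(resolve_onion_name(
        "https://examplenews.securedrop.tor.onion/submit", rs))
    print(resolve_onion_name("https://example.com/", rs))
    print(needs_refresh(1700000000, 1700086400))
```

The small size of the freshness exchange is consistent with the roughly 20 KB per browser start reported in the first post: a timestamp comparison costs a few bytes, and the bundle itself is fetched only when the comparison says it is stale.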