The Problem

When you request a clearnet (non .onion address) through Tor, the request goes through three (can be changed) tor relays, one of which is an exit node.



The first node knows your IP address, but they can't see what you're sending (it's encrypted), the exit node does NOT know your IP, but they CAN see what you're sending (they can decrypt it). This allows the exit node to forward your request to the server you're accessing (e.g. litevault.net).



Not only can the exit node see your traffic, they can also manipulate it. This means it's possible for them to serve you a non-SSL version of our website, bypassing our measures to prevent that happening.



WITHOUT Tor, your browser saves a header we send called HTTP Strict Transport Security, or HSTS for short. This header tells your browser to NEVER try to access LiteVault without SSL, and if the SSL certificate changes (our proof that we are the real owners of LiteVault.net), you will get a big warning telling you that something bad is happening.



The problem with Tor happens primarily due to the Tor Browser Bundle. The Tor browser is configured to be highly anonymous, but because of this, it does NOT remember HSTS headers. This means once you close Tor Browser, it forgets that we told it to NEVER try to access our site without SSL. This means even if you've accessed the site using SSL previously, if you close the browser and come back at another time and your first request to the site goes through a malicious exit node, they can send you a fake version of LiteVault, or even inject malicious Javascript to steal your passwords, as well as modify our Javascript to remove any safeguards.