Re: [tor-bugs] #21952 [User Experience]: Increasing the use of onion services through automatic redirects and aliasing
#21952: Increasing the use of onion services through automatic redirects and
aliasing
-----------------------------+-----------------------
Reporter: linda | Owner: linda
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: User Experience | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------+-----------------------
Comment (by ilf):
cypherpunks: What "safety" properties are you looking for?
If you visit https://pad.riseup.net, you put some level of trust in DNS,
TLS (with X.509), and the server itself. But once you connect to it, you
trust the server to give you the content that you requested and that it is
authorized to give you.
We propose to allow that server in that connection to tell you his hidden
service and redirect you to it. If this can successfully be MITM'd, so can
the original content. So the attack vector is no different there.
OTOH, this makes it a lot easier to discover the .onion of a server,
because clients get it directly from the server itself, not from any third
entity like plugins or other websites. This minimizes a human attack
vector like error or wrong information.
What I would recommend against is a redirect already on cleartext HTTP
without HTTPS, like http://ev0ke.net/ is currently doing. That's why we
want to test and discuss this to find and write down best practices.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21952#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
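
The rule argued for in the comment above (honor a server-supplied .onion redirect only when it arrives over HTTPS, never over cleartext HTTP), sketched as a client-side check. This is an added example, not code from the ticket or from Tor Browser. It assumes an "https" origin means the client already validated the certificate; the function names and the onion address are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Onion names are base32: 16 characters (v2) or 56 characters (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
REDIRECT_CODES = (301, 302, 303, 307, 308)


def is_onion_url(url):
    """True if url is http(s) and its host is a well-formed .onion name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host.endswith(".onion"):
        return False
    # Subdomains are allowed; only the label directly before ".onion" is checked.
    label = host[: -len(".onion")].rsplit(".", 1)[-1]
    return bool(ONION_LABEL.match(label))


def accept_onion_redirect(origin_url, status, location):
    """Decide whether to follow a redirect to an onion service.

    Returns (accepted, reason). Assumption: an https origin was
    certificate-validated before this function is called.
    """
    if status not in REDIRECT_CODES:
        return False, "not a redirect"
    if not location or not is_onion_url(location):
        return False, "target is not a well-formed .onion URL"
    if urlsplit(origin_url).scheme != "https":
        # Anyone on the path can rewrite a cleartext response, so the
        # advertised onion address cannot be attributed to the server.
        return False, "redirect arrived over cleartext HTTP"
    return True, "redirect arrived over authenticated HTTPS"


# Constructed sample responses: (origin URL, status code, Location header).
SAMPLES = [
    ("https://pad.riseup.net/", 302, "http://exampleonionaddr.onion/"),
    ("http://site.example/", 302, "http://exampleonionaddr.onion/"),
    ("https://site.example/", 302, "http://not-an-onion.example/"),
]

if __name__ == "__main__":
    for origin, status, location in SAMPLES:
        print(origin, "->", accept_onion_redirect(origin, status, location))
```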