[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion
From: Gerardus Hendricks <konfkukor@xxxxxxxxxx>
Date: Fri, 28 Feb 2014 18:13:48 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 28 Feb 2014 12:26:51 -0500
In-reply-to: <20140228012548.GL22584@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <530E784E.4010004@xxxxxxxxxx> <20140227170608.1D913AE366@xxxxxxxxxxxxxxxx> <20140228012548.GL22584@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.3.0

On 2/28/14 2:25 AM, Roger Dingledine wrote:

I don't really want to get
into the business of writing an /etc/hosts file for public website ->
hidden service mappings.

Maybe an option to avoid that would be to do something along the linesof HSTS. A Tor-Transport-Security header, that would specify the hiddenservice that corresponds to the clearnet website being reached, onlywhen reaching the clearnet website over authenticated TLS.

After receiving such a header, the TBB would refuse to load the clearnetwebsite, and instead reach the .onion site for the specified max-age.The .onion site would (have the authority to) update the max-age too.

If would change browser behavior based on past user behavior, whichallows for (some limited?) fingerprinting attacks.

Also, like with HSTS, you are still trusting the TLS PKI for the firstconnection if you don't preload the list. Though, without this you wouldneed to trust the TLS PKI anyway, so there is not much to lose.


Regards,
Gerard

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Using HTTPS Everywhere to redirect to .onion
  - From: fortasse
- Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion
  - From: Kill Your TV
- Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion
  - From: Roger Dingledine

Prev by Author: Re: [tor-talk] Can I set multiple socks5 proxies within torrc for my tor?
Next by Author: Re: [tor-talk] about circuit management
Previous by thread: Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion
Next by thread: Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion
Index(es):
- Author
- Thread