[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion

To: <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion
From: "Asa Rossoff" <asa@xxxxxxxxxxxxx>
Date: Tue, 13 May 2014 18:21:09 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 13 May 2014 21:28:36 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lovetour.info; s=ggl; h=from:to:references:in-reply-to:subject:date:keywords:message-id :mime-version:thread-index:content-language:content-type; bh=x9G6CNBurnFvpij06h0gqRPJprnCwpdvhTun5/T3bpA=; b=UZiy9RDcYXmWbnnWwaabQkRWOOpA+qe4DKE5TF8KAojJRYmyoxom0ndQ98QNem07Bd d/r2FQk0Np6nUbbL1yBmRqnx0PsMWJLeLlFa9vWObv/7g3iTl8nK7dF4iMkn19Lh0mZA 4Z9whK2bIV/hK56dmGyr8CxOCCqyq9IpuSKKE=
In-reply-to: <5372BE10.90404@xxxxxxxxxx>
Keywords: Mailing Lists
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <530E784E.4010004@xxxxxxxxxx> <5372A9AD.6030405@xxxxxxxxxx> <5372BE10.90404@xxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
Thread-index: Ac9vD6WRVBoQ51abQuOTFl9Vs3ZmsAAAKo+w

On May 14, 2014 00:51 UTC, Michael Wolf wrote:
> On 5/13/2014 7:24 PM, Patrick Schleizer wrote:
>> darkweb-everywhere
>> 
>> "HTTPS Everywhere rulesets for hidden services and eepsites."
>> 
>> https://github.com/chris-barry/darkweb-everywhere
>> 
>
> I had an idea recently that might be an improvement (or might not?) on
> the darkweb-everywhere concept.  What if we introduced an HTTP header
> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
> sites that wished to advertise their .onion address?  Just like HSTS,
> the header would only be acted upon if received over HTTPS (we don't
> want malicious parties injecting headers and redirecting people).
> Future versions of TBB could perhaps automatically redirect users to the
> .onion site when this header is present, or perhaps prompt users to
> inform them of the hidden service.

Interesting idea.  Nice thing is no additional trusted third-party required
(putting aside certificate authorities for SSL and any intermediaries a
website host/hoster may involve).

One potential bad thing is correlating your initial request with the onion
URL request you are redirected to, especially for third-party content on a
website (from URLs not in the address bar), e.g. advertising and tracking
images, cookies, and scripts.  The header could be ignored for those too as
a matter of policy as well, though.  But even first-party redircects will
potentially give the site operator any information they garnered from your
initial connection, and maybe malicious exits could conspire to be involved
in hosting websites and further profile you.

The header should definitely be ignored if the browser made any direct
connection to the site (non-Tor), as that could directly expose your
original IP to the hidden service and any other data profiled, although this
is a non-issue in a correctly configured TBB.  Just a warning for any other
browsers/parties who try to implement the feature.

Asa
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion
  - From: Michael Wolf

References:
- [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion
  - From: Patrick Schleizer
- Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion
  - From: Michael Wolf

Prev by Author: [tor-talk] How do I separate/isolate Tor streams in TorBirdy
Next by Author: Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion
Previous by thread: Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion
Next by thread: Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion
Index(es):
- Author
- Thread