[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #21361 [Applications/Tor Browser]: Enable browser APIs only allowed in secure contexts for NG HS



#21361: Enable browser APIs only allowed in secure contexts for NG HS
------------------------------------------+----------------------
     Reporter:  legind                    |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 Next Generation Hidden Services provide vastly improved protection against
 brute-force attacks than even many TLS certificates.  Currently, hidden
 services can only utilize browser APIs which require secure context
 https://www.w3.org/TR/secure-contexts/ if they are provided over HTTPS.

 The CA/Browser forum has allowed for Extended Validation HTTPS
 certificates to be issued for .onion addresses
 https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-
 names/, but this both a) requires deanonymization of the HS to comply with
 the EV requirements, and b) is often prohibitively expensive.

 Explicitly allowing browser APIs for onion addresses which are only
 allowed in secure contexts, even if they are not provided over HTTPS,
 would fix this.  It's important to note that the APIs which are allowed
 only in secure contexts have this restriction often because they are
 releasing personally identifiable information about the end user (such as
 location), but this is not necessarily the case.  This obviously does not
 supersede the scrutiny individually applied to the various APIs wrt their
 privacy implications, which is quite a separate consideration.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21361>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs