[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #21952 [User Experience]: Increasing the use of onion services through automatic redirects and aliasing



#21952: Increasing the use of onion services through automatic redirects and
aliasing
-----------------------------+-----------------------
 Reporter:  linda            |          Owner:  linda
     Type:  enhancement      |         Status:  new
 Priority:  Medium           |      Milestone:
Component:  User Experience  |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:                   |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:                   |        Sponsor:
-----------------------------+-----------------------

Comment (by ilf):

 Thanks Linda for opening this ticket and everyone for jumping in.
 Unfortunately, I feel we are both a little too quick and merging too many
 things into one.

 So first things first:

 == Let's auto-redirect Tor-Users to Hidden Services! ==

 Some websites already redirect Tor users to their Hidden Services:

 * https://securitywithoutborders.org/
 * https://www.privacyinternational.org/
 * https://lists.riseup.net/
 * https://pad.riseup.net/
 * http://ev0ke.net/

 (We planned to publically document how to do this. And then discuss this
 on tor-users. This ticket surpassed our timeline.)

 == This is awesome ==

 1. Other websites punish Tor users. Let's embrace (and "reward") them.
 2. Discovering onions is hard. Let's make it easier.
 3. Client-side redirects (like https://github.com/chris-barry/darkweb-
 everywhere and #19812) are nice. But server-side redirects are better:
   a. The server knows its onion, the client would have to verify it out-
 of-band or trust someone else.
   b. The server admin '''already''' controls, "what sort of security
 properties they get while connecting to your website", [comment:17 arma].
 We are doing the same thing with redirects to HTTPS, TLS properties,
 logging policies, etc. It's the admins server, afterall.

 == User response ==

 Most users didn't freak out. We now have hundreds of users and most don't
 provide feedback. (Like always.)

 Some users do provide feedback, and most say they like it. (Like me.)

 As [comment:16 micah] said, there was only '''one''' user that ran an exit
 at his home but didn't use TBB himself. He now does.

 This works the other way around, too. When I shared a .onion address via
 chat, the other user knew what it was, but never bothered to get TBB
 before. To view the URL, they got TBB - and still use it today. I would
 not have shared the onion URL if I hadn't been auto-redirected.

 And there was '''one''' user, who "freaked out" about the redirect. And
 only because that user used TBB, but didn't know what hidden services are.
 This is exactly the kind of person, i '''want''' to get using TBB.

 == Moving foward ==

 The original issue we gave to Linda was the '''one''' user "freaking out"
 about the server-side redirect.

 A rough first idea was: ''"Maybe TBB should inform users about .onion the
 first time they visit one?"''

 From there it evolved into this bigger debate about UX, URL bars, tabs,
 HTTPS, same-origin policy, darkweb everywhere, and more.

 I'm not exactly sure where we move from here.

 1. Maybe a first step would be to discuss, if TBB should do something the
 very first time it visits a .onion.
 2. When we finally got around to documenting the server-side-onion-
 redirect, I propose to discuss that on tor-users.

 Opinions?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21952#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs