Re: [tor-dev] Special handling of .onion domains in Chrome/Firefox (post-IETF-standarization)

[Alec Muffett <alecm@xxxxxx>]

On Nov 2, 2015, at 20:39, Paul Syverson <paul.syverson@xxxxxxxxxxxx> wrote:

On Mon, Nov 02, 2015 at 09:05:26PM +0200, George Kadianakis wrote:

Hello,

as you might know, the IETF recently decided to formally recognize .onion names
as special-use domain names [0].

This means that normal browsers like Chrome and Firefox can now
handle onion domains in a special manner since they know that they
only correspond to Tor.

How would we like those browsers to treat onions?

For starters, those browsers should refuse to connect to onion
domains entirely.  Onions don't work on normal browsers anyway, and
also this will reduce the onion leakage through the DNS system [1].

Well, maybe not "entirely". Cf. below.

Tangential aside: Chrome currently has a bug open in that it does not yet support onion certificates:

https://code.google.com/p/chromium/issues/detail?id=483614

The Onion RFC lays a burden on DNS to NXDOMAIN onion lookups.  

It says nothing about having browsers block them.

Perhaps the better thing for Tor adoption is - privacy purism enforced by TBB aside - to enable adoption.  

Allow (encourage?) non-TBB browsers to be capable to using Onions.

Roger, after all, stood up movingly at the Aaron Swartz memorial and spoke of letting people pick the security that _they_ wanted, when connecting to a site.

This would, I feel, accord with that position.

    - alec

ps: 

It might be a better idea to point them to tor2web. For one thing
browser providers will be happier with a display that doesn't directly
tell people they need a different browser to get to an intended
address.

Pointing people at tor2web would break SSL, but see this thread, which is a side-show to the larger "how can we get personal onion addresses" discussion: https://twitter.com/AlecMuffett/status/658440124624183296

The display could say something like:

 Oops, seems like you attempted to visit an onion address, a
 specialized address that provides additional security for
 connections to it. The site can be reached via proxy at
 [tor2web-link-to-relevant-onionsite]. To obtain the intended
 security for access to such sites, follow <A HREF="" class="">  "[link-to-page-w-brief-simple-explanation-n-prominent-link-to-download-TBB]">
 these few simple steps</A> .

No doubt some wordsmithing could make this better in various respects
(amongst them, shorter).

Phishing-potential in such dialogues, here?

    -a

What else could we do here? And is there anyone who can lobby for the right
behavior? :)

Of course, we all know that that inevitably those browsers will need
to bundle Tor, if they want to visit the actually secure onion
Internet. But let's give them a bit more time till they realize this
:)

I think something like the above improves the transition path, helping
the world along to better security instead of just waiting for the
world to catch up. (And in any case, perhaps at least a few more
months work would better prepare us for the resulting attention.)

aloha,
Paul

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev