
[tor-talk] torproxy support for forced https



>
> To get all the ways in which web browsers treat https differently
> from http: mixed content warnings, cookie policies etc. pp.
> Browsers won't special-case .onion as 'like https', and should not
> because whether they actually are depends on things outside the
> browser.
>

I suggest torproxy could generate a random CA certificate when it's
installed and transparently convert all http to https, generating the
required SSL certificates on-the-fly and signing them with the random CA
certificate.  The user would then have to add the random CA certificate to
their browser, or better yet, this could somehow be automated for the Tor
Browser.  One open question with this scheme is whether torproxy would also
need to rewrite html content to change http urls to https.

Alternately, the Tor Project could ask Mozilla and other browser
developers to add a switch for "treat .onion as secure".  Or maybe it could
be "treat .onion as secure but only if certain conditions hold, such as the
proxy is running on the localhost and a to-be-determined status query of
the proxy succeeds".
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk