On 2/28/14 2:25 AM, Roger Dingledine wrote:
> I don't really want to get into the business of writing an /etc/hosts file for public website -> hidden service mappings.
Maybe an option to avoid that would be to do something along the lines of HSTS. A Tor-Transport-Security header, that would specify the hidden service that corresponds to the clearnet website being reached, only when reaching the clearnet website over authenticated TLS.
After receiving such a header, the TBB would refuse to load the clearnet website, and instead reach the .onion site for the specified max-age. The .onion site would (have the authority to) update the max-age too.
It would change browser behavior based on past user behavior, which allows for (some limited?) fingerprinting attacks.
Also, like with HSTS, you are still trusting the TLS PKI for the first connection if you don't preload the list. Though, without this you would need to trust the TLS PKI anyway, so there is not much to lose.
Regards,
Gerard

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
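As an added illustration of the header proposal above (not code from the thread or from Tor Browser), here is a small Python model of the client-side policy store: the header is honoured only when it arrives over authenticated TLS, the pinned .onion may update or clear its own max-age, and expired pins fall back to clearnet. The header syntax `onion=<addr>.onion; max-age=<seconds>` is an assumption, modelled on HSTS.

```python
import re
import time
# v2 (16 chars) and v3 (56 chars) base32 onion names; header syntax is assumed.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

def parse_tts(value):
    # Parse "onion=<addr>.onion; max-age=<seconds>"; None on any malformed input.
    fields = {}
    for part in value.split(";"):
        if "=" not in part:
            return None
        k, v = (s.strip().lower() for s in part.split("=", 1))
        fields[k] = v
    onion, age = fields.get("onion"), fields.get("max-age")
    if onion is None or age is None or not ONION_RE.match(onion) or not age.isdigit():
        return None
    return onion, int(age)
class TTSStore:
    def __init__(self, now=time.time):
        self._pins = {}  # clearnet host -> (onion, absolute expiry in seconds)
        self._now = now
    def process_header(self, origin, value, authenticated_tls):
        # Apply a header from a response served by `origin`; True if the store changed.
        parsed = parse_tts(value)
        if parsed is None:
            return False
        onion, max_age = parsed
        if origin.endswith(".onion"):
            # The .onion site may only update pins that already point at itself.
            hosts = [h for h, (o, _) in self._pins.items() if o == origin == onion]
            for h in hosts:
                self._apply(h, onion, max_age)
            return bool(hosts)
        if not authenticated_tls:
            return False  # plain HTTP or unverified TLS: header is ignored
        self._apply(origin, onion, max_age)
        return True
    def _apply(self, host, onion, max_age):
        if max_age == 0:
            self._pins.pop(host, None)  # max-age=0 clears the pin, as with HSTS
        else:
            self._pins[host] = (onion, self._now() + max_age)
    def lookup(self, host):
        # Return the .onion the browser must use instead of `host`, or None.
        onion, expires = self._pins.get(host, (None, 0.0))
        if onion is not None and expires <= self._now():
            del self._pins[host]  # pin has lapsed; clearnet is allowed again
            return None
        return onion
```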