[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Onion available does not appear in http version

On Mon, Mar 22, 2021 at 06:06:04PM +0100, Nicolas Vigier wrote:
> On Mon, 22 Mar 2021, qorg11 wrote:
> > The "Onion available" does not appear in a plain http version of a
> > website. But it does appear in the https version. I checked and my
> > website does have the onion-location header in the plain http
> > version. But tor browser doesn't show the button. Is this intended
> > behaviour? I've attatched some screenshots.
> It is intended behaviour:
> https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/100-onion-location-header.txt
> "The webpage defining the Onion-Location header must be served over

To expand a little bit on this:

It's an instance of the general problem of unencrypted content.
If you attempt to connect to http://example.com, over Tor, any
malicious party who can intercept that connection once it leaves Tor's
encryption (such as the exit relay if it is malicious) could send you
a fake version of example.com with an "onion available" and a link to
whatever onion address they own. So you would end up at a fake
onion address for example.com.
Worse, for subsequent visits to example.com, as long as your browser
keeps track of the decision, they don't even have to hijack the
connection to get you to go to the fake onion address for example.com,
your browser will automatically connect to the fake onion address when
it sees a request to visit example.com.

But if onion location is limited to https connections, then to do
this attack they would also have to hijack the certificate that says
this encrypted connection is really to example.com,
which is harder and exposes more risk of detection than the above.
We have things in the works to make it harder still (TLS hijack is not
enough), but I hope that helps.

Si Vales, Valeo,
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to