[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Onion available does not appear in http version

To: "tor-talk@xxxxxxxxxxxxxxxxxxxx" <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] Onion available does not appear in http version
From: "Syverson, Paul F CIV USN NRL (5543) Washington DC (USA)" <paul.syverson@xxxxxxxxxxxx>
Date: Mon, 22 Mar 2021 18:21:04 +0000
Accept-language: en-US
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 22 Mar 2021 14:58:15 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nrl.navy.mil; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=s2.dkim; bh=1shWlZb/LczwGhqmpPi0SDl1+z24yHGliIFE1wrMM1g=; b=FmHeBl0UTRnNq6ffAOU36dw38lOyt46E/bwYC+iYpIPGoeQjhCUhYlsqxSE0bUAl3J94 OBX9Q/yvvIfLS61fKUvw6YTWTPyb6Ny/krTKpZklfGMIERNfWGQgI6K8Gqpj4K6pB0Vc Tu31fQpSKAXtCuCxVC+AptXHH78M76kxYJI3lnO+3zkMcQrYBM+by6KBDOBaU9nFBNB9 cALjfdWB0kxNP9/vld2Mi6TMCw/ZMxeJyvKKtmdfDfPNiwmQoti52WfA420WdK+9HERZ o97FcdPXAhJne3eR1HonLN6NJycSGL7w82at7TY5Wz14EHvubEBOTHEJwtrsVEdakQSR 7g==
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nrl.navy.mil; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=s1.dkim; bh=1shWlZb/LczwGhqmpPi0SDl1+z24yHGliIFE1wrMM1g=; b=nm88QaodKNmzm74I7bbPZsQa7+e9qZtvL0s7+LDJMRpH1wnTnEQ83soKjux8W0rac8bO vav1ZSlEnkHWcHGwsuEdeO9QsC6E+I+/6SQex83VPLS+/hMSagille16jYg4/9Er1j/y sqzls7NYh03NCXZUpd2BAAbX3iOPm9JG1a4=
In-reply-to: <20210322170604.tfwujp4dzqntfsxu@mars-attacks.org>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20210322015814.4to7wrgq3mtskoae@satania> <20210322170604.tfwujp4dzqntfsxu@mars-attacks.org>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
Thread-index: AQHXHzdQeZaHN/VnXkyW+ERrTDB5IqqQf+gAgAAVOIA=
Thread-topic: [tor-talk] Onion available does not appear in http version

On Mon, Mar 22, 2021 at 06:06:04PM +0100, Nicolas Vigier wrote:
> On Mon, 22 Mar 2021, qorg11 wrote:
> 
> > The "Onion available" does not appear in a plain http version of a
> > website. But it does appear in the https version. I checked and my
> > website does have the onion-location header in the plain http
> > version. But tor browser doesn't show the button. Is this intended
> > behaviour? I've attatched some screenshots.
> 
> It is intended behaviour:
> https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/100-onion-location-header.txt
> 
> "The webpage defining the Onion-Location header must be served over
> HTTPS."
> 

To expand a little bit on this:

It's an instance of the general problem of unencrypted content.
If you attempt to connect to http://example.com, over Tor, any
malicious party who can intercept that connection once it leaves Tor's
encryption (such as the exit relay if it is malicious) could send you
a fake version of example.com with an "onion available" and a link to
whatever onion address they own. So you would end up at a fake
onion address for example.com.
Worse, for subsequent visits to example.com, as long as your browser
keeps track of the decision, they don't even have to hijack the
connection to get you to go to the fake onion address for example.com,
your browser will automatically connect to the fake onion address when
it sees a request to visit example.com.

But if onion location is limited to https connections, then to do
this attack they would also have to hijack the certificate that says
this encrypted connection is really to example.com,
which is harder and exposes more risk of detection than the above.
We have things in the works to make it harder still (TLS hijack is not
enough), but I hope that helps.

Si Vales, Valeo,
Paul
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Onion available does not appear in http version
  - From: qorg11
- Re: [tor-talk] Onion available does not appear in http version
  - From: Nicolas Vigier

Prev by Author: Re: [tor-talk] Tor 0.4.6.1-alpha is released
Previous by thread: Re: [tor-talk] Onion available does not appear in http version
Index(es):
- Author
- Thread