
Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion




On May 14, 2014 00:51 UTC, Michael Wolf wrote:
> On 5/13/2014 7:24 PM, Patrick Schleizer wrote:
>> darkweb-everywhere
>> 
>> "HTTPS Everywhere rulesets for hidden services and eepsites."
>> 
>> https://github.com/chris-barry/darkweb-everywhere
>> 
>
> I had an idea recently that might be an improvement (or might not?) on
> the darkweb-everywhere concept.  What if we introduced an HTTP header
> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
> sites that wished to advertise their .onion address?  Just like HSTS,
> the header would only be acted upon if received over HTTPS (we don't
> want malicious parties injecting headers and redirecting people).
> Future versions of TBB could perhaps automatically redirect users to the
> .onion site when this header is present, or perhaps prompt users to
> inform them of the hidden service.

Interesting idea.  Nice thing is no additional trusted third-party required
(putting aside certificate authorities for SSL and any intermediaries a
website host/hoster may involve).

One potential bad thing is correlating your initial request with the onion
URL request you are redirected to, especially for third-party content on a
website (from URLs not in the address bar), e.g. advertising and tracking
images, cookies, and scripts.  The header could be ignored for those too as
a matter of policy as well, though.  But even first-party redirects will
potentially give the site operator any information they garnered from your
initial connection, and maybe malicious exits could conspire to be involved
in hosting websites and further profile you.

The header should definitely be ignored if the browser made any direct
connection to the site (non-Tor), as that could directly expose your
original IP to the hidden service and any other data profiled, although this
is a non-issue in a correctly configured TBB.  Just a warning for any other
browsers/parties who try to implement the feature.

Asa
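
The conditions raised in this thread (act on the header only over HTTPS, ignore it for third-party content, ignore it on any non-Tor connection), written as a decision function. This is an added example, not part of the original messages and not Tor Browser code. `X-Onion-Address` is the header name proposed above; the `resp` record, the function names, the bare-hostname value format and the 16- or 56-character base32 label check are assumptions.

```javascript
// Added illustration, not Tor Browser code. `resp` is a hypothetical record:
//   { url, isTopLevel, viaTor, headers }  (headers: plain object)
// Assumption: the header value is a bare onion hostname (the thread defines no format).
const ONION_HOST = /^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$/;

const ignore = (reason) => ({ action: "ignore", reason });

// Header names are case-insensitive, so look the name up without regard to case.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]);
}

function evaluateOnionHeader(resp) {
  const raw = getHeader(resp.headers || {}, "x-onion-address");
  if (raw === undefined) return { action: "none", reason: "header absent" };

  // Any non-Tor connection could tie the real IP to the onion visit.
  if (resp.viaTor !== true) return ignore("connection was not made over Tor");

  // Like HSTS: a header seen over plain HTTP may have been injected in transit.
  let scheme;
  try { scheme = new URL(resp.url).protocol; } catch (e) { return ignore("unparseable response URL"); }
  if (scheme !== "https:") return ignore("not received over HTTPS");

  // Only the document in the address bar counts; ads, trackers and scripts do not.
  if (resp.isTopLevel !== true) return ignore("subresource, not the address-bar document");

  const host = raw.trim().toLowerCase();
  if (!ONION_HOST.test(host)) return ignore("value is not a well-formed onion hostname");

  // Prompting (rather than redirecting silently) is one of the two options raised above.
  return { action: "prompt", onionHost: host };
}

// Constructed sample input; the hostnames are made up.
const sample = {
  url: "https://example.org/",
  isTopLevel: true,
  viaTor: true,
  headers: { "X-Onion-Address": "abcdefghij234567.onion" },
};
console.log(evaluateOnionHeader(sample));
```
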