[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion

On 5/13/2014 9:32 PM, Mirimir wrote:
> On 05/13/2014 06:51 PM, Michael Wolf wrote:
>> I had an idea recently that might be an improvement (or might not?) on
>> the darkweb-everywhere concept.  What if we introduced an HTTP header
>> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
>> sites that wished to advertise their .onion address?  Just like HSTS,
>> the header would only be acted upon if received over HTTPS (we don't
>> want malicious parties injecting headers and redirecting people).
>> Future versions of TBB could perhaps automatically redirect users to the
>> .onion site when this header is present, or perhaps prompt users to
>> inform them of the hidden service.
>> -- Mike
> If I'm going to use <https://344c6kbnjnljjzlz.onion>, I'd rather not be
> redirected from <https://vfemail.net>. It's a small risk, but wouldn't
> it be better to get onion addresses from some trusted site via HTTPS?

You don't trust vfemail.net to give you their proper .onion address over
https?  Why would you trust a third party more?  It may be a matter of
preference, but I feel the opposite about it.  I consider "some trusted
site" to be a single point of failure, a desirable target to be
exploited, and unnecessary overhead.  Who would manage the site?  How
would you get your site listed?  How do you ensure that people don't
list .onion sites for clearnet sites that they don't control?  It seems
like a lot of additional effort compared to adding one line in an
.htaccess file.  I just don't see any benefit at all of having a third
party handle this.

-- Mike
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to