
Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion

On 5/14/2014 4:23 AM, Mike Cardwell wrote:
> * on the Tue, May 13, 2014 at 08:51:28PM -0400, Michael Wolf wrote:
>> I had an idea recently that might be an improvement (or might not?) on
>> the darkweb-everywhere concept.  What if we introduced an HTTP header
>> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
>> sites that wished to advertise their .onion address?  Just like HSTS,
>> the header would only be acted upon if received over HTTPS (we don't
>> want malicious parties injecting headers and redirecting people).
>> Future versions of TBB could perhaps automatically redirect users to the
>> .onion site when this header is present, or perhaps prompt users to
>> inform them of the hidden service.
> I would prefer it if the people who run websites with hidden service
> alternatives would simply check if the client IP is a Tor exit node,
> and then advertise the availability of the hidden service to such
> users inside the actual website.
> This wouldn't be that difficult either. We have the Tor DNSEL, and
> there are also a few Apache modules which allow you to perform DNSBL
> style lookups on the client IP and perform different actions based on
> the result, such as setting environment variables/headers etc.

Adding a header is one line in an .htaccess file for Apache.  It's one
line in a configuration file for nginx as well.  The instructions for
telling people to add this header would be the same for every site using
Apache/nginx, respectively.  'Simply check[ing] if the client IP is a
Tor exit node, and then advertis[ing] the availability of the hidden
service to such users' is not nearly as simple (definitely not a
'one-liner'), and would require a unique/custom solution for nearly
every site.

Checking for exit node IP addresses can also fail.  Records are not
always fresh, some exit nodes use a different IP address for incoming
vs. outgoing traffic, and some users may be using a VPN after Tor (even
if it is a bad idea), giving a false negative.  The header has none of
these problems.  The header is a simple advertisement that the site
offers its content at an .onion domain.  The user agent (or plugin) is
free to use or ignore this information as it pleases.  It's simple, it
doesn't fail, and it doesn't require additional interaction with a third
party (no DNS requests leaking who is connecting to a site...).

-- Mike
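
The client-side rule proposed in the message above (honor `X-Onion-Address` only when it arrives over HTTPS, then let the user agent decide what to do with it), as an added example that is not part of the original message or of any Tor Browser code. The function name `onionAlternative`, the assumption that the header value is a bare hostname, and the use of `http://` for the onion target are all assumptions of this sketch.

```javascript
// Added example: hypothetical handling of the proposed X-Onion-Address header.
// Assumption: the header value is a bare .onion hostname (16- or 56-character
// base32 label, optionally with subdomains), not a full URL.
const ONION_HOST = /^(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$/;

// Returns the onion URL to offer the user, or null if the header must be ignored.
function onionAlternative(responseUrl, headers) {
  let url;
  try {
    url = new URL(responseUrl);
  } catch {
    return null; // unparseable response URL
  }
  // Like HSTS: a header seen over plain HTTP could have been injected in transit.
  if (url.protocol !== "https:") return null;
  // Already on an onion service: nothing to advertise.
  if (url.hostname.endsWith(".onion")) return null;

  // Header names are case-insensitive; require exactly one value.
  const values = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "x-onion-address")
    .map(([, value]) => String(value).trim().toLowerCase());
  if (values.length !== 1) return null;

  const host = values[0];
  // Rejects full URLs, ports, paths, comma-joined duplicates and non-onion hosts.
  if (!ONION_HOST.test(host)) return null;

  // Build the target from the validated host, then copy path and query with
  // setters so a path such as "//other.example/" cannot replace the host.
  const target = new URL(`http://${host}/`);
  target.pathname = url.pathname;
  target.search = url.search;
  return target.href;
}

// Constructed sample input (the onion address is made up for illustration).
const SAMPLE_HEADERS = { "X-Onion-Address": "abcdefghijklmnop.onion" };
console.log(onionAlternative("https://example.com/docs?page=2", SAMPLE_HEADERS));
console.log(onionAlternative("http://example.com/docs?page=2", SAMPLE_HEADERS));
```

Whether the caller redirects automatically or only prompts the user is left to the user agent, as the message suggests.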