
Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion

* on the Wed, May 14, 2014 at 08:08:45AM -0400, Michael Wolf wrote:

>> I would prefer it if the people who run websites with hidden service
>> alternatives would simply check if the client IP is a Tor exit node,
>> and then advertise the availability of the hidden service to such
>> users inside the actual website.
> Adding a header is one line in an .htaccess file for Apache.  It's one
> line in a configuration file for nginx as well.  The instructions for
> telling people to add this header would be the same for every site using
> Apache/nginx, respectively.  'Simply check[ing] if the client IP is a
> Tor exit node, and then advertis[ing] the availability of the hidden
> service to such users' is not nearly as simple (definitely not a
> 'one-liner'), and would require a unique/custom solution for nearly
> every site.

On the other hand, I could implement my solution today on my website in
probably less than 20 minutes and it would work with all browsers.
Whilst the header solution would require one or more browser plugins to
be written, tested, maintained and distributed. It would be nice if it
would come pre-installed with TBB, but until it does, I'm not going to
hold my breath waiting.

However it is implemented, my main concern would be that users are
simply informed of the existence of the onion site, rather than being
force redirected to it.

> Checking for exit node IP addresses can also fail.  Records are not
> always fresh, some exit nodes use a different IP address for incoming
> vs. outgoing traffic, and some users may be using a VPN after tor (even
> if it is a bad idea), giving a false negative.  The header has none of
> these problems.  The header is a simple advertisement that the site
> offers its content at an .onion domain.  The user agent (or plugin) is
> free to use or ignore this information as it pleases.  It's simple, it
> doesn't fail, and it doesn't require additional interaction with a third
> party (no DNS requests leaking who is connecting to a site...).

To make it even simpler, maybe use a meta tag.

The ideal solution IMO would be a generic web standard which allows us to
advertise the existence of alternative domains which can be used to reach
the same content. That way, browsers might have native support without a
plugin being required. The biggest issue with that is probably how to
display the info in the browser UI. It seems Firefox and Chrome are trying
to display as little info as possible to the user these days.

Another use case for the generic web standard route would be general
censorship resistance and fault tolerance. If access to a website gets
blocked or fails for some reason, the browser may be able to pop up a
message informing the user how else they can access the content if they
have previously visited the site and received a list of
alternate domains.

Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
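
The server-side approach debated in this message (check the client IP against a list of Tor exit addresses, then inform the user rather than redirect), sketched as an added example that is not part of the original post or the author's site code. The one-IP-per-line list format, the `ONION_URL` placeholder, the `MAX_AGE` cutoff and the function names are assumptions made for illustration.

```python
import html
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample exit list using documentation-range addresses, not real relays.
SAMPLE_EXIT_LIST = """\
# constructed sample, one address per line (assumed format)
192.0.2.10
198.51.100.7
2001:db8::42
not-an-ip
"""
ONION_URL = "http://placeholder-onion-address.onion/"  # placeholder, not a real service
MAX_AGE = timedelta(hours=6)  # assumed cutoff after which the list is treated as stale

def parse_exit_list(text):
    """Return the set of valid addresses, skipping comments and malformed lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # ignore garbage instead of failing the whole load
    return exits

def onion_notice(client_ip, exits, fetched_at, now=None):
    """Return banner HTML for a known exit address, else None. Never redirects."""
    now = now or datetime.now(timezone.utc)
    if now - fetched_at > MAX_AGE:
        return None  # stale records: show nothing rather than guess
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    # Dual-stack listeners may report IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr not in exits:
        return None  # also the outcome for exits whose outgoing IP is unlisted
    url = html.escape(ONION_URL, quote=True)
    return ('<p class="onion-notice">This site is also reachable as a hidden '
            'service: <a href="%s">%s</a></p>' % (url, url))
```

A `None` result covers the false negatives raised in the quoted reply (stale records, an exit whose outgoing address differs from its listed one, a VPN after Tor), so the page simply renders without the notice in those cases.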
