* on the Wed, May 14, 2014 at 08:08:45AM -0400, Michael Wolf wrote: >> I would prefer it if the people who run websites with hidden service >> alternatives would simply check if the client IP is a Tor exit node, >> and then advertise the availability of the hidden service to such >> users inside the actual website. > > Adding a header is one line in an .htaccess file for Apache. It's one > line in a configuration file for nginx as well. The instructions for > telling people to add this header would be the same for every site using > Apache/nginx, respectively. 'Simply check[ing] if the client IP is a > Tor exit node, and then advertis[ing] the availability of the hidden > service to such users' is not nearly as simple (definitely not a > 'one-liner'), and would require a unique/custom solution for nearly > every site. On the other hand, I could implement my solution today on my website in probably less than 20 minutes and it would work with all browsers. Whilst the header solution would require one or more browser plugins to be written, tested, maintained and distributed. It would be nice if it would come pre-installed with TBB, but until it does, I'm not going to hold my breath waiting. However it is implemented, my main concern would be that users are simply informed of the existance of the onion site, rather than being force redirected to it. > Checking for exit node IP addresses can also fail. Records are not > always fresh, some exit nodes use a different IP address for incoming > vs. outgoing traffic, and some users may be using a VPN after tor (even > if it is a bad idea), giving a false negative. The header has none of > these problems. The header is a simple advertisement that the site > offers its content at an .onion domain. The user agent (or plugin) is > free to use or ignore this information as it pleases. It's simple, it > doesn't fail, and it doesn't require additional interaction with a third > party (no DNS requests leaking who is connecting to a site...). To make it even simpler, maybe use a meta tag. The ideal solution IMO would be a generic web standard which allows us to advertise the existence of alternative domains which can be used to reach the same content. That way, browsers might have native support without a plugin being required. The biggest issue with that is probably how to display the info in the browser UI. It seems Firefox and Chrome are trying to display as little info as possible to the user these days. Another use case for the generic web standard route would be general censorship resistance and fault tolerance. If access to a website gets blocked or fails for some reason, the browser may be able to pop up a message informing the user how else they can access the content if they have previously visited the site and received a list of alternate domains. -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Attachment:
signature.asc
Description: Digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk