[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion



On May 14, 2014 11:33 UTC, Michael Wolf Wrote:
> On 5/13/2014 9:21 PM, Asa Rossoff wrote:
>> On May 14, 2014 00:51 UTC, Michael Wolf wrote:
>>> I had an idea recently that might be an improvement (or might not?) on
>>> the darkweb-everywhere concept.  What if we introduced an HTTP header
>>> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
>>> sites that wished to advertise their .onion address?  Just like HSTS,
>>> the header would only be acted upon if received over HTTPS (we don't
>>> want malicious parties injecting headers and redirecting people).
>>> Future versions of TBB could perhaps automatically redirect users to the
>>> .onion site when this header is present, or perhaps prompt users to
>>> inform them of the hidden service.
>> 
> <snip>
>> 
>> One potential bad thing is correlating your initial request with the
onion
>> URL request you are redirected to, especially for third-party content on
a
>> website (from URLs not in the address bar), e.g. advertising and tracking
>> images, cookies, and scripts.  The header could be ignored for those too
as
>> a matter of policy as well, though.  But even first-party redircects will
>> potentially give the site operator any information they garnered from
your
>> initial connection, and maybe malicious exits could conspire to be
involved
>> in hosting websites and further profile you.
> 
> I thought about that -- but I don't think much is at risk.  The browser
> would receive the header on its first request to the site, before it
> received any links to advertising or loaded additional resources from
> third parties.  If the browser immediately drops the connection and
> opens a new connection to the .onion site, what has anyone learned that
> they didn't already know?  The target site saw a connection from an exit
> node, and then a connection to the hidden service, so it can assume that
> this is the same person... but how is that any worse than you continuing
> to connect to them over clearnet?  The third parties never see a
> connection until after the page has loaded from the .onion domain, so
> there's no contamination there.  Am I missing something?

Consider your scenario with one change: the first-party clearnet host does
not implement the X-Onion-Address header, but third-party embedded hosts
aiming to profile and track user activities do.  Any cookies or custom URLs
or other means that they manage to use to track you, even if only during a
browser session, might be linked to both clearnet and onion activity more
easily, creating a cross-TLD profile (Of course, maybe I'm missing something
obvious and default configurations might already allow this by simply
allowing embedding .onions in clearnet and vice-versa?).  If the user
provides identifying credentials or other data somewhere, it may be more
readily used to build a cross-session profile that covers more user
activity.  There are so many ways to leak identifying information.  I'm not
entirely sure of the significance of this observation, to be honest, but I
hope someone else has a better handle on it than me :). It's possible that
it does not pose a new risk and I'm mistaken.

I like the proposal as a good current-tech step for a trusted source of
clearnet/onion association.  It seems better than a single third-party
database.  A real problem even if you trusted the content of third-party
database is that if it were very large, it would have to be queried by
everyone as much as the DNS system, and the database provider could
profiling information.  Another alternative would be a DNS record, maybe
something like a CNAME record.. an ONAME, or something else, to be used if
possible.  IF you have a trusted DNS record (DNSSEC has its issues but
should be as trustworthy as SSL identity, as I understand it), this "ONAME"
redirect would not be able to be customized on a per-user basis, unlike a
server header, and the DNS records might also carry a lower risk of being
hijacked/manipulated by a malicious entity unrelated to the host than the
host server itself.  URLs might still contain or point to identifying data,
but I think it would prevent a web host from easily redirecting different
users to different onion hosts.  I think the onion:clearnet domain names
would have a 1:1 relationship assuming DNSSEC and something like an ONAME
record, and so that routing information would be better secured by DNS with
DNSSEC.

A low-level routing/DNS-level solution would also work for non-HTTP
connections, another possible advantage.  On the con side, I guess an onion
host could not advertise it's clearnet address in a similar way, but that
seems like a less useful function anyway.

> 
>> The header should definitely be ignored if the browser made any direct
>> connection to the site (non-Tor), as that could directly expose your
>> original IP to the hidden service and any other data profiled, although
this
>> is a non-issue in a correctly configured TBB.  Just a warning for any
other
>> browsers/parties who try to implement the feature.
> 
> Agreed.  The redirect probably shouldn't be automatic anyway, unless the
> user specifically configures it that way with an user preference
> somewhere.  A once-per-session prompt with a "Don't ask me again"
> checkbox would be nice.
> 
> -- Mike

Asa
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk