[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] alt-svc supported by TBB



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, Sep 21, 2018 at 9:31 AM Andreas Krey <a.krey@xxxxxx> wrote:
>
> On Thu, 20 Sep 2018 12:38:56 +0000, Dave Warren wrote:
> ...
> > >Using the test page at https://perfectoid.space/test.php I get either
> > >red or yellow exclusively, no amount of refreshing and/or changing
> > >circuits seems to get green which confirms my own testing on a site I
> > >operate that is participating in the beta.
> >
> > I've been monkeying around a bit, and I can sometimes get this to work,
> > but very infrequently.
>
> It works some of the time. One point: On first load the page
> cannot be green - you need one round to fetch the alt-svc
> header before you can actually go and use that.
>
> But then it would be helpful if the site showed how it comes
> to the conclusion of a color - it seems I'm getting a lot of
> red in spite of obviously using tor. (Looks like it is relying
> on cloudflare's judgement via IPCOUNTRY.)
>
> Once yellow after a 'new circuit' the reload gives a green page.

Right, it doesn't look like https://perfectoid.space/test.php is
consistently setting `alt-svc` for me.

Even when it does, it doesn't *seem* that TBB (8.5a1) isn't going over
.onion there for me? Never see that page turn green, even after a
yellow page. Maybe some issue with that site itself and/or the
particularly complex/long alt-svc that CF is generating? ("alt-svc:
h2="cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443";
ma=86400; persist=1,h2="cflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion:443";
ma=86400; persist=1,h2="cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443";
ma=86400; persist=1,h2="cflareusni3s7vwhq2f7gc4opsik7aa4t2ajedhzr42ez6uajaywh3qd.onion:443";
ma=86400; persist=1,h2="cflareki4v3lh674hq55k3n7xd4ibkwx3pnw67rr3gkpsonjmxbktxyd.onion:443";
ma=86400; persist=1,h2="cflarejlah424meosswvaeqzb54rtdetr4xva6mq2bm2hfcx5isaglid.onion:443";
ma=86400; persist=1,h2="cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion:443";
ma=86400; persist=1,h2="cflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion:443";
ma=86400; persist=1,h2="cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion:443";
ma=86400; persist=1,h2="cflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion:443";
ma=86400; persist=1")

> Also bad: Firefox doesn't seem to show whether the alt-svc
> was used for a request.

Yeah, that's already an open issue that's on the roadmap AFAIK: [1]

Also, I don't remember where I saw this, but I believe there's some
hope to get a UX like [2]
(i.e., rather than auto-switch, the user should have explicit input on
it. This is related to some discussion about possibly using alt-svc in
an evil way to get a TBB user to a uniquely-generated onion domain and
do other things with that?)

In any case, I did a quick test on propublica.org *not* using
cloudflare's built-in onion service feature (since we're running our
own with our own EV cert anyway), and wanted to mention it here:

Set `alt-svc: h2="www.propub3r6espa33w.onion:443"; ma=300`, and looks
like TBB (8.5a1) actually did silently switch over to using the onion
for the connection. As above, there'd generally be no outward
indication to the user that this has happened, except I'd actually
configured the onion proxying bits (right now running nginx) to throw
the browser a 302 redirect to the onion domain if the HTTP Host header
isn't the onion domain. So, I'd inadvertently set this up to work
where the user actually does get fully redirected over to the onion.

(I've since taken off the alt-svc header, since that was just a quick
test and I'll need to figure out if that's behavior we want in lieu of
the TBB UI getting an explicit user interaction before moving to the
alt-svc. But figured that's worth mentioning for folks who _do_ want
to easily make a clearnet domain redir TBB to an onion domain.)

[1]: https://trac.torproject.org/projects/tor/ticket/27590
[2]: https://trac.torproject.org/projects/tor/attachment/ticket/21952/21952.png

- --
Mike Tigas
https://mike.tig.as/
-----BEGIN PGP SIGNATURE-----
Comment: https://mike.tig.as/pgp/

iQIzBAEBCgAdFiEEGzfVMu3Uhpsce8OaFLh4upXaaEoFAluleSoACgkQFLh4upXa
aErVpQ//U36+ZpmgO4sKrc2NF13LFC0rdOxsPfNlEhXX7k/BUPt+VmbRlnOCwpTR
4go2T6i6q3xKnh2WQDsG0JIlmdvEOnMB5iFabvJn/4KOkh2k1TS8SMAwWvl3i2em
7vmomcduj+JasF3JS1TWJ+Wy1UHtnZ3k9snOCpQm2CnUgm9HTL7D2XM59EHtTHb3
PRw3F+m/1BroVV85KHcB4SJXZgMjnp+FMUrZ21bqyhtivmnREJDcktdjjWHiuuUf
sHPC/ytiH9WBDdgUA5Lg1RNajMgNsBFTc4VIit57pbRwUTwQMPxFbDQ2V3uaWbhm
o2ij82fqsYyNT25ROsiQDms2voerBbLw79xPEe5Nxg8F2MgAJ7f+i2eLJfqpAJ19
fsxYWv1WkL57eIN7PJRL8fmyQW8ocbnB3W+Sj58cA1+LXsQVedN0qKYAVa+nKg9Z
/Oa3UUbug/EddPSV02Amxy2VJNlu5Su3QPc3ggspVKiuvr4m9sziNlxo6X0i6cQJ
9F7u3Fu64ffyGuVFEsgsxTc/Q8F+ciK0o7Ds2gS24OjqNFKdTWHuC/AAZpeQqVW8
YAoGmnWdfl/2Q+swzXdUIbRKeHkqTjST4YAUB18O0KzIu6JLgVQo14sD8kzhnL2X
jv1iUpeGyyeXwxHUuHUWImbzWnm85RLCNv3x7eQ79WjSgjbNcI+ItwQBEwoAHRYh
BOk8LVk3LzcQmzAuvZFvvD/f12DEBQJbpXkrAAoJEJFvvD/f12DEW2ECB3wnbQuz
VJrh4VIw0SiRZWn27FCmYgfc72w/CSwdwXZEgrSg4yx+ECCBTLNkou/Jp+DyuBMP
3ZR2bn36niiwJ4ddAgd07PJHBmswtXXhiUtqLSqptZBOvcAHUXMs1DFKnRp9ZOyq
vTGgMSx27RkOpMLozDtNtISBT82eeatn0S10ALpH2Q==
=az6x
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk