[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] alt-svc supported by TBB

Hash: SHA512

On Fri, Sep 21, 2018 at 9:31 AM Andreas Krey <a.krey@xxxxxx> wrote:
> On Thu, 20 Sep 2018 12:38:56 +0000, Dave Warren wrote:
> ...
> > >Using the test page at https://perfectoid.space/test.php I get either
> > >red or yellow exclusively, no amount of refreshing and/or changing
> > >circuits seems to get green which confirms my own testing on a site I
> > >operate that is participating in the beta.
> >
> > I've been monkeying around a bit, and I can sometimes get this to work,
> > but very infrequently.
> It works some of the time. One point: On first load the page
> cannot be green - you need one round to fetch the alt-svc
> header before you can actually go and use that.
> But then it would be helpful if the site showed how it comes
> to the conclusion of a color - it seems I'm getting a lot of
> red in spite of obviously using tor. (Looks like it is relying
> on cloudflare's judgement via IPCOUNTRY.)
> Once yellow after a 'new circuit' the reload gives a green page.

Right, it doesn't look like https://perfectoid.space/test.php is
consistently setting `alt-svc` for me.

Even when it does, it doesn't *seem* that TBB (8.5a1) isn't going over
.onion there for me? Never see that page turn green, even after a
yellow page. Maybe some issue with that site itself and/or the
particularly complex/long alt-svc that CF is generating? ("alt-svc:
ma=86400; persist=1,h2="cflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion:443";
ma=86400; persist=1,h2="cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443";
ma=86400; persist=1,h2="cflareusni3s7vwhq2f7gc4opsik7aa4t2ajedhzr42ez6uajaywh3qd.onion:443";
ma=86400; persist=1,h2="cflareki4v3lh674hq55k3n7xd4ibkwx3pnw67rr3gkpsonjmxbktxyd.onion:443";
ma=86400; persist=1,h2="cflarejlah424meosswvaeqzb54rtdetr4xva6mq2bm2hfcx5isaglid.onion:443";
ma=86400; persist=1,h2="cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion:443";
ma=86400; persist=1,h2="cflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion:443";
ma=86400; persist=1,h2="cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion:443";
ma=86400; persist=1,h2="cflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion:443";
ma=86400; persist=1")

> Also bad: Firefox doesn't seem to show whether the alt-svc
> was used for a request.

Yeah, that's already an open issue that's on the roadmap AFAIK: [1]

Also, I don't remember where I saw this, but I believe there's some
hope to get a UX like [2]
(i.e., rather than auto-switch, the user should have explicit input on
it. This is related to some discussion about possibly using alt-svc in
an evil way to get a TBB user to a uniquely-generated onion domain and
do other things with that?)

In any case, I did a quick test on propublica.org *not* using
cloudflare's built-in onion service feature (since we're running our
own with our own EV cert anyway), and wanted to mention it here:

Set `alt-svc: h2="www.propub3r6espa33w.onion:443"; ma=300`, and looks
like TBB (8.5a1) actually did silently switch over to using the onion
for the connection. As above, there'd generally be no outward
indication to the user that this has happened, except I'd actually
configured the onion proxying bits (right now running nginx) to throw
the browser a 302 redirect to the onion domain if the HTTP Host header
isn't the onion domain. So, I'd inadvertently set this up to work
where the user actually does get fully redirected over to the onion.

(I've since taken off the alt-svc header, since that was just a quick
test and I'll need to figure out if that's behavior we want in lieu of
the TBB UI getting an explicit user interaction before moving to the
alt-svc. But figured that's worth mentioning for folks who _do_ want
to easily make a clearnet domain redir TBB to an onion domain.)

[1]: https://trac.torproject.org/projects/tor/ticket/27590
[2]: https://trac.torproject.org/projects/tor/attachment/ticket/21952/21952.png

- --
Mike Tigas
Comment: https://mike.tig.as/pgp/

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to