[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?



On Sat, 22 Sep 2018, 16:07 Roman Mamedov, <rm@xxxxxxxxxxx> wrote:

> There is no point in running HTTPS-over-Tor-hidden-service, as .onion
> traffic
> is already authenticated and encrypted, it only adds useless overhead.


I see your point, but there are a couple of additional perspectives to be
considered:
https://medium.com/@alecmuffett/onions-certs-browsers-a-three-way-mexican-standoff-7dc987b8ebc8
- especially regarding new functionality that will be locked to HTTPS


If
> there's no way around that with the alt-svc scheme, that seems like a huge
> oversight.
>


Respecting AltSvc on port 80 would be as dangerous, possibly more
dangerous, than cleartext HTTP already is; and regards the notion of making
"onion" into a widely respected secure source equivalent to a HTTPS site,
please see the above essay.

-a
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk