
Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?

On Sat, Sep 22, 2018 at 4:07 PM, Roman Mamedov <rm@xxxxxxxxxxx> wrote:

> Also, do you mean there's no way to have an Alt-Svc with "[...].onion:80",
> directing to a plain HTTP connection to the hidden service? (Assuming the
> initial request to the clearnet site was on HTTPS.)

It has to go to HTTPS because the cert served by the new origin is used as
a mechanism to authenticate that it is actually authorised to act as an
origin. The primary aim being to ensure that if I (somehow) manage to
inject an Alt-Svc header into your responses, I cannot simply redirect
users via my service _unless_ I can also obtain a valid certificate for
your original name.

> There is no point in running HTTPS-over-Tor-hidden-service, as .onion
> traffic is already authenticated and encrypted, it only adds useless

See above. Without HTTPS the onion service is authenticated as being that
onion service, but is absolutely not authorised as an authorised origin for
www.example.com. It's not an oversight, it's a deliberate rational design
decision to help prevent various attacks that would otherwise be possible.

> What to use in case of 1.1?

I've not checked browser support for downgrading to 1.1, but the Alt-Svc
header expects an RFC 7301 ALPN name - so the name here would be http/1.1.
However, you also need to percent encode (RFC 7838 section 3), so it'd be

I should add - depending on the browser you *may* find you need to only
inject the header when the user is coming from a Tor exit. Otherwise direct
clearnet users might try and connect out.

It *shouldn't* happen (the RFC makes it very clear that alt services are
optional, and should be used when the alt origin becomes available - "the
client SHOULD use that alternative service for all requests to the
associated origin as soon as it is available"). But as with anything, plan
for the dumbest user-agent you could possibly imagine.

Ben Tasker
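
The points in the message above (a percent-encoded ALPN name, and sending the header only to clients arriving from Tor exits), as an added example that is not part of the original message or of any project's code. The names `encode_alpn`, `alt_svc_value` and `OnionAltSvc` are hypothetical; it assumes the operator supplies the exit address list and the onion hostname, and that `REMOTE_ADDR` is the real client address (no untrusted proxy in front).

```python
import ipaddress

# RFC 7230 token characters, minus "%" (RFC 7838 section 3 requires encoding it).
_TCHAR = frozenset(b"!#$&'*+-.^_`|~0123456789"
                   b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

def encode_alpn(alpn: bytes) -> str:
    """Percent-encode an ALPN protocol ID (uppercase hex) for Alt-Svc."""
    return "".join(chr(b) if b in _TCHAR else f"%{b:02X}" for b in alpn)

def alt_svc_value(alpn: bytes, onion_host: str, port: int = 443,
                  max_age: int = 86400) -> str:
    """Build the header value: <protocol-id>="<host>:<port>"; ma=<seconds>."""
    if not onion_host.endswith(".onion"):
        raise ValueError("alternative host must be a .onion name")
    return f'{encode_alpn(alpn)}="{onion_host}:{port}"; ma={max_age}'

class OnionAltSvc:
    """WSGI middleware: advertise the onion only to clients on Tor exits."""

    def __init__(self, app, header_value, exit_addrs):
        self.app = app
        self.header_value = header_value
        # exit_addrs: operator-supplied iterable of exit IP strings (assumption).
        self.exits = {ipaddress.ip_address(a) for a in exit_addrs}

    def __call__(self, environ, start_response):
        try:
            client = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            client = None  # unparsable address: treat as a non-Tor client
        # Assumption: advertise only on HTTPS responses, matching the thread's
        # premise; the onion listener must serve a cert valid for this origin.
        eligible = (client in self.exits
                    and environ.get("wsgi.url_scheme") == "https")

        def _start(status, headers, exc_info=None):
            if eligible:
                # Replace any Alt-Svc set upstream so only one value is sent.
                headers = [h for h in headers if h[0].lower() != "alt-svc"]
                headers.append(("Alt-Svc", self.header_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start)
```

Clients outside the exit set get the response unchanged, so a user agent that mishandles Alt-Svc never sees the onion name.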