
Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?



Thanks for your work on this and the explanations on this list. When
things have cleared up a bit, I'll add them to the manual:

#27820 new task
Explain the different approaches to onionify a website 
http://ea5faa5po25cf7fb.onion/projects/tor/ticket/27820
https://bugs.torproject.org/27820

On Sat, 22 Sep 2018 16:15:08 +0100
Alec Muffett <alec.muffett@xxxxxxxxx> wrote:

> On Sat, 22 Sep 2018, 16:07 Roman Mamedov, <rm@xxxxxxxxxxx> wrote:
> 
> > There is no point in running HTTPS-over-Tor-hidden-service, as .onion
> > traffic is already authenticated and encrypted, it only adds useless
> > overhead.
> 
> 
> I see your point, but there are a couple of additional perspectives
> to be considered:
> https://medium.com/@alecmuffett/onions-certs-browsers-a-three-way-mexican-standoff-7dc987b8ebc8
> - especially regarding new functionality that will be locked to HTTPS
> 
> 
> > If there's no way around that with the alt-svc scheme, that seems like
> > a huge oversight.
> >
> 
> 
> Respecting AltSvc on port 80 would be as dangerous, possibly more
> dangerous, than cleartext HTTP already is; and regards the notion of
> making "onion" into a widely respected secure source equivalent to a
> HTTPS site, please see the above essay.
> 
> -a

-- 
traumschule.org

gpg fingerprint:
9356 4DED 8546 8D9A C290  3605 12EE 7D70 7111 2056

/otr info
OTR: traumschule@xxxxxxxxxxxxxxxxx fingerprint:
OTR: 35AACA83 4564616C B6EBEC66 56B6B2FC C8D572F1
OTR: traumschule@xxxxxxxxxxxx fingerprint:
OTR: D1CCD207 B60C1866 56A975AE ACE090E9 45E90846
OTR: traumschule@xxxxxxxxxxxxxxxxx fingerprint:
OTR: 51BF8BB9 434840CC 24F264BC 76450C27 A6AADB12