[HTTPS-Everywhere] “Block all HTTP requests” and onion services

Jacob Hoffman-Andrews jsha at eff.org
Mon Jul 6 10:39:08 PDT 2015


On 07/02/2015 06:54 PM, Drake, Brian wrote:
> I love “Block all HTTP requests”. But from a technical point of view,
> it’s silly that it also blocks onion services.
I think the non-inclusion of onion addresses is not necessarily intentional.
> Having said that, a while ago, on the Tor blog, I read about the issue
> of onion services using HTTPS, and I think it said there was some
> disagreement about this. You might say that it’s silly, or that it’s
> almost necessary (so we can train non-security-expert users to demand
> HTTPS all the time). Any thoughts about this?
Ideally onion services would use HTTPS since the security guarantees of
.onion are lower than modern HTTPS standards. However, I think for many
onion services, getting a CA-validated certificate is not an option.

I would accept a pull request to allow .onion addresses when "Block all
HTTP requests" is enabled. But please make sure it only allows them when
using Tor. It's an edge case, but someone with compromised DNS could be
convinced that a .onion name exists on the cleartext Internet and
convinced to visit it in spite of the block.


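As an added illustration of the edge case raised above (this is example code, not HTTPS Everywhere's own implementation), the decision logic below exempts `.onion` hosts from "Block all HTTP requests" only when the browser is known to be routing through Tor. Whether Tor is active is passed in as a plain boolean; how an extension would actually detect that is assumed to exist elsewhere and is not shown. The onion address and other sample URLs are constructed placeholders.

```javascript
// Added example: deciding whether a plain-HTTP request may proceed under a
// "block all HTTP" policy, with a Tor-only exemption for .onion hosts.
// Not HTTPS Everywhere code; `torActive` is an assumed input.

// True if the hostname is under the .onion special-use TLD.
// Case and a trailing dot are normalised; a name such as
// "evil.onion.example.com" must NOT match, because the label "onion" has
// to be the last one.
function isOnionHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h.endsWith(".onion");
}

// Returns { action: "allow" | "block", reason: string }.
// ctx.blockAllHttp: the user's "Block all HTTP requests" setting.
// ctx.torActive:    assumed flag meaning the browser is using Tor.
function decideRequest(rawUrl, ctx) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    // Fail closed: an unparseable URL never gets the exemption.
    return { action: "block", reason: "unparseable URL" };
  }

  // Only cleartext HTTP is subject to this policy at all.
  if (url.protocol !== "http:") {
    return { action: "allow", reason: "not plain HTTP" };
  }
  if (!ctx.blockAllHttp) {
    return { action: "allow", reason: "block-all mode is off" };
  }

  if (isOnionHost(url.hostname)) {
    if (ctx.torActive) {
      // Inside Tor the name resolves inside the Tor network, so there is
      // no cleartext hop on the open Internet to protect against.
      return { action: "allow", reason: ".onion over Tor" };
    }
    // Outside Tor a .onion name would have to be resolved by ordinary DNS;
    // a spoofed answer could point it at a cleartext host, which is exactly
    // what the block is meant to prevent.
    return { action: "block", reason: ".onion name seen outside Tor" };
  }

  return { action: "block", reason: "plain HTTP is blocked" };
}

// Tally a batch of decisions, e.g. for a debug panel or a test run.
function summarise(urls, ctx) {
  const counts = { allow: 0, block: 0 };
  for (const u of urls) counts[decideRequest(u, ctx).action] += 1;
  return counts;
}

// Constructed sample input; the onion name is a placeholder, not a real service.
const sampleUrls = [
  "http://example.com/",
  "https://example.com/",
  "http://abcdefghijklmnop.onion/",
  "http://evil.onion.example.com/",
];

for (const u of sampleUrls) {
  const d = decideRequest(u, { blockAllHttp: true, torActive: true });
  console.log(`${d.action.padEnd(5)} ${u}  (${d.reason})`);
}
```

The two things worth noting in the design are that the check fails closed (an unparseable URL is blocked rather than exempted) and that the `.onion` test matches on the final label only, so a clearnet host with "onion" somewhere in its name cannot slip through the exemption.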