[HTTPS-Everywhere] “Block all HTTP requests” and onion services

Dave Warren davew at hireahit.com
Mon Jul 6 15:35:56 PDT 2015


On 2015-07-06 10:39, Jacob Hoffman-Andrews wrote:
>
> Ideally onion services would use HTTPS since the security guarantees of
> .onion are lower than modern HTTPS standards. However, I think for many
> onion services, getting a CA-validated certificate is not an option.
>
> I would accept a pull request to allow .onion addresses when "Block all
> HTTP requests" is enabled. But please make sure it only allows them when
> using Tor. It's an edge case, but someone with compromised DNS could be
> convinced that a .onion name exists on the cleartext Internet and
> convinced to visit it in spite of the block.
>

How would one verify that the user is "using Tor"?

Tor doesn't necessarily happen as part of the browser or even the local 
machine, and anyone in a position to MITM enough to fake a .onion TLD 
could probably mimic whatever test you use to verify whether Tor is 
active (or otherwise proxy everything through to Tor proper, except for 
whatever evil they're doing).

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
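The decision the quoted proposal describes, written out as an added example (this is not HTTPS Everywhere's own code, and the setting and function names are invented here): cleartext HTTP is blocked, a .onion host is let through only when the browser is believed to be going over Tor, and a .onion request seen while not on Tor is treated as the spoofed-DNS case and blocked. Whether Tor is in use is deliberately an input to the function rather than something it detects, since detecting it reliably is exactly the problem raised above.

```javascript
// Added example, not project code: models "Block all HTTP requests" with the
// proposed .onion exception. Names (decideRequest, settings.usingTor, ...) are
// hypothetical; nothing here talks to the network.

// True for hosts under the .onion special-use TLD. Case-insensitive, tolerates
// a trailing dot, and rejects lookalikes such as "abc.onion.example.com" or a
// bare "onion" label.
function isOnionHost(hostname) {
  const h = String(hostname).toLowerCase().replace(/\.$/, "");
  return h.length > ".onion".length && h.endsWith(".onion");
}

// Decide what to do with one request URL.
//   settings.blockAllHttp - the user's "Block all HTTP requests" toggle
//   settings.usingTor     - whether the browser is believed to route through
//                           Tor. Supplied by the caller; this code does not
//                           attempt to detect Tor.
// Returns { action: "pass" | "allow" | "block", reason }.
function decideRequest(url, settings) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return { action: "block", reason: "unparseable URL" };
  }
  if (u.protocol !== "http:") {
    return { action: "pass", reason: "not cleartext HTTP" };
  }
  if (!settings.blockAllHttp) {
    return { action: "pass", reason: "block-all-HTTP disabled" };
  }
  if (isOnionHost(u.hostname)) {
    if (settings.usingTor) {
      return { action: "allow", reason: ".onion reached over Tor" };
    }
    // A .onion name has no business resolving on the cleartext Internet, so
    // outside Tor it is treated as compromised DNS and blocked.
    return { action: "block", reason: ".onion requested without Tor" };
  }
  return { action: "block", reason: "cleartext HTTP blocked" };
}

// Shape of a blocking webRequest.onBeforeRequest listener built on the
// decision above (hypothetical wiring; not registered here).
function makeListener(settings) {
  return function onBeforeRequest(details) {
    return decideRequest(details.url, settings).action === "block"
      ? { cancel: true }
      : {};
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_URLS = [
  "http://abcdefghijklmnop.onion/",        // onion, lower-case
  "http://ABCDEFGHIJKLMNOP.ONION./page",   // onion, upper-case + trailing dot
  "http://abc.onion.example.com/",         // lookalike, not an onion host
  "http://onion/",                          // bare label, not an onion host
  "http://example.com:8080/x",             // ordinary cleartext HTTP
  "https://example.com/",                  // already HTTPS
];

// Map each sample URL to its action under the given settings.
function summarize(urls, settings) {
  const out = {};
  for (const url of urls) out[url] = decideRequest(url, settings).action;
  return out;
}

console.log("on Tor:     ", summarize(SAMPLE_URLS, { blockAllHttp: true, usingTor: true }));
console.log("not on Tor: ", summarize(SAMPLE_URLS, { blockAllHttp: true, usingTor: false }));
```

Run with `node`; the two printed maps differ only in the two .onion entries, which flip from `allow` to `block` when `usingTor` is false. The `usingTor` flag is the weak link: whatever feeds it (proxy settings, a probe, a Tor Browser marker) is what an attacker who can already fake the .onion TLD would target.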
