[HTTPS-Everywhere] “Block all HTTP requests” and onion services
yan
yan at eff.org
Mon Jul 6 15:42:57 PDT 2015
On 7/6/15 3:35 PM, Dave Warren wrote:
> On 2015-07-06 10:39, Jacob Hoffman-Andrews wrote:
>>
>> Ideally onion services would use HTTPS since the security guarantees of
>> .onion are lower than modern HTTPS standards. However, I think for many
>> onion services, getting a CA-validated certificate is not an option.
>>
>> I would accept a pull request to allow .onion addresses when "Block all
>> HTTP requests" is enabled. But please make sure it only allows them when
>> using Tor. It's an edge case, but someone with compromised DNS could be
>> convinced that a .onion name exists on the cleartext Internet and
>> convinced to visit it in spite of the block.
>>
>
> How would one verify that the user is "using Tor"?
Presmably using the SSL Observatory routine of making a request to
check.torproject.org. A MITM can't fake a positive response since it's
TLS only (and key pinned, i think).
I agree with Jacob that Onion services without TLS don't have nearly the
same security level as proper HTTPS, but am in favor of letting .onion
domains go through in "Block HTTP" mode.
>
> Tor doesn't necessarily happen as part of the browser or even local
> machine and anyone in a position to MITM enough to fake a .onion TLD
> could probably mimic whatever test you use to verify whether Tor is
> active (or otherwise proxy everything through to Tor proper, except for
> whatever evil they're doing)
>
More information about the HTTPS-Everywhere
mailing list