[HTTPS-Everywhere] “Block all HTTP requests” and onion services
Dave Warren
davew at hireahit.com
Mon Jul 6 15:45:40 PDT 2015
On 2015-07-06 15:42, yan wrote:
>
>
> On 7/6/15 3:35 PM, Dave Warren wrote:
>> On 2015-07-06 10:39, Jacob Hoffman-Andrews wrote:
>>>
>>> Ideally onion services would use HTTPS since the security guarantees of
>>> .onion are lower than modern HTTPS standards. However, I think for many
>>> onion services, getting a CA-validated certificate is not an option.
>>>
>>> I would accept a pull request to allow .onion addresses when "Block all
>>> HTTP requests" is enabled. But please make sure it only allows them
>>> when
>>> using Tor. It's an edge case, but someone with compromised DNS could be
>>> convinced that a .onion name exists on the cleartext Internet and
>>> convinced to visit it in spite of the block.
>>>
>>
>> How would one verify that the user is "using Tor"?
>
> Presmably using the SSL Observatory routine of making a request to
> check.torproject.org. A MITM can't fake a positive response since it's
> TLS only (and key pinned, i think).
>
> I agree with Jacob that Onion services without TLS don't have nearly
> the same security level as proper HTTPS, but am in favor of letting
> .onion domains go through in "Block HTTP" mode.
What good would that do? Were I writing network level malware trying to
fake a .onion site, I'd just pass traffic going to check.torproject.org
through (via Tor or not, whatever is the expected behaviour here? I'd
guess "Route it via Tor") unmangled.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
More information about the HTTPS-Everywhere
mailing list