[HTTPS-Everywhere] “Block all HTTP requests” and onion services

Lunar lunar at torproject.org
Tue Jul 7 02:10:30 PDT 2015


Dave Warren:
> On 2015-07-06 10:39, Jacob Hoffman-Andrews wrote:
> >
> >Ideally onion services would use HTTPS since the security guarantees of
> >.onion are lower than modern HTTPS standards. However, I think for many
> >onion services, getting a CA-validated certificate is not an option.
> >
> >I would accept a pull request to allow .onion addresses when "Block all
> >HTTP requests" is enabled. But please make sure it only allows them when
> >using Tor. It's an edge case, but someone with compromised DNS could be
> >convinced that a .onion name exists on the cleartext Internet and
> >convinced to visit it in spite of the block.
> >
> 
> How would one verify that the user is "using Tor"?
> 
> Tor doesn't necessarily happen as part of the browser or even local machine
> and anyone in a position to MITM enough to fake a .onion TLD could probably
> mimic whatever test you use to verify whether Tor is active (or otherwise
> proxy everything through to Tor proper, except for whatever evil they're
> doing)

My suggestion: only allow `.onion` in HTTP only mode when a hidden pref
is set to true. Set it to false when shipping HTTPS Everywhere. Tor
Browser and Tails would override it.

Power users would be free to shoot themselves in the foot by not using
the recommended way to browse the web with Tor and enabling that option.

-- 
Lunar                                             <lunar at torproject.org>
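
The gating suggested in the message above, as an added example that is not part of the original post and is not HTTPS Everywhere code. The pref names `blockAllHttp` and `allowOnionOverHttp` and the sample hostnames are hypothetical.

```javascript
// Added illustration. Pref names are hypothetical, not the extension's real settings.
const DEFAULT_PREFS = Object.freeze({
  blockAllHttp: false,       // the "Block all HTTP requests" option
  allowOnionOverHttp: false, // hidden pref: shipped false, overridden by Tor Browser / Tails
});

// True only when the final DNS label is exactly "onion".
// "x.onion.example.com" and a bare "onion" host do not qualify.
function isOnionHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop one trailing root dot
  const labels = host.split(".");
  return labels.length >= 2 &&
    labels.every((label) => label.length > 0) &&
    labels[labels.length - 1] === "onion";
}

// Decide whether a request must be blocked under the given pref overrides.
function shouldBlockRequest(urlString, overrides = {}) {
  const prefs = { ...DEFAULT_PREFS, ...overrides };
  if (!prefs.blockAllHttp) return false;

  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return true; // unparseable while blocking is on: fail closed
  }
  if (url.protocol !== "http:") return false;

  // The exemption needs the hidden pref to be the boolean true, so a
  // missing or mistyped value keeps the block in place.
  if (prefs.allowOnionOverHttp === true && isOnionHost(url.hostname)) {
    return false;
  }
  return true;
}
```

With the shipped default, a `.onion` name reached over cleartext HTTP stays blocked, so a user whose DNS has been tampered with gets no exemption unless the pref was set deliberately.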