
<p dir="ltr">How about, instead, focus that energy into addressing the countless websites that are broken because of https everywhere? I've submitted my list of broken sites numerous times. </p>

<div class="gmail_quote">On Nov 3, 2014 11:54 AM,  <<a href="mailto:https-everywhere-request@lists.eff.org">https-everywhere-request@lists.eff.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send HTTPS-Everywhere mailing list submissions to<br>

        <a href="mailto:https-everywhere@lists.eff.org">https-everywhere@lists.eff.org</a><br>

<br>

To subscribe or unsubscribe via the World Wide Web, visit<br>

        <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

or, via email, send a message with subject or body 'help' to<br>

        <a href="mailto:https-everywhere-request@lists.eff.org">https-everywhere-request@lists.eff.org</a><br>

<br>

You can reach the person managing the list at<br>

        <a href="mailto:https-everywhere-owner@lists.eff.org">https-everywhere-owner@lists.eff.org</a><br>

<br>

When replying, please edit your Subject line so it is more specific<br>

than "Re: Contents of HTTPS-Everywhere digest..."<br>

<br>

<br>

Today's Topics:<br>

<br>

   1. "darkweb everywhere" extension (yan)<br>

   2. Re: "darkweb everywhere" extension (yan)<br>

   3. Re: "darkweb everywhere" extension (Maxim Nazarenko)<br>

   4. Re: "darkweb everywhere" extension (Alex Xu)<br>

   5. Re: "darkweb everywhere" extension (Nick Semenkovich)<br>

<br>

<br>

----------------------------------------------------------------------<br>

<br>

Message: 1<br>

Date: Mon, 03 Nov 2014 05:09:15 +0000<br>

From: yan <<a href="mailto:yan@mit.edu">yan@mit.edu</a>><br>

To: https-everywhere <<a href="mailto:https-everywhere@lists.eff.org">https-everywhere@lists.eff.org</a>><br>

Subject: [HTTPS-Everywhere] "darkweb everywhere" extension<br>

Message-ID: <<a href="mailto:54570DFB.6090809@mit.edu">54570DFB.6090809@mit.edu</a>><br>

Content-Type: text/plain; charset=utf-8<br>

<br>

Hi all,<br>

<br>

Some people have requested for the "Darkweb Everywhere" extension [1] to<br>

be integrated into HTTPS Everywhere. This is an extension for Tor<br>

Browser that redirects users to the Tor Hidden Service version of a<br>

website when possible.<br>

<br>

I'm supportive of the idea; however, I'm worried that since .onion<br>

domain names are usually unrelated to a site's regular domain name, a<br>

malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only<br>

defends against this by publishing a doc in their Github repo that cites<br>

evidence for each ruleset [2].<br>

<br>

What if, instead, we asked website owners to send an HTTP header that<br>

indicates the Tor Hidden Service version of their website? Then HTTPS<br>

Everywhere could cache the result (like HSTS) and redirect to the THS<br>

version automatically in the future if the user opts-in.<br>

<br>

If this is something that EFF/Tor would be willing to advocate for, I<br>

would be happy to draft a specification for the header syntax and<br>

intended UA behavior.<br>

<br>

Thanks,<br>

Yan<br>

<br>

<br>

[1] <a href="https://github.com/chris-barry/darkweb-everywhere/" target="_blank">https://github.com/chris-barry/darkweb-everywhere/</a><br>

[2]<br>

<a href="https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md" target="_blank">https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md</a><br>

<br>

<br>

------------------------------<br>

<br>

Message: 2<br>

Date: Mon, 03 Nov 2014 05:48:03 +0000<br>

From: yan <<a href="mailto:yan@mit.edu">yan@mit.edu</a>><br>

To: https-everywhere <<a href="mailto:https-everywhere@lists.eff.org">https-everywhere@lists.eff.org</a>>,<br>

        "<a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a>" <<a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a>><br>

Subject: Re: [HTTPS-Everywhere] "darkweb everywhere" extension<br>

Message-ID: <<a href="mailto:54571713.4000805@mit.edu">54571713.4000805@mit.edu</a>><br>

Content-Type: text/plain; charset=windows-1252<br>

<br>

+tor-dev. tl;dr: Would be nice if there were an HTTP response header<br>

that allows HTTPS servers to indicate their .onion domain names so that<br>

HTTPS Everywhere can automatically redirect to the .onion version in the<br>

future if the user chooses a "use THS when available" preference.<br>

<br>

I imagine the header semantics and processing would be similar to HSTS.<br>

It would only be noted when sent over TLS and have the max-age and<br>

include-subdomains fields.<br>

<br>

-yan<br>

<br>

yan wrote:<br>

> Hi all,<br>

><br>

> Some people have requested for the "Darkweb Everywhere" extension [1] to<br>

> be integrated into HTTPS Everywhere. This is an extension for Tor<br>

> Browser that redirects users to the Tor Hidden Service version of a<br>

> website when possible.<br>

><br>

> I'm supportive of the idea; however, I'm worried that since .onion<br>

> domain names are usually unrelated to a site's regular domain name, a<br>

> malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only<br>

> defends against this by publishing a doc in their Github repo that cites<br>

> evidence for each ruleset [2].<br>

><br>

> What if, instead, we asked website owners to send an HTTP header that<br>

> indicates the Tor Hidden Service version of their website? Then HTTPS<br>

> Everywhere could cache the result (like HSTS) and redirect to the THS<br>

> version automatically in the future if the user opts-in.<br>

><br>

> If this is something that EFF/Tor would be willing to advocate for, I<br>

> would be happy to draft a specification for the header syntax and<br>

> intended UA behavior.<br>

><br>

> Thanks,<br>

> Yan<br>

><br>

><br>

> [1] <a href="https://github.com/chris-barry/darkweb-everywhere/" target="_blank">https://github.com/chris-barry/darkweb-everywhere/</a><br>

> [2]<br>

> <a href="https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md" target="_blank">https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md</a><br>

> _______________________________________________<br>

> HTTPS-Everywhere mailing list<br>

> <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>

> <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

><br>

<br>

<br>

<br>

------------------------------<br>

<br>

Message: 3<br>

Date: Mon, 3 Nov 2014 15:14:07 +0300<br>

From: Maxim Nazarenko <<a href="mailto:nz.phone@mail.ru">nz.phone@mail.ru</a>><br>

To: <a href="mailto:yan@mit.edu">yan@mit.edu</a><br>

Cc: https-everywhere <<a href="mailto:https-everywhere@lists.eff.org">https-everywhere@lists.eff.org</a>><br>

Subject: Re: [HTTPS-Everywhere] "darkweb everywhere" extension<br>

Message-ID:<br>

        <CAKGkX-3Hn7ru=<a href="mailto:m8tTNsjA9%2BqfLYWOU5L92QZsiT28m_HHvM1ow@mail.gmail.com">m8tTNsjA9+qfLYWOU5L92QZsiT28m_HHvM1ow@mail.gmail.com</a>><br>

Content-Type: text/plain; charset=UTF-8<br>

<br>

Sounds like a great idea. Even Facebook runs its hidden service nowadays...<br>

<br>

My two cents:<br>

1) The specification should be extensible, so other networks (such as<br>

I2P) would be covered.<br>

2) Well-known locations might also be used (not sure if this is a good idea).<br>

3) From an extension user viewpoint, preload list would be very nice.<br>

<br>

Best regards,<br>

Maxim Nazarenko<br>

<br>

On 3 November 2014 08:09, yan <<a href="mailto:yan@mit.edu">yan@mit.edu</a>> wrote:<br>

> Hi all,<br>

><br>

> Some people have requested for the "Darkweb Everywhere" extension [1] to<br>

> be integrated into HTTPS Everywhere. This is an extension for Tor<br>

> Browser that redirects users to the Tor Hidden Service version of a<br>

> website when possible.<br>

><br>

> I'm supportive of the idea; however, I'm worried that since .onion<br>

> domain names are usually unrelated to a site's regular domain name, a<br>

> malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only<br>

> defends against this by publishing a doc in their Github repo that cites<br>

> evidence for each ruleset [2].<br>

><br>

> What if, instead, we asked website owners to send an HTTP header that<br>

> indicates the Tor Hidden Service version of their website? Then HTTPS<br>

> Everywhere could cache the result (like HSTS) and redirect to the THS<br>

> version automatically in the future if the user opts-in.<br>

><br>

> If this is something that EFF/Tor would be willing to advocate for, I<br>

> would be happy to draft a specification for the header syntax and<br>

> intended UA behavior.<br>

><br>

> Thanks,<br>

> Yan<br>

><br>

><br>

> [1] <a href="https://github.com/chris-barry/darkweb-everywhere/" target="_blank">https://github.com/chris-barry/darkweb-everywhere/</a><br>

> [2]<br>

> <a href="https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md" target="_blank">https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md</a><br>

> _______________________________________________<br>

> HTTPS-Everywhere mailing list<br>

> <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>

> <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

<br>

<br>

------------------------------<br>

<br>

Message: 4<br>

Date: Mon, 03 Nov 2014 08:08:23 -0500<br>

From: Alex Xu <<a href="mailto:alex_y_xu@yahoo.ca">alex_y_xu@yahoo.ca</a>><br>

To: <a href="mailto:https-everywhere@lists.eff.org">https-everywhere@lists.eff.org</a>, <a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a>,<br>

        <a href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a><br>

Subject: Re: [HTTPS-Everywhere] "darkweb everywhere" extension<br>

Message-ID: <<a href="mailto:54577E47.90304@yahoo.ca">54577E47.90304@yahoo.ca</a>><br>

Content-Type: text/plain; charset="utf-8"<br>

<br>

On 03/11/14 12:48 AM, yan wrote:<br>

> +tor-dev. tl;dr: Would be nice if there were an HTTP response header<br>

> that allows HTTPS servers to indicate their .onion domain names so that<br>

> HTTPS Everywhere can automatically redirect to the .onion version in the<br>

> future if the user chooses a "use THS when available" preference.<br>

><br>

> I imagine the header semantics and processing would be similar to HSTS.<br>

> It would only be noted when sent over TLS and have the max-age and<br>

> include-subdomains fields.<br>

><br>

> -yan<br>

><br>

> yan wrote:<br>

>> Hi all,<br>

>><br>

>> Some people have requested for the "Darkweb Everywhere" extension [1] to<br>

>> be integrated into HTTPS Everywhere. This is an extension for Tor<br>

>> Browser that redirects users to the Tor Hidden Service version of a<br>

>> website when possible.<br>

>><br>

>> I'm supportive of the idea; however, I'm worried that since .onion<br>

>> domain names are usually unrelated to a site's regular domain name, a<br>

>> malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only<br>

>> defends against this by publishing a doc in their Github repo that cites<br>

>> evidence for each ruleset [2].<br>

>><br>

>> What if, instead, we asked website owners to send an HTTP header that<br>

>> indicates the Tor Hidden Service version of their website? Then HTTPS<br>

>> Everywhere could cache the result (like HSTS) and redirect to the THS<br>

>> version automatically in the future if the user opts-in.<br>

>><br>

>> If this is something that EFF/Tor would be willing to advocate for, I<br>

>> would be happy to draft a specification for the header syntax and<br>

>> intended UA behavior.<br>

>><br>

>> Thanks,<br>

>> Yan<br>

>><br>

>><br>

>> [1] <a href="https://github.com/chris-barry/darkweb-everywhere/" target="_blank">https://github.com/chris-barry/darkweb-everywhere/</a><br>

>> [2]<br>

>> <a href="https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md" target="_blank">https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md</a><br>

>> _______________________________________________<br>

>> HTTPS-Everywhere mailing list<br>

>> <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>

>> <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

>><br>

><br>

> _______________________________________________<br>

> HTTPS-Everywhere mailing list<br>

> <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>

> <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

><br>

<br>

<a href="https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html" target="_blank">https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html</a><br>

<br>

-------------- next part --------------<br>

A non-text attachment was scrubbed...<br>

Name: signature.asc<br>

Type: application/pgp-signature<br>

Size: 819 bytes<br>

Desc: OpenPGP digital signature<br>

URL: <<a href="https://lists.eff.org/pipermail/https-everywhere/attachments/20141103/7ea26cfe/attachment-0001.sig" target="_blank">https://lists.eff.org/pipermail/https-everywhere/attachments/20141103/7ea26cfe/attachment-0001.sig</a>><br>

<br>

------------------------------<br>

<br>

Message: 5<br>

Date: Mon, 3 Nov 2014 10:53:58 -0600<br>

From: Nick Semenkovich <<a href="mailto:nick@semenkovich.com">nick@semenkovich.com</a>><br>

To: Alex Xu <<a href="mailto:alex_y_xu@yahoo.ca">alex_y_xu@yahoo.ca</a>><br>

Cc: <a href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a>, https-everywhere<br>

        <<a href="mailto:https-everywhere@lists.eff.org">https-everywhere@lists.eff.org</a>>, <a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a><br>

Subject: Re: [HTTPS-Everywhere] "darkweb everywhere" extension<br>

Message-ID:<br>

        <CAJKgmrW5kuOxWLAe_3NVP3WCoy0pCdWu9E3Da6m=+<a href="mailto:8XUnzRdTA@mail.gmail.com">8XUnzRdTA@mail.gmail.com</a>><br>

Content-Type: text/plain; charset="utf-8"<br>

<br>

This is a great idea! Any thoughts on extending parts of this to Chrome?<br>

<br>

I understand there are significant issues with Chrome & Tor, though I also<br>

think making Tor more visible and accessible to end-users is a good goal.<br>

<br>

Some options:<br>

- Flashing the HTTPSe icon when a .onion site is available (or showing<br>

another symbol, etc.)<br>

- Allow one-click to tor2web (this has some broader implications ... I<br>

worry users would think they were somehow anonymous using tor2web)<br>

<br>

- Nick<br>

<br>

[1]<br>

<a href="https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting" target="_blank">https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting</a><br>

<br>

On Mon, Nov 3, 2014 at 7:08 AM, Alex Xu <<a href="mailto:alex_y_xu@yahoo.ca">alex_y_xu@yahoo.ca</a>> wrote:<br>

<br>

> On 03/11/14 12:48 AM, yan wrote:<br>

> > +tor-dev. tl;dr: Would be nice if there were an HTTP response header<br>

> > that allows HTTPS servers to indicate their .onion domain names so that<br>

> > HTTPS Everywhere can automatically redirect to the .onion version in the<br>

> > future if the user chooses a "use THS when available" preference.<br>

> ><br>

> > I imagine the header semantics and processing would be similar to HSTS.<br>

> > It would only be noted when sent over TLS and have the max-age and<br>

> > include-subdomains fields.<br>

> ><br>

> > -yan<br>

> ><br>

> > yan wrote:<br>

> >> Hi all,<br>

> >><br>

> >> Some people have requested for the "Darkweb Everywhere" extension [1] to<br>

> >> be integrated into HTTPS Everywhere. This is an extension for Tor<br>

> >> Browser that redirects users to the Tor Hidden Service version of a<br>

> >> website when possible.<br>

> >><br>

> >> I'm supportive of the idea; however, I'm worried that since .onion<br>

> >> domain names are usually unrelated to a site's regular domain name, a<br>

> >> malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only<br>

> >> defends against this by publishing a doc in their Github repo that cites<br>

> >> evidence for each ruleset [2].<br>

> >><br>

> >> What if, instead, we asked website owners to send an HTTP header that<br>

> >> indicates the Tor Hidden Service version of their website? Then HTTPS<br>

> >> Everywhere could cache the result (like HSTS) and redirect to the THS<br>

> >> version automatically in the future if the user opts-in.<br>

> >><br>

> >> If this is something that EFF/Tor would be willing to advocate for, I<br>

> >> would be happy to draft a specification for the header syntax and<br>

> >> intended UA behavior.<br>

> >><br>

> >> Thanks,<br>

> >> Yan<br>

> >><br>

> >><br>

> >> [1] <a href="https://github.com/chris-barry/darkweb-everywhere/" target="_blank">https://github.com/chris-barry/darkweb-everywhere/</a><br>

> >> [2]<br>

> >><br>

> <a href="https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md" target="_blank">https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md</a><br>

> >> _______________________________________________<br>

> >> HTTPS-Everywhere mailing list<br>

> >> <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>

> >> <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

> >><br>

> ><br>

> > _______________________________________________<br>

> > HTTPS-Everywhere mailing list<br>

> > <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>

> > <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

> ><br>

><br>

> <a href="https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html" target="_blank">https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html</a><br>

><br>

><br>

> _______________________________________________<br>

> HTTPS-Everywhere mailing list<br>

> <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>

> <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

><br>

<br>

<br>

<br>

--<br>

Nick Semenkovich<br>

Laboratory of Dr. Jeffrey I. Gordon<br>

Medical Scientist Training Program<br>

School of Medicine<br>

Washington University in St. Louis<br>

<a href="https://nick.semenkovich.com/" target="_blank">https://nick.semenkovich.com/</a><br>

-------------- next part --------------<br>

An HTML attachment was scrubbed...<br>

URL: <<a href="https://lists.eff.org/pipermail/https-everywhere/attachments/20141103/96d2994b/attachment.html" target="_blank">https://lists.eff.org/pipermail/https-everywhere/attachments/20141103/96d2994b/attachment.html</a>><br>

<br>

------------------------------<br>

<br>

Subject: Digest Footer<br>

<br>

_______________________________________________<br>

HTTPS-Everywhere mailing list<br>

<a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>

<a href="https://lists.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>

<br>

------------------------------<br>

<br>

End of HTTPS-Everywhere Digest, Vol 53, Issue 1<br>

***********************************************<br>

</blockquote></div>