
Hey y'all,

Copying this over from a reply I made to tor-talk (since I mentioned it over in the #tor-onions IRC channel). Basically 1) confirming that alt-svc does seem to work consistently in newer TBB, and 2) a fun accident in sending an HTTP 302 to folks that get to the onion via alt-svc.
[...] In any case, I did a quick test on propublica.org *not* using Cloudflare's built-in onion service feature (since we're running our own with our own EV cert anyway), and wanted to mention it here:
Set `alt-svc: h2="www.propub3r6espa33w.onion:443"; ma=300`, and looks like TBB (8.5a1) actually did silently switch over to using the onion for the connection. As above, there'd generally be no outward indication to the user that this has happened, except I'd actually configured the onion proxying bits (right now running nginx) to throw the browser a 302 redirect to the onion domain if the HTTP Host header isn't the onion domain. So, I'd inadvertently set this up to work where the user actually does get fully redirected over to the onion.
(I've since taken off the alt-svc header, since that was just a quick test and I'll need to figure out if that's behavior we want in lieu of the TBB UI getting an explicit user interaction before moving to the alt-svc. But figured that's worth mentioning for folks who _do_ want to easily make a clearnet domain redir TBB to an onion domain.)
[1]: https://trac.torproject.org/projects/tor/ticket/27590
[2]: https://trac.torproject.org/projects/tor/attachment/ticket/21952/21952.png
Anyway, that was a fun and awesome surprise. Perhaps should be obvious, but honestly I had no idea how the alt-svc behavior was going to work. Hopefully this is helpful to others?

-- 
Mike Tigas
https://mike.tig.as/
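The interaction described in the message, modelled as an added Python example (not the author's nginx configuration): it parses the `alt-svc` value from the post and traces the two requests a browser would make against a front end that applies the Host check. The clearnet Host value `www.propublica.org` and all function names are assumptions made for illustration.

```python
import re

ONION_HOST = "www.propub3r6espa33w.onion"  # onion name taken from the post
CLEARNET_HOST = "www.propublica.org"       # assumed clearnet Host header value

# One alternative: protocol-id="authority" followed by optional ;param=value pairs.
_ENTRY = re.compile(r'([^\s=,;"]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')

def parse_alt_svc(value):
    """Parse an Alt-Svc header value (RFC 7838) into a list of dicts."""
    if value.strip() == "clear":
        return []
    entries = []
    for proto, authority, params in _ENTRY.findall(value):
        host, _, port = authority.rpartition(":")  # empty host means "same host"
        ma = 86400  # RFC 7838 default freshness (24 hours) when ma is absent
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key == "ma" and val.isdigit():
                ma = int(val)
        entries.append({"proto": proto, "host": host, "port": int(port), "ma": ma})
    return entries

def onion_frontend(host_header, path):
    """Model of the rule in the post: 302 to the onion unless Host already is the onion."""
    if host_header.lower() != ONION_HOST:
        return 302, f"https://{ONION_HOST}{path}"
    return 200, None

def follow(alt_svc_value, path="/"):
    """Return [(connected_to, host_header, status, location), ...] as the browser sees it."""
    onion_alts = [e for e in parse_alt_svc(alt_svc_value) if e["host"].endswith(".onion")]
    if not onion_alts:
        return []
    # Alt-Svc only changes where the connection goes; the origin and the
    # Host header stay clearnet, which is what trips the front end's check.
    status, location = onion_frontend(CLEARNET_HOST, path)
    trace = [(onion_alts[0]["host"], CLEARNET_HOST, status, location)]
    if status == 302:
        # Following the redirect changes the origin itself, so the address
        # bar now shows the onion and the Host header matches.
        status, location = onion_frontend(ONION_HOST, path)
        trace.append((ONION_HOST, ONION_HOST, status, location))
    return trace

if __name__ == "__main__":
    for hop in follow('h2="www.propub3r6espa33w.onion:443"; ma=300', "/article"):
        print(hop)
```
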