(tl;dr: We'd like more information about how onion services are deployed, and whether we should re-think the current assumption that connections with all onion services are secure. Do you send HTTP (unencrypted/unauthenticated) traffic between the onion service and a remote web server?)
Hello everyone,
Recently we received a question and concern regarding how Tor Browser interacts with web sites over HTTP. Over the last few years, Tor Browser has increasingly trusted HTTP connections with a .onion address (HTTP+.onion) due to the inherent security properties of onion services.
The security assumptions Tor Browser makes about these connections are based on another critical assumption: connections between the onion service and the destination web server are "secure" [0]. This assumption is correct when an onion service is run beside the web server and connections between the two components are over localhost/loopback/etc. However, onion services can connect to a remote web server instead, and when the connection between those hosts/components is not secure then Tor Browser's security assumption about the overall connection is wrong. Let's call this latter configuration an "onion tunnel" (for lack of a better term right now).
We are now aware some web sites are deploying onion tunnels where the connection between the onion service and the web server is not secure. As a result, we are considering reverting [1] a change of behavior in Tor Browser where "secure cookies" may leak in plaintext under some circumstances in an onion tunnel deployment.
Tor Browser treats connections with onion services as secure in other ways, as well. We'd like more information about how onion services are deployed, and whether we should re-think the current assumption that all .onion connections are secure.
Do you know of deployments where HTTP (unencrypted/unauthenticated) traffic is sent between the onion service and a remote web server?
(Please email me privately if you feel more comfortable with that.)
Thanks, Matt
[0] In this context, let's say "secure" means a connection that provides unidirectional authenticity, and bidirectional integrity and confidentiality. TLS is the typical example, but onion services provide these properties, too.
[1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40033
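Added example (not part of the original message, and not Tor Project code): a small audit an operator could run over a torrc to find HiddenServicePort backends that are not a unix socket or loopback address, i.e. candidates for the "onion tunnel" configuration described above. The sample torrc, paths and function names are constructed for illustration; a "remote" result means the hop needs review, since it may still be protected by TLS or another secure channel.

```python
import ipaddress

# Constructed sample torrc for illustration (not taken from any real deployment).
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/site_a/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 unix:/run/web/site_a.sock
HiddenServiceDir /var/lib/tor/site_b/
HiddenServicePort 80 203.0.113.10:80   # remote web server
HiddenServicePort 8080
HiddenServicePort 81 [::1]:8081
"""

def classify_target(target):
    """Return 'local' for unix-socket/loopback backends, otherwise 'remote'."""
    if target is None or target.isdigit():
        return "local"  # tor maps a missing address to 127.0.0.1
    if target.startswith("unix:"):
        return "local"
    try:
        host = target
        if host.startswith("["):            # [IPv6]:port
            host = host[1:host.index("]")]
        elif host.count(":") == 1:          # IPv4:port
            host = host.rsplit(":", 1)[0]
        return "local" if ipaddress.ip_address(host).is_loopback else "remote"
    except ValueError:
        return "remote"  # not an IP literal: treat conservatively as remote

def audit_torrc(text):
    """Return (line number, service dir, target, verdict) per HiddenServicePort."""
    findings, service = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "hiddenservicedir":
            service = parts[1]
        elif key == "hiddenserviceport":
            target = parts[2] if len(parts) > 2 else None
            findings.append((lineno, service, target, classify_target(target)))
    return findings

if __name__ == "__main__":
    for lineno, service, target, verdict in audit_torrc(SAMPLE_TORRC):
        if verdict == "remote":
            print(f"line {lineno}: {service} -> {target}: review transport security")
```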