On Tue, Jul 21, 2020 at 01:47:40AM +0200, Sebastian Hahn wrote:
If there were some sensible way to have https which terminates at their end while they don't have to operate a hidden service, I am pretty sure we could work something out and I would obviously go for it.
For our research group's university-run web server (https://crysp.uwaterloo.ca/), I do a "split onion/https" setup where the machine running the onion service (http://uwcryspionvholmkfxoqt2xns5mvnct34ytacugxtqpqrnka2oqm6kqd.onion/) has a localhost-listening proxy, which can be a pretty lightweight custom thing, or a very simple Apache (for example) configuration:
    SSLProxyEngine On
    ProxyPass / https://crysp.uwaterloo.ca/
So then it's onion from the client to the onion service, HTTP to the localhost proxy, and HTTPS from the proxy to the remote (but in the same building) server. If there's something amiss with the HTTPS connection to the remote server, presumably Apache will complain and not send, e.g., secure cookies. That's admittedly up to Apache, and not the client, but it's better than the "last mile" being plain HTTP. And for bonus points, the people who run the real backend webserver don't have to do anything special at all.
I wonder if a "lightweight custom proxy" that just fetches pages from one specific host over https might get bundled with tor for easy onion service setup?
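The two-directive configuration above is enough to make Apache speak TLS to the backend, but Apache's SSLProxyVerify defaults to "none", so on its own the proxy will forward to the backend even when the backend's certificate would not validate. The following is an added example (not code from the post, and not the crysp.uwaterloo.ca server's actual configuration) of the same localhost proxy with upstream verification made explicit. It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded; the listen port, the torrc line and the CA bundle path are assumptions for a Debian-style host.

```apache
# Added example: localhost-only reverse proxy for the "split onion/https"
# setup, with the upstream certificate actually checked. Not the original
# poster's configuration. Port, torrc line and CA bundle path are assumptions.

# Only the local tor daemon should reach this vhost. The matching torrc line
# on the same machine would be (assumption):
#     HiddenServicePort 80 127.0.0.1:8080
Listen 127.0.0.1:8080

<VirtualHost 127.0.0.1:8080>
    ServerName uwcryspionvholmkfxoqt2xns5mvnct34ytacugxtqpqrnka2oqm6kqd.onion

    # TLS to the backend. SSLProxyVerify defaults to "none", so without the
    # next lines a self-signed or expired backend certificate is accepted.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyVerifyDepth       3
    SSLProxyCheckPeerName     on      # Apache >= 2.4.5; hostname vs. certificate
    SSLProxyCheckPeerExpire   on
    SSLProxyProtocol          all -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt   # assumed path

    # Keep ProxyPreserveHost at its default (off): the backend then receives
    # "Host: crysp.uwaterloo.ca", which is also the name the certificate must
    # match, and the backend operators need no special vhost for the onion.
    ProxyRequests      off
    ProxyPreserveHost  off
    ProxyPass          / https://crysp.uwaterloo.ca/
    # Rewrite Location/Content-Location headers that name the backend so that
    # redirects keep the client on the onion address it connected to.
    ProxyPassReverse   / https://crysp.uwaterloo.ca/
</VirtualHost>
```

Check it with `apachectl configtest` before reloading. With SSLProxyVerify set to require, a backend whose certificate fails to validate does not get the request at all: Apache answers the client with a 502 Proxy Error and records the handshake failure in its error log, which is the behaviour the post hopes for but that the default settings do not guarantee.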