[tor-bugs] #21952 [User Experience]: Increasing the use of onion services through automatic redirects and aliasing
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 20 13:02:49 UTC 2017
#21952: Increasing the use of onion services through automatic redirects and
aliasing
-----------------------------+-----------------------
Reporter: linda | Owner: linda
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: User Experience | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------+-----------------------
Comment (by ilf):
Thanks Linda for opening this ticket and everyone for jumping in.
Unfortunately, I feel we are both a little too quick and merging too many
things into one.
So first things first:
== Let's auto-redirect Tor-Users to Hidden Services! ==
Some websites already redirect Tor users to their Hidden Services:
* https://securitywithoutborders.org/
* https://www.privacyinternational.org/
* https://lists.riseup.net/
* https://pad.riseup.net/
* http://ev0ke.net/
(We planned to publically document how to do this. And then discuss this
on tor-users. This ticket surpassed our timeline.)
== This is awesome ==
1. Other websites punish Tor users. Let's embrace (and "reward") them.
2. Discovering onions is hard. Let's make it easier.
3. Client-side redirects (like https://github.com/chris-barry/darkweb-
everywhere and #19812) are nice. But server-side redirects are better:
a. The server knows its onion, the client would have to verify it out-
of-band or trust someone else.
b. The server admin '''already''' controls, "what sort of security
properties they get while connecting to your website", [comment:17 arma].
We are doing the same thing with redirects to HTTPS, TLS properties,
logging policies, etc. It's the admins server, afterall.
== User response ==
Most users didn't freak out. We now have hundreds of users and most don't
provide feedback. (Like always.)
Some users do provide feedback, and most say they like it. (Like me.)
As [comment:16 micah] said, there was only '''one''' user that ran an exit
at his home but didn't use TBB himself. He now does.
This works the other way around, too. When I shared a .onion address via
chat, the other user knew what it was, but never bothered to get TBB
before. To view the URL, they got TBB - and still use it today. I would
not have shared the onion URL if I hadn't been auto-redirected.
And there was '''one''' user, who "freaked out" about the redirect. And
only because that user used TBB, but didn't know what hidden services are.
This is exactly the kind of person, i '''want''' to get using TBB.
== Moving foward ==
The original issue we gave to Linda was the '''one''' user "freaking out"
about the server-side redirect.
A rough first idea was: ''"Maybe TBB should inform users about .onion the
first time they visit one?"''
From there it evolved into this bigger debate about UX, URL bars, tabs,
HTTPS, same-origin policy, darkweb everywhere, and more.
I'm not exactly sure where we move from here.
1. Maybe a first step would be to discuss, if TBB should do something the
very first time it visits a .onion.
2. When we finally got around to documenting the server-side-onion-
redirect, I propose to discuss that on tor-users.
Opinions?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21952#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list