[tor-bugs] #21952 [User Experience]: Increasing the use of onion services through automatic redirects and aliasing
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 21 07:05:33 UTC 2017
#21952: Increasing the use of onion services through automatic redirects and
aliasing
-----------------------------+-----------------------
Reporter: linda | Owner: linda
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: User Experience | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------+-----------------------
Comment (by ilf):
cypherpunks: What "safety" properties are you looking for?
If you visit https://pad.riseup.net, you put some level of trust in DNS,
TLS (with X.509), and the server itself. But once you connect to it, you
trust the server to give you the content that you requested and that it is
autorized to give you.
We propose to allow that server in that connection to tell you his hidden
service and redirect you to it. If this can successfully be MITM'd, so can
the original content. So the attack vector is no different there.
OTOH, this makes it a lot easier to discover the .onion of a server,
because clients get it directly from the server itself, not from any third
entity like plugins or other websites. This minimizes a human attack
vector like error or wrong information.
What I would recommend against is a redirect already on cleartext HTTP
without HTTPS, like http://ev0ke.net/ is currently doing. That's why we
want to test and discuss this to find and write down best practices.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21952#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list