[tor-bugs] #21952 [User Experience]: Increasing the use of onion services through automatic redirects and aliasing

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 21 07:05:33 UTC 2017


#21952: Increasing the use of onion services through automatic redirects and
aliasing
-----------------------------+-----------------------
 Reporter:  linda            |          Owner:  linda
     Type:  enhancement      |         Status:  new
 Priority:  Medium           |      Milestone:
Component:  User Experience  |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:                   |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:                   |        Sponsor:
-----------------------------+-----------------------

Comment (by ilf):

 cypherpunks: What "safety" properties are you looking for?

 If you visit https://pad.riseup.net, you put some level of trust in DNS,
 TLS (with X.509), and the server itself. But once you connect to it, you
 trust the server to give you the content that you requested and that it is
 authorized to give you.

 We propose to allow that server in that connection to tell you his hidden
 service and redirect you to it. If this can successfully be MITM'd, so can
 the original content. So the attack vector is no different there.

 OTOH, this makes it a lot easier to discover the .onion of a server,
 because clients get it directly from the server itself, not from any third
 entity like plugins or other websites. This minimizes a human attack
 vector like error or wrong information.

 What I would recommend against is a redirect already on cleartext HTTP
 without HTTPS, like http://ev0ke.net/ is currently doing. That's why we
 want to test and discuss this to find and write down best practices.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21952#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
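
The comment's recommendation against redirecting to a .onion from cleartext HTTP can be checked over a recorded redirect chain. The following is an added example, not part of the original comment or of any Tor Project code; the function name, the tuple layout and the hostnames (including the placeholder onion name) are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def onion_redirect_findings(chain):
    """Classify every redirect to a .onion host in a recorded chain.

    chain: ordered list of (request_url, status, location_header_or_None).
    Returns a list of (request_url, location, verdict) where verdict is
    'cleartext'      - the redirect arrived over plain HTTP, so anyone on the
                       path could have written or replaced the onion address
    'authenticated'  - the redirect arrived over HTTPS from the clearnet site
    'onion-to-onion' - the redirect was issued by an onion service itself
    """
    findings = []
    for url, status, location in chain:
        if status not in REDIRECT_CODES or not location:
            continue
        target_host = (urlsplit(location).hostname or "").lower()
        if not target_host.endswith(".onion"):
            continue  # relative or clearnet redirect, not of interest here
        origin = urlsplit(url)
        origin_host = (origin.hostname or "").lower()
        if origin_host.endswith(".onion"):
            verdict = "onion-to-onion"
        elif origin.scheme.lower() == "https":
            verdict = "authenticated"
        else:
            verdict = "cleartext"
        findings.append((url, location, verdict))
    return findings

# Constructed sample chains (placeholder hostnames, not real services).
ONION = "http://placeholderonionname.onion/"
WEAK_CHAIN = [("http://site.example/", 302, ONION)]
BETTER_CHAIN = [
    ("http://site.example/", 301, "https://site.example/"),  # upgrade first
    ("https://site.example/", 302, ONION),                   # then advertise
]

if __name__ == "__main__":
    for name, chain in (("weak", WEAK_CHAIN), ("better", BETTER_CHAIN)):
        for url, location, verdict in onion_redirect_findings(chain):
            print(f"{name}: {url} -> {location} [{verdict}]")
```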

