[tor-bugs] #28948 [Community]: Anonymous/private HTTP alternative.

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 26 14:27:56 UTC 2018


#28948: Anonymous/private HTTP alternative.
---------------------+---------------------------
 Reporter:  nrG9pBu  |          Owner:  alison
     Type:  project  |         Status:  new
 Priority:  Medium   |      Component:  Community
  Version:           |       Severity:  Normal
 Keywords:  HTTP     |  Actual Points:
Parent ID:           |         Points:
 Reviewer:           |        Sponsor:
---------------------+---------------------------
 I request that the Tor project creates a new private protocol replacement
 for HTTP.

 HTTP is bloated, full of features preventing privacy and
 anonymity. Examples include request headers, cookies, referrer, etc.

 Tor and other anonymity and privacy tools try to work around these
 issues, but it's a whack-a-mole game.

 This new private protocol shall be a scaled-down version of HTTP, with
 any anonymity-hostile features removed. In fact it shall be minimal:
 having only the absolute minimum number of features that still allow
 basic web browsing.

 It is important that the protocol is designed by a trustworthy party,
 such as the Tor project, and not by any commercial parties. Said
 commercial parties are in fact currently working on HTTP protocol
 replacements, however user tracking and lack of privacy and anonymity
 is in their interest, as it supports their business model.

 Examples of problems that need to be addressed:

 Request headers, such as HTTP_ACCEPT headers, are a user-tracking
 feature, are not needed and shall be absent.

 Request method (GET, POST, etc.): minimal design dictates that only
 one (HTTP GET-equivalent) method shall suffice.

 URL: To prevent user tracking in the form of casing, the URL shall be
 lower-cased before a request is sent. The URL can be rendered with
 mixed case to the user for readability of course.

 Encryption: All requests must be encrypted with a predefined (not
 negotiated) scheme.

 No form of negotiation can take place between the client and server,
 including: compression, natural language, protocol versions, etc.

 The client must not identify itself in any way.

 Etc. Many other issues probably remain, of which I have no
 knowledge. That's why I turn to the Tor project, as your community is
 best-suited to identify and address other privacy issues with HTTP.

 To ease adoption, the new protocol could technically resemble HTTP as
 much as possible, so that minimal development is needed in software
 (clients, servers) to provide support.

 I can only hope that the Tor community will accept this challenge.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28948>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
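
Added example (not part of the ticket and not Tor Project code): two constructed HTTP requests for the same page from different clients, reduced according to the rules the ticket lists (single GET-equivalent method, lower-cased URL, no client-supplied headers), to show which fields distinguish the clients and that the reduced forms are identical. The one-line wire format, the function names and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample requests: two different clients asking for the same page.
CLIENT_A = (b"GET /Docs/Index.html HTTP/1.1\r\nHost: Example.org\r\n"
            b"User-Agent: BrowserA/1.0\r\nAccept: text/html\r\n"
            b"Accept-Language: de-DE\r\nCookie: id=abc123\r\n"
            b"Referer: https://example.net/\r\n\r\n")
CLIENT_B = (b"GET /docs/index.html HTTP/1.1\r\nHost: example.org\r\n"
            b"User-Agent: BrowserB/2.3\r\nAccept: */*\r\n"
            b"Accept-Encoding: gzip\r\n\r\n")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def identifying_fields(raw: bytes):
    """Header names the client volunteered beyond the Host needed for routing."""
    _, _, headers = parse_request(raw)
    return sorted(name for name in headers if name != "host")


def minimal_request(raw: bytes) -> bytes:
    """Reduce a request to the ticket's rules: single GET-equivalent method,
    lower-cased URL, no client headers. The one-line wire format is assumed."""
    method, target, headers = parse_request(raw)
    if method != "GET":
        raise ValueError("the minimal protocol has one GET-equivalent method")
    parts = urlsplit(target)
    url = headers.get("host", "") + (parts.path or "/")
    if parts.query:
        url += "?" + parts.query
    return url.lower().encode("utf-8") + b"\n"


if __name__ == "__main__":
    for label, raw in (("A", CLIENT_A), ("B", CLIENT_B)):
        print(label, "dropped:", identifying_fields(raw))
        print(label, "minimal:", minimal_request(raw))
```

Lower-casing the whole URL follows the ticket's rule as written; a server whose paths are case-sensitive would have to map the lower-cased form back to its resources.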

