[tor-bugs] #28005 [HTTPS Everywhere/EFF-HTTPS Everywhere]: Officially support onions in HTTPS-Everywhere

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 16 16:17:02 UTC 2019 

#28005: Officially support onions in HTTPS-Everywhere
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  legind
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  HTTPS Everywhere/EFF-HTTPS           |        Version:
  Everywhere                                     |
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-hs https-everywhere tor-ux       |  Actual Points:
  network-team-roadmap-november                  |
Parent ID:  #30029                               |         Points:  20
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor27-must
-------------------------------------------------+-------------------------

Comment (by asn):

 Here are some notes from the plans we made in Stockholm in the meeting
 between
 me, antonela, sysrqb, redshiftzero, geko and dgoulet:

 ----

 Scope of work:
 - First iteration will include onion rules for securedrop websites
   (e.g. `nytimes.securedrop.tor.onion -> nyttips4bmquxfzw.onion`)
 - Need to add a toolbar button in the ffox UI to show that a redirect
 happened
 - Rewrite URL in URL bar (only show the human-readable url)
 - Add support for viewing rulesets (?)
 - See how update channels work and whether we should disable them or not.

 Out of scope:
 - First iteration will not allow people to easily add their own rules

 TLD scheme:
 - Three options for tld scheme:

   a) nytimes.securedrop.onion   (ambiguous and probably unsafe)
   b) nytimes.securedrop.tor.onion   (safe but bad UX)
   c) nytimes.securedrop.tor    (good UX but DNS leaks in other browsers)

   We decided to ditch (a) from our options and do either (b) or (c). (b)
 is the
   safest and we should probably roll with that (?).

 FPF plan:
 - FPF will change their securedrop directory to include ".tor.onion" links
 for
   their various instances.

 Metadata:
 - 3 months of work are enough

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28005#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list