[tor-dev] [HTTPS-Everywhere] "darkweb everywhere" extension

[yan]

+tor-dev. tl;dr: Would be nice if there were an HTTP response header
that allows HTTPS servers to indicate their .onion domain names so that
HTTPS Everywhere can automatically redirect to the .onion version in the
future if the user chooses a "use THS when available" preference.

I imagine the header semantics and processing would be similar to HSTS.
It would only be noted when sent over TLS and have the max-age and
include-subdomains fields.

-yan

yan wrote:
> Hi all,
> 
> Some people have requested for the "Darkweb Everywhere" extension [1] to
> be integrated into HTTPS Everywhere. This is an extension for Tor
> Browser that redirects users to the Tor Hidden Service version of a
> website when possible.
> 
> I'm supportive of the idea; however, I'm worried that since .onion
> domain names are usually unrelated to a site's regular domain name, a
> malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only
> defends against this by publishing a doc in their Github repo that cites
> evidence for each ruleset [2].
> 
> What if, instead, we asked website owners to send an HTTP header that
> indicates the Tor Hidden Service version of their website? Then HTTPS
> Everywhere could cache the result (like HSTS) and redirect to the THS
> version automatically in the future if the user opts-in.
> 
> If this is something that EFF/Tor would be willing to advocate for, I
> would be happy to draft a specification for the header syntax and
> intended UA behavior.
> 
> Thanks,
> Yan
> 
> 
> [1] https://github.com/chris-barry/darkweb-everywhere/
> [2]
> https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md
> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere
>