[tor-dev] Special handling of .onion domains in Chrome/Firefox (post-IETF-standardization)

Paul Syverson paul.syverson at nrl.navy.mil
Mon Nov 2 20:39:49 UTC 2015


On Mon, Nov 02, 2015 at 09:05:26PM +0200, George Kadianakis wrote:
> Hello,
> 
> as you might know, the IETF recently decided to formally recognize .onion names
> as special-use domain names [0].
> 
> This means that normal browsers like Chrome and Firefox can now
> handle onion domains in a special manner since they know that they
> only correspond to Tor.
> 
> How would we like those browsers to treat onions?
> 
> For starters, those browsers should refuse to connect to onion
> domains entirely.  Onions don't work on normal browsers anyway, and
> also this will reduce the onion leakage through the DNS system [1].

Well, maybe not "entirely". Cf. below.

> 
> An extra measure would be to persuade those browser vendors to
> display some sort of message to poor people who click onions using
> their normal browser. For example they could display:
> 
>                   Oops, seems like you visited an onion link.  You
>                   need a special anonymous browser for this:
>                   www.torproject.org

It might be a better idea to point them to tor2web. For one thing
browser providers will be happier with a display that doesn't directly
tell people they need a different browser to get to an intended
address. The display could say something like:

  Oops, seems like you attempted to visit an onion address, a
  specialized address that provides additional security for
  connections to it. The site can be reached via proxy at
  [tor2web-link-to-relevant-onionsite]. To obtain the intended
  security for access to such sites, follow <A HREF=
  "[link-to-page-w-brief-simple-explanation-n-prominent-link-to-download-TBB]">
  these few simple steps</A> .

No doubt some wordsmithing could make this better in various respects
(amongst them, shorter).
  
> 
> 
> What else could we do here? And is there anyone who can lobby for the right
> behavior? :)
> 
> Of course, we all know that inevitably those browsers will need
> to bundle Tor, if they want to visit the actually secure onion
> Internet. But let's give them a bit more time till they realize this
> :)

I think something like the above improves the transition path, helping
the world along to better security instead of just waiting for the
world to catch up. (And in any case, perhaps at least a few more
months' work would better prepare us for the resulting attention.)

aloha,
Paul

> 
> Cheers!
> 
> [0]: https://blog.torproject.org/blog/landmark-hidden-services-onion-names-reserved-ietf
>      https://www.rfc-editor.org/rfc/rfc7686.txt
>      https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
> 
> [1]: https://www.petsymposium.org/2014/papers/Thomas.pdf
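The refusal discussed in this message, sketched as an added example (not part of the original thread, and not code from Chrome, Firefox or the Tor Project): a client without Tor support decides, before any DNS lookup, whether a URL's host is an onion name. The function names, the returned object shape and the sample address `exampleonionaddr.onion` are assumptions made for illustration.

```javascript
// Added example: pre-resolution check for .onion names in a non-Tor client.
// isOnionHost / classifyNavigation are hypothetical names, not a browser API.

// True when the host is the bare label "onion" or ends in the ".onion" label.
function isOnionHost(hostname) {
  // DNS names are case-insensitive; a single trailing dot marks a fully
  // qualified name and must not let "x.onion." slip past the check.
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return host === "onion" || host.endsWith(".onion");
}

// Decide what to do with a URL before handing its host to the resolver.
function classifyNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: separates userinfo from the host
  } catch (err) {
    return { action: "reject", reason: "unparseable URL" };
  }
  if (!url.hostname) {
    return { action: "ignore", reason: "no host component" };
  }
  if (isOnionHost(url.hostname)) {
    // Never send this name to DNS; show an explanatory page instead.
    return { action: "block", host: url.hostname, reason: "onion name" };
  }
  return { action: "resolve", host: url.hostname };
}

// Constructed sample inputs (not real onion addresses).
const samples = [
  "http://exampleonionaddr.onion/",             // plain onion name
  "https://WWW.ExampleOnionAddr.ONION./x",      // mixed case, trailing dot
  "http://exampleonionaddr.onion@example.com/", // "onion" only in userinfo
  "http://exampleonionaddr.onion.example.com/", // onion label is not the TLD
  "http://notonion/",                           // suffix without a label boundary
];
for (const s of samples) {
  console.log(s, "->", classifyNavigation(s).action);
}
```

The check runs on the parsed host rather than on the raw string, so names that merely contain "onion" in the userinfo or in a non-final label still go to normal resolution.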