[tor-dev] Special handling of .onion domains in Chrome/Firefox (post-IETF-standardization)

Alec Muffett alecm at fb.com
Mon Nov 9 20:59:13 UTC 2015

> On Nov 2, 2015, at 20:39, Paul Syverson <paul.syverson at nrl.navy.mil> wrote:
> On Mon, Nov 02, 2015 at 09:05:26PM +0200, George Kadianakis wrote:
>> Hello,
>> as you might know, the IETF recently decided to formally recognize .onion names
>> as special-use domain names [0].
>> This means that normal browsers like Chrome and Firefox can now
>> handle onion domains in a special manner since they know that they
>> only correspond to Tor.
>> How would we like those browsers to treat onions?
>> For starters, those browsers should refuse to connect to onion
>> domains entirely.  Onions don't work on normal browsers anyway, and
>> also this will reduce the onion leakage through the DNS system [1].
> Well, maybe not "entirely". Cf. below.

Tangential aside: Chrome currently has a bug open in that it does not yet support onion certificates:

https://code.google.com/p/chromium/issues/detail?id=483614

The Onion RFC lays a burden on DNS to NXDOMAIN onion lookups.

It says nothing about having browsers block them.

Perhaps the better thing for Tor adoption is - privacy purism enforced by TBB aside - to enable adoption.

Allow (encourage?) non-TBB browsers to be capable of using Onions.

Roger, after all, stood up movingly at the Aaron Swartz memorial and spoke of letting people pick the security that _they_ wanted, when connecting to a site.

This would, I feel, accord with that position.

    - alec


> It might be a better idea to point them to tor2web. For one thing
> browser providers will be happier with a display that doesn't directly
> tell people they need a different browser to get to an intended
> address.

Pointing people at tor2web would break SSL, but see this thread, which is a side-show to the larger "how can we get personal onion addresses" discussion: https://twitter.com/AlecMuffett/status/658440124624183296

> The display could say something like:
>  Oops, seems like you attempted to visit an onion address, a
>  specialized address that provides additional security for
>  connections to it. The site can be reached via proxy at
>  [tor2web-link-to-relevant-onionsite]. To obtain the intended
>  security for access to such sites, follow <A HREF=
>  "[link-to-page-w-brief-simple-explanation-n-prominent-link-to-download-TBB]">
>  these few simple steps</A> .
> No doubt some wordsmithing could make this better in various respects
> (amongst them, shorter).

Phishing-potential in such dialogues, here?


>> What else could we do here? And is there anyone who can lobby for the right
>> behavior? :)
>> Of course, we all know that inevitably those browsers will need
>> to bundle Tor, if they want to visit the actually secure onion
>> Internet. But let's give them a bit more time till they realize this
>> :)
> I think something like the above improves the transition path, helping
> the world along to better security instead of just waiting for the
> world to catch up. (And in any case, perhaps at least a few more
> months work would better prepare us for the resulting attention.)
> aloha,
> Paul
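
The DNS-side handling discussed in this message (answering .onion lookups with NXDOMAIN, and the leakage of onion names into DNS), as an added example that is not part of the original message or of any Tor or browser code. The log layout, sample lines and function names are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample lines; the "timestamp client qname qtype" layout is an
# assumption, not a real resolver's log format.
SAMPLE_LOG = """\
2015-11-09T20:59:13Z 192.0.2.10 example.com. A
2015-11-09T20:59:14Z 192.0.2.10 constructedaddr1.onion. A
2015-11-09T20:59:15Z 192.0.2.11 www.ConstructedAddr2.ONION AAAA
2015-11-09T20:59:16Z 192.0.2.11 onion.example.net. A
2015-11-09T20:59:17Z 192.0.2.10 constructedaddr1.onion. AAAA
truncated-line-without-fields
"""


def is_onion_name(qname: str) -> bool:
    """True when the rightmost label is 'onion' (case-insensitive, optional root dot)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def resolver_action(qname: str) -> str:
    """Answer .onion locally with NXDOMAIN; everything else is forwarded upstream."""
    return "NXDOMAIN" if is_onion_name(qname) else "FORWARD"


def onion_leaks_by_client(log_text: str) -> Counter:
    """Count .onion queries per client.

    Only counts are kept: the queried name is the sensitive part of the
    leak, so it is deliberately not stored or printed.
    """
    leaks = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or truncated lines
        _ts, client, qname, _qtype = fields
        if resolver_action(qname) == "NXDOMAIN":
            leaks[client] += 1
    return leaks


if __name__ == "__main__":
    for client, count in sorted(onion_leaks_by_client(SAMPLE_LOG).items()):
        print(f"{client} sent {count} .onion queries to DNS")
```

Matching on the final label rather than on a substring keeps names such as `onion.example.net` out of the count.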