[tor-dev] UX improvement proposal: Onion auto-redirects using Alt-Svc HTTP header

Philipp Winter phw at nymity.ch
Wed Nov 15 16:16:44 UTC 2017

On Tue, Nov 14, 2017 at 02:51:55PM +0200, George Kadianakis wrote:
> Let me know what you think :)

Section 9.4 in the Alt-Svc draft talks about abusing the header for
tracking.  In particular, a malicious website could give each Tor user
a unique onion domain to track their activity.  That's particularly
problematic if the "persist" flag is used in the Alt-Svc header.

Granted, malicious websites can already do that to an extent by serving
unique onion domains on each page load, but we should still keep this
issue in mind.

More information about the tor-dev mailing list