[tor-dev] UX improvement proposal: Onion auto-redirects using Onion-Location HTTP header

Iain Learmonth irl at torproject.org
Fri Oct 26 10:38:58 UTC 2018


On 23/10/18 18:15, Alec Muffett wrote:
> But any website that takes an interest (e.g. tracks Cloudflare's
> "xx-tor" country geolocation, or whatever it is called) - regarding the
> reputation of the source IP address will KNOW that the user is coming
> from Tor. 
> We live in a weird world where the Tor community still believes that
> systems administrators don't have trivial access to IP reputation databases.

IP reputation databases do not reflect the current state of the Tor
network exactly. They may be pretty close, even 99%, but they're not
exact. You will get false positives, and a lot of false negatives too.

Improving exit detection is on the list of tasks for Tor Metrics but it
is not our top priority.

> 3) if sites wish to follow Privacy International's example and
> redirect from a DNS TLD to ".onion" then that is something they should
> implement at layer 7, by dint of identifying whether the user has
> arrived over Tor.

Given that false positives are possible, doing this conditionally is
going to give some people a terrible user experience by redirecting them
to an onion they cannot possibly reach in their browser.

This is why I like the Onion-Location header. You don't have to have
this conditional. You don't need to have any infrastructure to provide
lookups from databases (which ideally would need to be refreshed
constantly). You just always serve the header. This also gives you the
opportunity to advertise that a service is available via Onion service
to all users, some of whom might have a browser add-on that lets them
know about these things.
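
The contrast drawn in this message, as an added example that is not part of the original email or Tor Project code: a WSGI app wrapped once with a conditional redirect driven by an exit list and once with an unconditional Onion-Location header. The onion host, the TEST-NET addresses, the stale exit list and the header value format (full onion URL plus request path) are assumptions constructed for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Constructed sample data: a placeholder onion host and a deliberately stale
# exit list (TEST-NET addresses), standing in for an IP reputation database.
ONION_BASE = "http://placeholderonionaddress.onion"
STALE_EXIT_LIST = {"192.0.2.10", "192.0.2.11"}

def app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def conditional_redirect(inner, exit_list):
    """Layer-7 approach: redirect when the source IP is on the exit list."""
    def wrapped(environ, start_response):
        if environ.get("REMOTE_ADDR") in exit_list:
            target = ONION_BASE + environ.get("PATH_INFO", "/")
            start_response("302 Found", [("Location", target)])
            return [b""]
        return inner(environ, start_response)
    return wrapped

def always_advertise(inner):
    """Header approach: every response carries Onion-Location, no lookup."""
    def wrapped(environ, start_response):
        target = ONION_BASE + environ.get("PATH_INFO", "/")
        def sr(status, headers, exc_info=None):
            extra = [("Onion-Location", target)]
            return start_response(status, headers + extra, exc_info)
        return inner(environ, sr)
    return wrapped

def request(wsgi_app, remote_addr, path="/docs"):
    """Drive a WSGI app once; return (status code, headers dict)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REMOTE_ADDR=remote_addr, PATH_INFO=path)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = int(status.split()[0]), dict(headers)
    b"".join(wsgi_app(environ, start_response))
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    cond, hdr = conditional_redirect(app, STALE_EXIT_LIST), always_advertise(app)
    # 192.0.2.10: listed but no longer an exit (false positive).
    # 198.51.100.7: an exit the list has not picked up (false negative).
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "conditional:", request(cond, ip), "header:", request(hdr, ip))
```

With the conditional wrapper, the listed address is sent to the onion whether or not its browser can reach it, and the unlisted one never learns the onion exists; with the header wrapper both get the normal page plus the advertisement.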


