[tor-onions] Random Onion Tip

Alec Muffett alecm at fb.com
Fri Feb 5 15:20:29 UTC 2016


Happy Friday!

Obligatory Onion tip: if you are running a public/onion hybrid site, you probably want to block Tor2web.

This may sound weird ("zomg block!"), but since you are already reachable on both networks, being accessible via Tor2web as well adds risk and offers little benefit.

We actually worked with Fabio/naif from Tor2web to achieve this, to keep people safer: https://github.com/globaleaks/Tor2web/issues/162

The block is simple: deny (with a helpful message) Onion requests which contain a 'X-Tor2web' header; see the SecureDrop discussion at https://github.com/freedomofpress/securedrop/issues/43 for more context.
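As an added illustration of the block described above (example code, not Alec's, Facebook's, Tor2web's or SecureDrop's implementation), here is a small WSGI middleware that refuses requests carrying an X-Tor2web header, but only when the request was addressed to the .onion host, so the public side of a hybrid site is untouched. The refusal text, the hostname-based onion detection and the sample requests are assumptions made for the example; WSGI's HTTP_X_TOR2WEB key is the standard CGI mapping of the X-Tor2web header name the post mentions.

```python
# Added example: deny Tor2web-relayed requests on the onion side of a
# public/onion hybrid site. Illustrative code, not the original post's.
from wsgiref.simple_server import make_server

ONION_SUFFIX = ".onion"

# Helpful refusal text (wording is an assumption; the post only asks for
# "a helpful message").
DENY_MESSAGE = (
    "This onion site does not accept connections relayed via Tor2web.\n"
    "Please use Tor Browser to reach it directly, or visit the regular\n"
    "public website instead.\n"
)


def is_onion_request(environ):
    """True when the request was addressed to a .onion host.
    Assumption: the onion vhost is selected by the Host header; adjust if
    your deployment distinguishes the onion side differently."""
    host = environ.get("HTTP_HOST", "").split(":")[0].rstrip(".").lower()
    return host.endswith(ONION_SUFFIX)


def is_tor2web_request(environ):
    """True when an X-Tor2web header is present.  WSGI exposes request
    headers as HTTP_<NAME> with dashes turned into underscores.  Only the
    presence is checked; the post does not specify a header value."""
    return "HTTP_X_TOR2WEB" in environ


class Tor2webBlocker:
    """Wraps a WSGI app and answers onion requests that carry X-Tor2web
    with 403 and the helpful message; everything else passes through."""

    def __init__(self, app, message=DENY_MESSAGE):
        self.app = app
        self.body = message.encode("utf-8")

    def __call__(self, environ, start_response):
        if is_onion_request(environ) and is_tor2web_request(environ):
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(self.body))),
            ])
            return [self.body]
        return self.app(environ, start_response)


def site_app(environ, start_response):
    """Stand-in for the real site behind the middleware."""
    body = b"Welcome to the hybrid site.\n"
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


app = Tor2webBlocker(site_app)


def run_request(environ, wsgi_app=app):
    """Drive a WSGI app with a minimal environ; returns (status, body_text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    base = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "localhost",
            "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    base.update(environ)
    body = b"".join(wsgi_app(base, start_response)).decode("utf-8")
    return captured["status"], body


def serve(host="127.0.0.1", port=8000):
    """Serve the wrapped app locally, e.g. to try it with
    curl -H 'Host: exampleaddress.onion' -H 'X-Tor2web: 1' http://127.0.0.1:8000/"""
    make_server(host, port, app).serve_forever()


if __name__ == "__main__":
    # Constructed sample requests (hostnames are placeholders):
    print(run_request({"HTTP_HOST": "exampleaddress.onion", "HTTP_X_TOR2WEB": "1"}))
    print(run_request({"HTTP_HOST": "exampleaddress.onion"}))
    print(run_request({"HTTP_HOST": "www.example.com", "HTTP_X_TOR2WEB": "1"}))
```

The third sample request shows the design choice: a client can always send an X-Tor2web header to the public site, and denying it there gains nothing, so the middleware only acts when the request arrived on the onion name. In a real deployment the same check is usually expressed in the web server's own configuration for the onion vhost rather than in application code.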

Whether your message merely issues a denial or also offers a redirect link is a matter of taste.  We chose not to.

The block is reinforced by those sites which are able to obtain an EV Onion certificate, which hampers use from uncertificated domains.

    -a
