[tor-onions] TBB 8 alt-svc and redirecting alt-svc'd users to navigate via the .onion

[Mike Tigas]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hey y'all,

Copying this over from a reply I made to tor-talk (since I mentioned
it over in the #tor-onions IRC channel).

Basically 1) confirming that alt-svc does seem to work consistently in
newer TBB, and 2) a fun accident in sending a HTTP 302 to folks that
get to the onion via alt-svc.

> [...]
> In any case, I did a quick test on propublica.org *not* using cloudflare's built-in onion service feature (since we're running our own with our own EV cert anyway), and wanted to mention it here:
>
> Set `alt-svc: h2="www.propub3r6espa33w.onion:443"; ma=300`, and looks like TBB (8.5a1) actually did silently switch over to using the onion for the connection. As above, there'd generally be no outward indication to the user that this has happened, except I'd actually configured the onion proxying bits (right now running nginx) to throw the browser a 302 redirect to the onion domain if the HTTP Host header isn't the onion domain. So, I'd inadvertently set this up to work where the user actually > does get fully redirected over to the onion.
>
> (I've since taken off the alt-svc header, since that was just a quick test and I'll need to figure out if that's behavior we want in lieu of the TBB UI getting an explicit user interaction before moving to the alt-svc. But figured that's worth mentioning for folks who _do_ want to easily make a clearnet domain redir TBB to an onion domain.)
>
> [1]: https://trac.torproject.org/projects/tor/ticket/27590
> [2]: https://trac.torproject.org/projects/tor/attachment/ticket/21952/21952.png

Anyway, that was a fun and awesome surprise. Perhaps should be
obvious, but honestly I had no idea how the alt-svc behavior was going
to work.

Hopefully this is helpful to others?

- --
Mike Tigas
https://mike.tig.as/
-----BEGIN PGP SIGNATURE-----
Comment: https://mike.tig.as/pgp/
Comment: http://tigas3l7uusztiqu.onion/pgp/

iQIzBAEBCgAdFiEEGzfVMu3Uhpsce8OaFLh4upXaaEoFAluley0ACgkQFLh4upXa
aEp25g//ZvfORMnDMc4kf0OicTYRsv0mJUA/QS7GAqtpNX4Su5iqQWRYN8yE80iU
a3u06z+V1lVCLW5GKjGdPZjcxtAaRmq+fezR9ScUhxIg+BdeApQHUpYgf7DABZtL
ImYNx8dO3gkFjbmA0P6Cpxzf5Fl8nYMuyH40LivlufWERapYX9r6YKTR0o0zmkzj
06A9E7wPGeJxnbD+pc8XxSdtCJhxFRGVqoT9MqnRkiMTRU1Dh2Fbriyaqx1iHj/H
CjCGIE3A9WmGdUKlRgcJzMFoRz/GXLnxGzEjT3eOu56BA3CY/ShYyUMmUf3ILj0s
8L5UHs7zlzSWFpfqO7kYrm0IJForS32DxtsQHGcVyz6Hi+UHBHoWob+1caukWX4G
CI7sC+rw//M3iGxJddRUYHTNh8ZJSpglDAP0mBd3qBCTvBHTDuqBopfLr4/Vs3MY
DKTYmjT+vp2HeXu3gT7S8E+aF40WmFNmQLBvnxqb0PclbhRxXhd+5UxAfzv6EW0L
oZgL4vQzuEjV4j15vozqlojTInIlrpLdWAmx0xAhRfQIdjSHlWWXhkKdGIl12H76
wswRkBi2LHBzPANx7VkMT7FItF7+Hcw5MwEsZ8NJV7P6mWZ8CtT8fUJaPLAAYaBX
q0UELMhkXQi6XoX7M8WRfY/d8R71fNUgzJTUNffktE3yBpxdliWIuAQBEwoAHRYh
BOk8LVk3LzcQmzAuvZFvvD/f12DEBQJbpXstAAoJEJFvvD/f12DE4fkCCM54+/b8
Z3qI9XBUC2iNgjaFuVYd8IgS0ikl5xLMePJTZVp1FxrNhBmqd0G8JwhRxOq6PNWf
tPH7VLpv1jtPX/AGAgkBqemkYIZnEGujCdQuiYjyHDsiWofIjcycX3ei593IDMXp
NqdrFz2/auLeZYHBPKaH5ts4Vj+xIAW4Zk0DBafmQfM=
=XpLQ
-----END PGP SIGNATURE-----