[tor-project] [INFORMATION REQUEST] Onion Service Web Site Deployments

Matthew Finkel sysrqb at torproject.org
Mon Jul 20 22:44:06 UTC 2020


(tl;dr: We'd like more information about how onion services are
deployed, and whether we should re-think about the current assumption
that connections with all onion services are secure. Do you send HTTP
(unencrypted/unauthenticated) traffic between the onion service and a
remote web server?)


Hello everyone,

Recently we received a question and concern regarding how Tor Browser
interacts with web sites over HTTP. Over the last few years, Tor Browser
has increasingly trusted HTTP connections with a .onion address
(HTTP+.onion) due to the inherent security properties of onion services.

The security assumptions Tor Browser makes about these connections are
based on another critical assumption: connections between the onion
service and the destination web server are "secure" [0]. This assumption
is correct when an onion service is run beside the web server and
connections between the two components are over localhost/loopback/etc.
However, onion services can connect to a remote web server instead, and
when the connection between those hosts/components is not secure then
Tor Browser's security assumption about the overall connection is wrong.
Let's call this latter configuration an "onion tunnel" (for lack of a
better term right now).

We are now aware some web sites are deploying onion tunnels where the
connection between the onion service and the web server is not secure.
As a result, we are considering reverting [1] a change of behavior in
Tor Browser where "secure cookies" may leak in plaintext under some
circumstances in an onion tunnel deployment.

Tor Browser treats connections with onion services as secure in other
ways, as well. We'd like more information about how onion services are
deployed, and whether we should re-think about the current assumption
that all .onion connections are secure.

Do you know of deployments where HTTP (unencrypted/unauthenticated)
traffic is sent between the onion service and a remote web server?

(Please email me privately if you feel more comfortable with that.)

Thanks,
Matt

[0] In this context, let's say "secure" means a connection that provides
    unidirectional authenticity, and bidirectional integrity and
    confidentiality. TLS is the typical example, but onion services provide
    these properties, too.

[1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40033
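
Added example (not part of the original message and not Tor Project code): a Python check that reads a torrc and flags each `HiddenServicePort` whose target is neither a loopback address nor a Unix socket, i.e. a candidate "onion tunnel" in the sense used above. The sample torrc, its paths and its addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample torrc for illustration (not from the original message).
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/site_a/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 unix:/run/web.sock
HiddenServicePort 8080
HiddenServicePort 81 [::1]:8081
# site_b forwards to a backend on another host
HiddenServiceDir /var/lib/tor/site_b/
HiddenServicePort 80 203.0.113.10:80
"""

def target_host(args):
    """Host part of a HiddenServicePort TARGET, or None when it is local by construction."""
    if len(args) < 2:
        return None                      # no TARGET: tor uses 127.0.0.1:VIRTPORT
    target = args[1]
    if target.startswith("unix:") or target.isdigit():
        return None                      # Unix socket, or bare port on 127.0.0.1
    if target.startswith("["):
        return target[1:target.index("]")]   # bracketed IPv6 literal
    return target.rsplit(":", 1)[0] if ":" in target else target

def audit_torrc(text):
    """Return (service_dir, virtport, target) for every non-loopback backend."""
    findings, service = [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]   # torrc option names are case-insensitive
        if key == "hiddenservicedir" and args:
            service = args[0]
        elif key == "hiddenserviceport" and args:
            host = target_host(args)
            if host is None:
                continue
            try:
                local = ipaddress.ip_address(host).is_loopback
            except ValueError:
                local = False            # not an IP literal: cannot be shown to be loopback
            if not local:
                findings.append((service, args[0], args[1]))
    return findings

if __name__ == "__main__":
    for service, virtport, target in audit_torrc(SAMPLE_TORRC):
        print(f"{service}: virtual port {virtport} forwards off-host to {target}")
```

A flagged entry only shows that traffic leaves the host; whether that hop is protected (for example by TLS to the backend) has to be checked separately, and a loopback target can still front a proxy that forwards in plaintext.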

