[tor-talk] Using HTTPS Everywhere to redirect to .onion

Roger Dingledine arma at mit.edu
Fri Feb 28 01:25:49 UTC 2014


On Thu, Feb 27, 2014 at 05:06:08PM +0000, Kill Your TV wrote:
> 
> Since you're using Apache I think mod-rewrite would be a far better
> solution. After all, rewriting URLs is what it does. :)
> 
>      https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

This approach would work somewhat, but it loses some nice security
properties (mainly authentication). In the https-everywhere case,
you never (try to) touch the main website -- which means you can't get
sent to the wrong place with dns forgery, and you can't get snookered
by somebody who broke into TurkTrust, got a valid SSL certificate for
the website, and is now pretending to be the website (and chooses not
to do the rewrite for you).

In general, making choices on the browser side is safer than leaving it
to the server to keep you safe.

That said, the question in my mind is how to move this from "if you're
very smart, you can write your own https-everywhere rule for yourself"
to "ordinary TBB users get this benefit". I don't really want to get
into the business of writing an /etc/hosts file for public website ->
hidden service mappings.

--Roger
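
Added example, not part of the original message: a small JavaScript model of the difference described above between a browser-side rule and a server-side redirect. The hostnames, the onion name and the toy "network" are constructed assumptions; no real requests are made.

```javascript
// Added illustration. example.com and the onion name are constructed placeholders.
const ONION = "exampleonionplaceholder.onion";
// HTTPS Everywhere-style rule: regex match on the URL, replaced by a fixed target.
const RULES = [{ from: /^https?:\/\/(?:www\.)?example\.com\//, to: `http://${ONION}/` }];

// Browser side: the rule is applied before any DNS lookup or TLS handshake.
function rewriteLocally(url, rules) {
  for (const { from, to } of rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

// Toy network: each host maps to a responder; every host contacted is recorded.
function fetchFollowingRedirects(url, responders, maxHops = 5) {
  const contacted = [];
  for (let hop = 0; hop <= maxHops; hop++) {
    const host = new URL(url).hostname;
    const responder = responders[host];
    if (!responder) throw new Error(`no responder for ${host}`);
    contacted.push(host);
    const res = responder(url);
    if (res.status !== 301 || !res.location) return { finalUrl: url, contacted };
    url = res.location;
  }
  throw new Error("too many redirects");
}

// Server side: the real site redirects (the mod_rewrite approach) ...
const honestSite = (url) => ({ status: 301, location: rewriteLocally(url, RULES) });
// ... but whoever answers for example.com via forged DNS or a mis-issued
// certificate can simply serve content and never send the redirect.
const impostor = () => ({ status: 200 });
const onionService = () => ({ status: 200 });

function visit(url, clearnetResponder, useLocalRule) {
  const responders = { "example.com": clearnetResponder, [ONION]: onionService };
  const start = useLocalRule ? rewriteLocally(url, RULES) : url;
  return fetchFollowingRedirects(start, responders);
}

console.log(visit("https://example.com/inbox", honestSite, false));
console.log(visit("https://example.com/inbox", impostor, false));
console.log(visit("https://example.com/inbox", impostor, true));
```

With the local rule the clearnet host is never contacted, so the outcome does not depend on who answers for it.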


