[tor-talk] Using HTTPS Everywhere to redirect to .onion
Gerardus Hendricks
konfkukor at riseup.net
Fri Feb 28 17:13:48 UTC 2014
On 2/28/14 2:25 AM, Roger Dingledine wrote:
> I don't really want to get
> into the business of writing an /etc/hosts file for public website ->
> hidden service mappings.
Maybe an option to avoid that would be to do something along the lines
of HSTS. A Tor-Transport-Security header, that would specify the hidden
service that corresponds to the clearnet website being reached, only
when reaching the clearnet website over authenticated TLS.

After receiving such a header, the TBB would refuse to load the clearnet
website, and instead reach the .onion site for the specified max-age.
The .onion site would (have the authority to) update the max-age too.

It would change browser behavior based on past user behavior, which
allows for (some limited?) fingerprinting attacks.

Also, like with HSTS, you are still trusting the TLS PKI for the first
connection if you don't preload the list. Though, without this you would
need to trust the TLS PKI anyway, so there is not much to lose.

Regards,
Gerard
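
The browser-side pin store proposed in this message, sketched as an added example that is not part of the original post and not Tor Browser code. The `onion=` directive, the `OnionPinStore` and `parseHeader` names, and the host values used with it are assumptions; only the header name and `max-age` come from the post.

```javascript
// Assumed syntax: Tor-Transport-Security: onion=<addr>.onion; max-age=<seconds>
// Only the header name and max-age are from the post; "onion=" is hypothetical.
function parseHeader(value) {
  const fields = {};
  for (const part of String(value).split(";")) {
    const [k, v] = part.split("=").map((s) => s.trim());
    if (k) fields[k.toLowerCase()] = v || "";
  }
  // v2 (16 chars) or v3 (56 chars) base32 onion address
  if (!/^[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion$/.test(fields.onion || "")) return null;
  if (!/^\d+$/.test(fields["max-age"] || "")) return null;
  return { onion: fields.onion, maxAge: Number(fields["max-age"]) };
}

class OnionPinStore {
  constructor() {
    this.pins = new Map(); // clearnet host -> { onion, expires }
  }

  // conn = { host, scheme, tlsAuthenticated }: the connection the header arrived on.
  observe(conn, headerValue, nowSec) {
    const parsed = parseHeader(headerValue);
    if (!parsed) return false;
    let clearnet = null;
    if (conn.scheme === "https" && conn.tlsAuthenticated && !conn.host.endsWith(".onion")) {
      clearnet = conn.host; // clearnet site over authenticated TLS
    } else if (conn.host === parsed.onion) {
      // The pinned .onion itself may refresh max-age for the site it is pinned to.
      for (const [site, pin] of this.pins) {
        if (pin.onion === conn.host && pin.expires > nowSec) clearnet = site;
      }
    }
    if (clearnet === null) return false; // plain HTTP, bad certificate, unrelated .onion
    // max-age=0 clears the pin, as in HSTS (assumed to carry over).
    if (parsed.maxAge === 0) this.pins.delete(clearnet);
    else this.pins.set(clearnet, { onion: parsed.onion, expires: nowSec + parsed.maxAge });
    return true;
  }

  // Host the browser should connect to when the user requests `host`.
  resolve(host, nowSec) {
    const pin = this.pins.get(host);
    if (!pin || pin.expires <= nowSec) {
      this.pins.delete(host);
      return host;
    }
    return pin.onion;
  }
}
```

The `pins` map is the persistent state the message refers to: its contents depend on which sites the user has visited, which is where the fingerprinting concern comes from.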