[tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion

Michael Wolf mikewolf at riseup.net
Wed May 14 11:32:49 UTC 2014


On 5/13/2014 9:21 PM, Asa Rossoff wrote:
> On May 14, 2014 00:51 UTC, Michael Wolf wrote:
>> I had an idea recently that might be an improvement (or might not?) on
>> the darkweb-everywhere concept.  What if we introduced an HTTP header
>> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
>> sites that wished to advertise their .onion address?  Just like HSTS,
>> the header would only be acted upon if received over HTTPS (we don't
>> want malicious parties injecting headers and redirecting people).
>> Future versions of TBB could perhaps automatically redirect users to the
>> .onion site when this header is present, or perhaps prompt users to
>> inform them of the hidden service.
> 
<snip>
> 
> One potential bad thing is correlating your initial request with the onion
> URL request you are redirected to, especially for third-party content on a
> website (from URLs not in the address bar), e.g. advertising and tracking
> images, cookies, and scripts.  The header could be ignored for those too as
> a matter of policy as well, though.  But even first-party redirects will
> potentially give the site operator any information they garnered from your
> initial connection, and maybe malicious exits could conspire to be involved
> in hosting websites and further profile you.

I thought about that -- but I don't think much is at risk.  The browser
would receive the header on its first request to the site, before it
received any links to advertising or loaded additional resources from
third parties.  If the browser immediately drops the connection and
opens a new connection to the .onion site, what has anyone learned that
they didn't already know?  The target site saw a connection from an exit
node, and then a connection to the hidden service, so it can assume that
this is the same person... but how is that any worse than you continuing
to connect to them over clearnet?  The third parties never see a
connection until after the page has loaded from the .onion domain, so
there's no contamination there.  Am I missing something?

> The header should definitely be ignored if the browser made any direct
> connection to the site (non-Tor), as that could directly expose your
> original IP to the hidden service and any other data profiled, although this
> is a non-issue in a correctly configured TBB.  Just a warning for any other
> browsers/parties who try to implement the feature.

Agreed.  The redirect probably shouldn't be automatic anyway, unless the
user specifically configures it that way with a user preference
somewhere.  A once-per-session prompt with a "Don't ask me again"
checkbox would be nice.

-- Mike
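
The rules discussed in this thread (HTTPS only, top-level documents only, ignored on non-Tor connections, prompt unless the user opted in), as an added example that is not part of the original message or of any Tor Browser code. The function name, the shape of `resp`, `prefs` and `session`, the header value format (a bare .onion hostname) and the `http://` target scheme are all assumptions.

```javascript
// Hypothetical client-side policy for the proposed X-Onion-Address header.
// Assumption: the value is a bare .onion hostname (16 or 56 base32 characters);
// the thread does not define a value format.
const ONION_HOST = /^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$/;

// resp:    { url, isTopLevel, viaTor, headers } with lowercase header names (assumed shape)
// prefs:   { mode: "ask" | "always" | "never" }  ("Don't ask me again" sets always/never)
// session: { prompted: Set of hostnames already prompted for in this session }
function decideOnionRedirect(resp, prefs, session) {
  const ignore = (reason) => ({ action: "ignore", reason });
  const url = new URL(resp.url);

  // Like HSTS: only honour the header when it arrived over HTTPS.
  if (url.protocol !== "https:") return ignore("not-https");
  // Only the address-bar document counts, never third-party subresources.
  if (!resp.isTopLevel) return ignore("subresource");
  // A direct (non-Tor) connection would tie the real IP to the onion visit.
  if (!resp.viaTor) return ignore("non-tor-connection");
  // Already on the hidden service: nothing to do.
  if (url.hostname.endsWith(".onion")) return ignore("already-onion");

  const raw = resp.headers["x-onion-address"];
  if (typeof raw !== "string") return ignore("no-header");
  const host = raw.trim().toLowerCase();
  if (!ONION_HOST.test(host)) return ignore("malformed-address");

  // Keep path and query, swap the host. The http:// scheme is an assumption.
  const target = `http://${host}${url.pathname}${url.search}`;

  if (prefs.mode === "never") return ignore("user-disabled");
  if (prefs.mode === "always") return { action: "redirect", target };
  // Default: prompt once per session per site, never redirect silently.
  if (session.prompted.has(url.hostname)) return ignore("already-prompted");
  session.prompted.add(url.hostname);
  return { action: "prompt", target };
}
```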


