[tor-talk] darkweb-everywhere - was: Using HTTPS Everywhere to redirect to .onion

Patrick Schleizer adrelanos at riseup.net
Wed May 14 13:47:04 UTC 2014


Michael Wolf:
> On 5/14/2014 4:23 AM, Mike Cardwell wrote:
>> * on the Tue, May 13, 2014 at 08:51:28PM -0400, Michael Wolf wrote:
>>> I had an idea recently that might be an improvement (or might not?) on
>>> the darkweb-everywhere concept.  What if we introduced an HTTP header
>>> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
>>> sites that wished to advertise their .onion address?  Just like HSTS,
>>> the header would only be acted upon if received over HTTPS (we don't
>>> want malicious parties injecting headers and redirecting people).
>>> Future versions of TBB could perhaps automatically redirect users to the
>>> .onion site when this header is present, or perhaps prompt users to
>>> inform them of the hidden service.
>>
>> I would prefer it if the people who run websites with hidden service
>> alternatives would simply check if the client IP is a Tor exit node,
>> and then advertise the availability of the hidden service to such
>> users inside the actual website.
>>
>> This wouldn't be that difficult either. We have the Tor DNSEL, and
>> there are also a few Apache modules which allow you to perform DNSBL
>> style lookups on the client IP and perform different actions based on
>> the result, such as setting environment variables/headers etc.
>>
> 
> Adding a header is one line in an .htaccess file for Apache.  It's one
> line in a configuration file for nginx as well.  The instructions for
> telling people to add this header would be the same for every site using
> Apache/nginx, respectively.  'Simply check[ing] if the client IP is a
> Tor exit node, and then advertis[ing] the availability of the hidden
> service to such users' is not nearly as simple (definitely not a
> 'one-liner'), and would require a unique/custom solution for nearly
> every site.
> 
> Checking for exit node IP addresses can also fail.  Records are not
> always fresh, some exit nodes use a different IP address for incoming
> vs. outgoing traffic, and some users may be using a VPN after tor (even
> if it is a bad idea), giving a false negative.  The header has none of
> these problems.  The header is a simple advertisement that the site
> offers its content at an .onion domain.  The user agent (or plugin) is
> free to use or ignore this information as it pleases.  It's simple, it
> doesn't fail, and it doesn't require additional interaction with a third
> party (no DNS requests leaking who is connecting to a site...).

Good you mention it. Nonetheless, Mike Cardwell's is still of interest
to me.
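As an added illustration of the user-agent side of Michael Wolf's proposal (example code written for this page, not code from anyone in the thread or from Tor Browser): the header is only trusted when the response arrived over HTTPS, exactly as HSTS does, and its value is further required to be a syntactically valid .onion hostname so a forged or misconfigured header cannot send users to an arbitrary clearnet host. It assumes the header name `X-Onion-Address` from the thread, a value that is either a bare hostname or a URL, and base32 onion names of 16 (v2) or 56 (v3) characters.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Header name as proposed in the thread (hypothetical; not a standardised header).
HEADER = "X-Onion-Address"
# v2 onion names are 16 base32 characters, v3 names are 56; optional subdomains allowed.
ONION_HOST = re.compile(r"^(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def advertised_onion(scheme: str, headers: dict) -> Optional[str]:
    """Return the .onion host a response advertises, or None if it must be ignored.

    Rule 1 (from the proposal, mirroring HSTS): only honour the header when the
    response came over HTTPS, so a party injecting headers into plain HTTP cannot
    redirect the user.
    Rule 2: the value must name a well-formed .onion host, so the header cannot be
    used as an open redirect to a non-onion site.
    """
    if scheme.lower() != "https":
        return None
    value = None
    for name, v in headers.items():          # header names are case-insensitive
        if name.lower() == HEADER.lower():
            value = v.strip()
    if not value:
        return None
    # Accept a bare hostname or a full URL; keep only the host part.
    host = urlsplit(value if "://" in value else "//" + value).hostname
    if host is None or not ONION_HOST.match(host.lower()):
        return None
    return host.lower()


def decide(scheme: str, headers: dict, preference: str = "prompt"):
    """Apply the user's preference: 'redirect', 'prompt' or 'ignore'.

    Returns (action, host); action is 'none' when nothing should happen.
    """
    host = advertised_onion(scheme, headers)
    if host is None or preference == "ignore":
        return ("none", None)
    return (preference, host)


if __name__ == "__main__":
    # Constructed sample responses: the same header over HTTPS and over plain HTTP.
    hdr = {"X-Onion-Address": "http://" + "a" * 56 + ".onion/"}
    print(decide("https", hdr, "prompt"))   # header honoured
    print(decide("http", hdr, "redirect"))  # ignored: not received over HTTPS
```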