[tor-talk] torpoxy support for forced https
allenpmd at gmail.com
Wed Dec 16 14:23:35 UTC 2015
> To get all the ways in which web browsers treat https differently
> from http: mixed content warnings, cookie policies etc. pp.
> Browsers won't special-case .onion as 'like https', and should not
> because whether they actually are depends on things outside the

I suggest torproxy could generate a random CA certificate when it's
installed and transparently convert all http to https, generating the
required SSL certificates on-the-fly and signing them with the random CA
certificate. The user would then have to add the random CA certificate to
their browser, or better yet, this could somehow be automated for the Tor
Browser. One open question with this scheme is whether torproxy would also
need to rewrite html content to change http urls to https.

Alternately, the Tor Project could ask Mozilla and other browser
developers to add a switch for "treat .onion as secure". Or maybe it could
be "treat .onion as secure but only if certain conditions hold, such as the
proxy is running on the localhost and a to-be-determined status query of
the proxy succeeds".