[tor-talk] torproxy support for forced https

Katya Titov kattitov at yandex.com
Thu Dec 24 11:41:12 UTC 2015


> I suggest torproxy could generate a random CA certificate when it's
> installed and transparently convert all http to https, generating the
> required SSL certificates on-the-fly and signing them with the random
> CA certificate.  The user would then have to add the random CA
> certificate to their browser, or better yet, this could somehow be
> automated for the Tor Browser.  One open question with this scheme is
> whether torproxy would also need to rewrite html content to change
> http urls to https.

This is similar to a method which oppressive governments use to monitor
their users. Not something that Tor should be involved in.

> Alternately, the Tor Project could ask Mozilla and other browser
> developers to add a switch for "treat .onion as secure".  Or maybe it
> could be "treat .onion as secure but only if certain conditions hold,
> such as the proxy is running on the localhost and a to-be-determined
> status query of the proxy succeeds".

.onion sites already are secure. I think what you are looking for is a
way to signal to the user that HTTPS is not required for .onion
sites. I'd lean towards just using HTTPS because that means there is no
further education to be performed. Let's Encrypt could help here.
-- 
kat

