[tor-talk] Deploying Alt-Svc on your own website. Hello?

Alec Muffett alec.muffett at gmail.com
Sat Sep 22 15:15:08 UTC 2018


On Sat, 22 Sep 2018, 16:07 Roman Mamedov, <rm at romanrm.net> wrote:

> There is no point in running HTTPS-over-Tor-hidden-service, as .onion traffic
> is already authenticated and encrypted, it only adds useless overhead.


I see your point, but there are a couple of additional perspectives to be
considered:
https://medium.com/@alecmuffett/onions-certs-browsers-a-three-way-mexican-standoff-7dc987b8ebc8
- especially regarding new functionality that will be locked to HTTPS


> If there's no way around that with the alt-svc scheme, that seems like a huge
> oversight.


Respecting AltSvc on port 80 would be as dangerous, possibly more
dangerous, than cleartext HTTP already is; and regards the notion of making
"onion" into a widely respected secure source equivalent to a HTTPS site,
please see the above essay.

-a

