On 07/02/2015 06:54 PM, Drake, Brian wrote:
> I love “Block all HTTP requests”. But from a technical point of view,
> it’s silly that it also blocks onion services.

I think the non-inclusion of onion addresses is not necessarily intentional.

> Having said that, a while ago, on the Tor blog, I read about the issue
> of onion services using HTTPS, and I think it said there was some
> disagreement about this. You might say that it’s silly, or that it’s
> almost necessary (so we can train non-security-expert users to demand
> HTTPS all the time). Any thoughts about this?

Ideally onion services would use HTTPS since the security guarantees of .onion are lower than modern HTTPS standards. However, I think for many onion services, getting a CA-validated certificate is not an option.

I would accept a pull request to allow .onion addresses when "Block all HTTP requests" is enabled. But please make sure it only allows them when using Tor. It's an edge case, but someone with compromised DNS could be convinced that a .onion name exists on the cleartext Internet and convinced to visit it in spite of the block.
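
The rule asked for in the message above (let .onion through "Block all HTTP requests" only when using Tor), as an added example that is not HTTPS Everywhere's code and not part of the original message. The function names and the torProxyInUse flag are hypothetical, and the hostnames are constructed.

```javascript
// Added illustration; not HTTPS Everywhere source code.
// `torProxyInUse` is a hypothetical flag: the caller must derive it from the
// browser's actual proxy configuration, never from the request itself.

// True only when the LAST DNS label is "onion", so that a clearnet name such
// as "something.onion.example.com" is not mistaken for an onion service.
function isOnionHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop root dot
  const labels = host.split(".");
  return (
    labels.length >= 2 &&
    labels.every((label) => label.length > 0) &&
    labels[labels.length - 1] === "onion"
  );
}

// Decide the fate of one request. Returns "allow" or "block".
function decideRequest(urlString, { blockAllHttp, torProxyInUse }) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return "block"; // unparseable URL: fail closed
  }

  // This mode only concerns cleartext HTTP; other schemes are out of scope.
  if (url.protocol !== "http:") return "allow";
  if (!blockAllHttp) return "allow";

  // Cleartext HTTP to an onion service is tolerated only over Tor. Without
  // Tor, a ".onion" name that resolves at all came from ordinary (possibly
  // compromised) DNS, so it is blocked like any other HTTP request.
  if (isOnionHost(url.hostname) && torProxyInUse) return "allow";

  return "block";
}

// Constructed sample requests.
const mode = { blockAllHttp: true, torProxyInUse: false };
for (const u of [
  "http://constructedexample.onion/",
  "http://constructedexample.onion.example.com/",
  "https://example.com/",
]) {
  console.log(u, "->", decideRequest(u, mode));
}
```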
