On 2015-07-06 10:39, Jacob Hoffman-Andrews wrote:
Ideally onion services would use HTTPS since the security guarantees of
.onion are lower than modern HTTPS standards. However, I think for many
onion services, getting a CA-validated certificate is not an option.
I would accept a pull request to allow .onion addresses when "Block all
HTTP requests" is enabled. But please make sure it only allows them when
using Tor. It's an edge case, but someone with compromised DNS could be
convinced that a .onion name exists on the cleartext Internet and
convinced to visit it in spite of the block.
How would one verify that the user is "using Tor"?
Tor doesn't necessarily happen as part of the browser or even local
machine and anyone in a position to MITM enough to fake a .onion TLD
could probably mimic whatever test you use to verify whether Tor is
active (or otherwise proxy everything through to Tor proper, except for
whatever evil they're doing)
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
