On 2015-07-06 15:42, yan wrote:
On 7/6/15 3:35 PM, Dave Warren wrote:
On 2015-07-06 10:39, Jacob Hoffman-Andrews wrote:
Ideally onion services would use HTTPS since the security guarantees of
.onion are lower than modern HTTPS standards. However, I think for many
onion services, getting a CA-validated certificate is not an option.
I would accept a pull request to allow .onion addresses when "Block all
HTTP requests" is enabled. But please make sure it only allows them
when
using Tor. It's an edge case, but someone with compromised DNS could be
convinced that a .onion name exists on the cleartext Internet and
convinced to visit it in spite of the block.
How would one verify that the user is "using Tor"?
Presmably using the SSL Observatory routine of making a request to
check.torproject.org. A MITM can't fake a positive response since it's
TLS only (and key pinned, i think).
I agree with Jacob that Onion services without TLS don't have nearly
the same security level as proper HTTPS, but am in favor of letting
.onion domains go through in "Block HTTP" mode.
What good would that do? Were I writing network level malware trying to
fake a .onion site, I'd just pass traffic going to check.torproject.org
through (via Tor or not, whatever is the expected behaviour here? I'd
guess "Route it via Tor") unmangled.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
