> On Nov 2, 2015, at 20:39, Paul Syverson <[email protected]> wrote:
>
> On Mon, Nov 02, 2015 at 09:05:26PM +0200, George Kadianakis wrote:
>> Hello,
>>
>> as you might know, the IETF recently decided to formally recognize .onion
>> names as special-use domain names [0].
>>
>> This means that normal browsers like Chrome and Firefox can now
>> handle onion domains in a special manner since they know that they
>> only correspond to Tor.
>>
>> How would we like those browsers to treat onions?
>>
>> For starters, those browsers should refuse to connect to onion
>> domains entirely. Onions don't work on normal browsers anyway, and
>> also this will reduce the onion leakage through the DNS system [1].
>
> Well, maybe not "entirely". Cf. below.

Tangential aside: Chrome currently has a bug open in that it does not yet
support onion certificates:

https://code.google.com/p/chromium/issues/detail?id=483614

The Onion RFC lays a burden on DNS to NXDOMAIN onion lookups. It says
nothing about having browsers block them.

Perhaps the better thing for Tor adoption is - privacy purism enforced by
TBB aside - to enable adoption. Allow (encourage?) non-TBB browsers to be
capable of using Onions.

Roger, after all, stood up movingly at the Aaron Swartz memorial and spoke
of letting people pick the security that _they_ wanted, when connecting to
a site. This would, I feel, accord with that position.

- alec

ps:

> It might be a better idea to point them to tor2web. For one thing
> browser providers will be happier with a display that doesn't directly
> tell people they need a different browser to get to an intended
> address.

Pointing people at tor2web would break SSL, but see this thread, which is
a side-show to the larger "how can we get personal onion addresses"
discussion:

https://twitter.com/AlecMuffett/status/658440124624183296

> The display could say something like:
>
> Oops, seems like you attempted to visit an onion address, a
> specialized address that provides additional security for
> connections to it. The site can be reached via proxy at
> [tor2web-link-to-relevant-onionsite]. To obtain the intended
> security for access to such sites, follow <A HREF=
> "[link-to-page-w-brief-simple-explanation-n-prominent-link-to-download-TBB]">
> these few simple steps</A> .
>
> No doubt some wordsmithing could make this better in various respects
> (amongst them, shorter).

Phishing-potential in such dialogues, here?

-a

>
>> What else could we do here? And is there anyone who can lobby for the right
>> behavior? :)
>>
>> Of course, we all know that inevitably those browsers will need
>> to bundle Tor, if they want to visit the actually secure onion
>> Internet. But let's give them a bit more time till they realize this
>> :)
>
> I think something like the above improves the transition path, helping
> the world along to better security instead of just waiting for the
> world to catch up. (And in any case, perhaps at least a few more
> months' work would better prepare us for the resulting attention.)
>
> aloha,
> Paul
>
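The point Alec makes about the RFC placing the NXDOMAIN burden on the DNS rather than on browsers, and George's concern about onion names leaking through the DNS system, both come down to the same client-side check. The following is an added example, not code from this thread or from Tor: it assumes the "Onion RFC" referred to is RFC 7686, which requires stub resolvers and applications to recognise names under .onion and never forward them to the DNS. It shows that recognition as a guard in front of an upstream resolver (so no .onion query leaves the host), and as a URL-level classifier a browser could consult before any network activity, leaving the user-facing choice (refuse, explain, or hand off) to the application. The hostnames and the fake upstream resolver are constructed for the example.

```python
"""Client-side handling of .onion names (added example; assumes RFC 7686)."""
from urllib.parse import urlsplit

ONION_TLD = "onion"


class NxDomain(LookupError):
    """Raised locally for .onion names, standing in for the NXDOMAIN
    that RFC 7686 asks resolvers to return without consulting the DNS."""


def is_onion_name(host: str) -> bool:
    """Return True if host is '.onion' itself or any name beneath it.

    Case-insensitive and tolerant of a trailing root dot. A name whose
    last label is empty ('' or '.') is not an onion name.
    """
    labels = host.rstrip(".").lower().split(".")
    return labels[-1] == ONION_TLD


def resolve(name: str, upstream):
    """Guard placed in front of an upstream resolver.

    `upstream` is any callable taking a name and returning an answer.
    Names under .onion are refused here, so the query never reaches
    the network; everything else is passed through unchanged.
    """
    if is_onion_name(name):
        raise NxDomain(name)
    return upstream(name)


def classify_url(url: str) -> str:
    """Browser-level decision for a URL, taken before any DNS or TCP work.

    Returns 'onion' for .onion hosts (how to present that is up to the
    application), 'plain' for any other host, and 'invalid' when no host
    can be parsed (e.g. a bare name with no scheme).
    """
    host = urlsplit(url).hostname  # already lowercased; None if no netloc
    if not host:
        return "invalid"
    return "onion" if is_onion_name(host) else "plain"


def audit(names):
    """Run a batch of lookups through the guard.

    Returns (answered, refused, sent_upstream). The third list is every
    name that actually reached the resolver; with the guard in place it
    never contains a .onion name.
    """
    sent = []

    def fake_upstream(name):
        # Constructed stand-in for a real resolver: records what it was
        # asked and answers with an RFC 5737 documentation address.
        sent.append(name)
        return "192.0.2.1"

    answered, refused = [], []
    for name in names:
        try:
            resolve(name, fake_upstream)
            answered.append(name)
        except NxDomain:
            refused.append(name)
    return answered, refused, sent


# Constructed sample lookups; the .onion names are placeholders, not real sites.
SAMPLE_LOOKUPS = [
    "www.torproject.org",
    "aaaaaaaaaaaaaaaa.onion",
    "EXAMPLE.ONION.",   # mixed case plus trailing root dot
    "onion.example",    # 'onion' as a non-final label is an ordinary name
    "onion",            # the special-use name itself
]

if __name__ == "__main__":
    answered, refused, sent = audit(SAMPLE_LOOKUPS)
    print("answered        :", answered)
    print("refused locally :", refused)
    print("reached upstream:", sent)
    for url in ("https://aaaaaaaaaaaaaaaa.onion/", "https://onion.example/",
                "aaaaaaaaaaaaaaaa.onion"):
        print(url, "->", classify_url(url))
```

Running it shows the two sides of the thread's disagreement in one place: the resolver guard alone stops the DNS leak, and `classify_url` gives the browser a hook to decide separately what to tell the user, which is the part the RFC leaves open.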
_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
