Michael Wolf:
> On 5/14/2014 4:23 AM, Mike Cardwell wrote:
>> * on the Tue, May 13, 2014 at 08:51:28PM -0400, Michael Wolf wrote:
>>> I had an idea recently that might be an improvement (or might not?) on
>>> the darkweb-everywhere concept. What if we introduced an HTTP header
>>> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
>>> sites that wished to advertise their .onion address? Just like HSTS,
>>> the header would only be acted upon if received over HTTPS (we don't
>>> want malicious parties injecting headers and redirecting people).
>>> Future versions of TBB could perhaps automatically redirect users to the
>>> .onion site when this header is present, or perhaps prompt users to
>>> inform them of the hidden service.
>>
>> I would prefer it if the people who run websites with hidden service
>> alternatives would simply check if the client IP is a Tor exit node,
>> and then advertise the availability of the hidden service to such
>> users inside the actual website.
>>
>> This wouldn't be that difficult either. We have the Tor DNSEL, and
>> there are also a few Apache modules which allow you to perform DNSBL
>> style lookups on the client IP and perform different actions based on
>> the result, such as setting environment variables/headers etc.
>>
>
> Adding a header is one line in an .htaccess file for Apache. It's one
> line in a configuration file for nginx as well. The instructions for
> telling people to add this header would be the same for every site using
> Apache/nginx, respectively. 'Simply check[ing] if the client IP is a
> Tor exit node, and then advertis[ing] the availability of the hidden
> service to such users' is not nearly as simple (definitely not a
> 'one-liner'), and would require a unique/custom solution for nearly
> every site.
>
> Checking for exit node IP addresses can also fail. Records are not
> always fresh, some exit nodes use a different IP address for incoming
> vs. outgoing traffic, and some users may be using a VPN after tor (even
> if it is a bad idea), giving a false negative. The header has none of
> these problems. The header is a simple advertisement that the site
> offers its content at an .onion domain. The user agent (or plugin) is
> free to use or ignore this information as it pleases. It's simple, it
> doesn't fail, and it doesn't require additional interaction with a third
> party (no DNS requests leaking who is connecting to a site...).

Good you mention it. Nonetheless, Mike Cardwell's is still of interest to me.

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
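
The client-side rule proposed in the thread (act on `X-Onion-Address` only when it arrives over HTTPS), as an added example that is not part of the original messages or of any Tor Browser code. It goes beyond the thread by also validating the advertised value as a bare .onion hostname, including the checksum of the later 56-character v3 format. The function names are hypothetical, and the header name is the thread's proposal, not a deployed standard.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

HEADER = "x-onion-address"   # name proposed in the thread (assumption, not a standard)
V2_LABEL = re.compile(r"[a-z2-7]{16}")   # legacy form, current when the thread was written
V3_LABEL = re.compile(r"[a-z2-7]{56}")   # later form: pubkey + checksum + version


def v3_checksum_ok(label: str) -> bool:
    """Verify the checksum and version byte embedded in a v3 onion label."""
    raw = base64.b32decode(label.upper())      # 32B pubkey, 2B checksum, 1B version
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected


def valid_onion_host(value: str) -> bool:
    """Accept only a bare hostname: no scheme, path, port or subdomain."""
    host = value.strip().lower()
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")]
    if V2_LABEL.fullmatch(label):
        return True
    return bool(V3_LABEL.fullmatch(label)) and v3_checksum_ok(label)


def advertised_onion(url: str, headers: list):
    """Return the onion host to offer the user, or None to ignore the header.

    `headers` is a list of (name, value) pairs so duplicates stay visible.
    """
    if urlsplit(url).scheme.lower() != "https":
        return None      # a plaintext response can be modified in transit
    values = [v for k, v in headers if k.lower() == HEADER]
    if len(values) != 1 or not valid_onion_host(values[0]):
        return None      # missing, duplicated or malformed advertisement
    return values[0].strip().lower()


def make_v3_host(pubkey: bytes) -> str:
    """Build a well-formed v3 hostname from 32 bytes (for constructed samples)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"
```

Returning the host rather than redirecting leaves the choice between automatic redirect and a user prompt, both raised in the thread, to the caller.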
