[prev in list] [next in list] [prev in thread] [next in thread]
List: https-everywhere
Subject: Re: [HTTPS-Everywhere] "darkweb everywhere" extension
From: Nick Semenkovich <nick () semenkovich ! com>
Date: 2014-11-03 16:53:58
Message-ID: CAJKgmrW5kuOxWLAe_3NVP3WCoy0pCdWu9E3Da6m=+8XUnzRdTA () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
This is a great idea! Any thoughts on extending parts of this to Chrome?
I understand there are significant issues with Chrome & Tor, though I also
think making Tor more visible and accessible to end-users is a good goal.
Some options:
- Flashing the HTTPSe icon when a .onion site is available (or showing
another symbol, etc.)
- Allow one-click to tor2web (this has some broader implications ... I
worry users would think they were somehow anonymous using tor2web)
- Nick
[1]
https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting
On Mon, Nov 3, 2014 at 7:08 AM, Alex Xu <alex_y_xu@yahoo.ca> wrote:
> On 03/11/14 12:48 AM, yan wrote:
> > +tor-dev. tl;dr: Would be nice if there were an HTTP response header
> > that allows HTTPS servers to indicate their .onion domain names so that
> > HTTPS Everywhere can automatically redirect to the .onion version in the
> > future if the user chooses a "use THS when available" preference.
> >
> > I imagine the header semantics and processing would be similar to HSTS.
> > It would only be noted when sent over TLS and have the max-age and
> > include-subdomains fields.
> >
> > -yan
> >
> > yan wrote:
> >> Hi all,
> >>
> >> Some people have requested for the "Darkweb Everywhere" extension [1] to
> >> be integrated into HTTPS Everywhere. This is an extension for Tor
> >> Browser that redirects users to the Tor Hidden Service version of a
> >> website when possible.
> >>
> >> I'm supportive of the idea; however, I'm worried that since .onion
> >> domain names are usually unrelated to a site's regular domain name, a
> >> malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only
> >> defends against this by publishing a doc in their Github repo that cites
> >> evidence for each ruleset [2].
> >>
> >> What if, instead, we asked website owners to send an HTTP header that
> >> indicates the Tor Hidden Service version of their website? Then HTTPS
> >> Everywhere could cache the result (like HSTS) and redirect to the THS
> >> version automatically in the future if the user opts-in.
> >>
> >> If this is something that EFF/Tor would be willing to advocate for, I
> >> would be happy to draft a specification for the header syntax and
> >> intended UA behavior.
> >>
> >> Thanks,
> >> Yan
> >>
> >>
> >> [1] https://github.com/chris-barry/darkweb-everywhere/
> >> [2]
> >>
> https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md
> >> _______________________________________________
> >> HTTPS-Everywhere mailing list
> >> HTTPS-Everywhere@lists.eff.org
> >> https://lists.eff.org/mailman/listinfo/https-everywhere
> >>
> >
> > _______________________________________________
> > HTTPS-Everywhere mailing list
> > HTTPS-Everywhere@lists.eff.org
> > https://lists.eff.org/mailman/listinfo/https-everywhere
> >
>
> https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html
>
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere@lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere
>
--
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/
[Attachment #5 (text/html)]
<div dir="ltr">This is a great idea! Any thoughts on extending parts of this to \
Chrome?<div><br></div><div>I understand there are significant issues with Chrome \
& Tor, though I also think making Tor more visible and accessible to end-users is \
a good goal.<br></div><div><br></div><div>Some options:</div><div>- Flashing the \
HTTPSe icon when a .onion site is available (or showing another symbol, \
etc.)</div><div>- Allow one-click to tor2web (this has some broader implications ... \
I worry users would think they were somehow anonymous using \
tor2web)</div><div><div><br></div><div>- Nick</div><div><br></div><div>[1] <a \
href="https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprin \
ting">https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting</a></div><div \
class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 3, 2014 at 7:08 AM, Alex \
Xu <span dir="ltr"><<a href="mailto:alex_y_xu@yahoo.ca" \
target="_blank">alex_y_xu@yahoo.ca</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div \
class=""><div class="h5">On 03/11/14 12:48 AM, yan wrote:<br> > +tor-dev. tl;dr: \
Would be nice if there were an HTTP response header<br> > that allows HTTPS \
servers to indicate their .onion domain names so that<br> > HTTPS Everywhere can \
automatically redirect to the .onion version in the<br> > future if the user \
chooses a "use THS when available" preference.<br> ><br>
> I imagine the header semantics and processing would be similar to HSTS.<br>
> It would only be noted when sent over TLS and have the max-age and<br>
> include-subdomains fields.<br>
><br>
> -yan<br>
><br>
> yan wrote:<br>
>> Hi all,<br>
>><br>
>> Some people have requested for the "Darkweb Everywhere" extension \
[1] to<br> >> be integrated into HTTPS Everywhere. This is an extension for \
Tor<br> >> Browser that redirects users to the Tor Hidden Service version of \
a<br> >> website when possible.<br>
>><br>
>> I'm supportive of the idea; however, I'm worried that since \
.onion<br> >> domain names are usually unrelated to a site's regular domain \
name, a<br> >> malicious ruleset would be hard to detect. AFAIK Darkweb \
Everywhere only<br> >> defends against this by publishing a doc in their Github \
repo that cites<br> >> evidence for each ruleset [2].<br>
>><br>
>> What if, instead, we asked website owners to send an HTTP header that<br>
>> indicates the Tor Hidden Service version of their website? Then HTTPS<br>
>> Everywhere could cache the result (like HSTS) and redirect to the THS<br>
>> version automatically in the future if the user opts-in.<br>
>><br>
>> If this is something that EFF/Tor would be willing to advocate for, I<br>
>> would be happy to draft a specification for the header syntax and<br>
>> intended UA behavior.<br>
>><br>
>> Thanks,<br>
>> Yan<br>
>><br>
>><br>
>> [1] <a href="https://github.com/chris-barry/darkweb-everywhere/" \
target="_blank">https://github.com/chris-barry/darkweb-everywhere/</a><br> >> \
[2]<br> >> <a href="https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md" \
target="_blank">https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md</a><br>
>> _______________________________________________<br>
>> HTTPS-Everywhere mailing list<br>
>> <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>
>> <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" \
target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br> \
>><br> ><br>
> _______________________________________________<br>
> HTTPS-Everywhere mailing list<br>
> <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>
> <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" \
target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br> \
><br> <br>
</div></div><a href="https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html" \
target="_blank">https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html</a><br>
<br>
<br>_______________________________________________<br>
HTTPS-Everywhere mailing list<br>
<a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>
<a href="https://lists.eff.org/mailman/listinfo/https-everywhere" \
target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br></blockquote></div><br><br \
clear="all"><div><br></div>-- <br><div class="gmail_signature">Nick \
Semenkovich<br>Laboratory of Dr. Jeffrey I. Gordon<br>Medical Scientist Training \
Program<br>School of Medicine<br>Washington University in St. Louis<br><a \
href="https://nick.semenkovich.com/" \
target="_blank">https://nick.semenkovich.com/</a></div> </div></div></div>
_______________________________________________
HTTPS-Everywhere mailing list
HTTPS-Everywhere@lists.eff.org
https://lists.eff.org/mailman/listinfo/https-everywhere
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic