[prev in list] [next in list] [prev in thread] [next in thread] 

List:       https-everywhere
Subject:    Re: [HTTPS-Everywhere] "darkweb everywhere" extension
From:       Nick Semenkovich <nick () semenkovich ! com>
Date:       2014-11-03 16:53:58
Message-ID: CAJKgmrW5kuOxWLAe_3NVP3WCoy0pCdWu9E3Da6m=+8XUnzRdTA () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


This is a great idea! Any thoughts on extending parts of this to Chrome?

I understand there are significant issues with Chrome & Tor, though I also
think making Tor more visible and accessible to end-users is a good goal.

Some options:
- Flashing the HTTPSe icon when a .onion site is available (or showing
another symbol, etc.)
- Allow one-click to tor2web (this has some broader implications ... I
worry users would think they were somehow anonymous using tor2web)

- Nick

[1]
https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting

On Mon, Nov 3, 2014 at 7:08 AM, Alex Xu <alex_y_xu@yahoo.ca> wrote:

> On 03/11/14 12:48 AM, yan wrote:
> > +tor-dev. tl;dr: Would be nice if there were an HTTP response header
> > that allows HTTPS servers to indicate their .onion domain names so that
> > HTTPS Everywhere can automatically redirect to the .onion version in the
> > future if the user chooses a "use THS when available" preference.
> >
> > I imagine the header semantics and processing would be similar to HSTS.
> > It would only be noted when sent over TLS and have the max-age and
> > include-subdomains fields.
> >
> > -yan
> >
> > yan wrote:
> >> Hi all,
> >>
> >> Some people have requested for the "Darkweb Everywhere" extension [1] to
> >> be integrated into HTTPS Everywhere. This is an extension for Tor
> >> Browser that redirects users to the Tor Hidden Service version of a
> >> website when possible.
> >>
> >> I'm supportive of the idea; however, I'm worried that since .onion
> >> domain names are usually unrelated to a site's regular domain name, a
> >> malicious ruleset would be hard to detect. AFAIK Darkweb Everywhere only
> >> defends against this by publishing a doc in their Github repo that cites
> >> evidence for each ruleset [2].
> >>
> >> What if, instead, we asked website owners to send an HTTP header that
> >> indicates the Tor Hidden Service version of their website? Then HTTPS
> >> Everywhere could cache the result (like HSTS) and redirect to the THS
> >> version automatically in the future if the user opts-in.
> >>
> >> If this is something that EFF/Tor would be willing to advocate for, I
> >> would be happy to draft a specification for the header syntax and
> >> intended UA behavior.
> >>
> >> Thanks,
> >> Yan
> >>
> >>
> >> [1] https://github.com/chris-barry/darkweb-everywhere/
> >> [2]
> >>
> https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md
> >> _______________________________________________
> >> HTTPS-Everywhere mailing list
> >> HTTPS-Everywhere@lists.eff.org
> >> https://lists.eff.org/mailman/listinfo/https-everywhere
> >>
> >
> > _______________________________________________
> > HTTPS-Everywhere mailing list
> > HTTPS-Everywhere@lists.eff.org
> > https://lists.eff.org/mailman/listinfo/https-everywhere
> >
>
> https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html
>
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere@lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere
>



-- 
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/

[Attachment #5 (text/html)]

<div dir="ltr">This is a great idea! Any thoughts on extending parts of this to \
Chrome?<div><br></div><div>I understand there are significant issues with Chrome \
&amp; Tor, though I also think making Tor more visible and accessible to end-users is \
a good goal.<br></div><div><br></div><div>Some options:</div><div>- Flashing the \
HTTPSe icon when a .onion site is available (or showing another symbol, \
etc.)</div><div>- Allow one-click to tor2web (this has some broader implications ... \
I worry users would think they were somehow anonymous using \
tor2web)</div><div><div><br></div><div>- Nick</div><div><br></div><div>[1] <a \
href="https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprin \
ting">https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting</a></div><div \
class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 3, 2014 at 7:08 AM, Alex \
Xu <span dir="ltr">&lt;<a href="mailto:alex_y_xu@yahoo.ca" \
target="_blank">alex_y_xu@yahoo.ca</a>&gt;</span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div \
class=""><div class="h5">On 03/11/14 12:48 AM, yan wrote:<br> &gt; +tor-dev. tl;dr: \
Would be nice if there were an HTTP response header<br> &gt; that allows HTTPS \
servers to indicate their .onion domain names so that<br> &gt; HTTPS Everywhere can \
automatically redirect to the .onion version in the<br> &gt; future if the user \
chooses a &quot;use THS when available&quot; preference.<br> &gt;<br>
&gt; I imagine the header semantics and processing would be similar to HSTS.<br>
&gt; It would only be noted when sent over TLS and have the max-age and<br>
&gt; include-subdomains fields.<br>
&gt;<br>
&gt; -yan<br>
&gt;<br>
&gt; yan wrote:<br>
&gt;&gt; Hi all,<br>
&gt;&gt;<br>
&gt;&gt; Some people have requested for the &quot;Darkweb Everywhere&quot; extension \
[1] to<br> &gt;&gt; be integrated into HTTPS Everywhere. This is an extension for \
Tor<br> &gt;&gt; Browser that redirects users to the Tor Hidden Service version of \
a<br> &gt;&gt; website when possible.<br>
&gt;&gt;<br>
&gt;&gt; I&#39;m supportive of the idea; however, I&#39;m worried that since \
.onion<br> &gt;&gt; domain names are usually unrelated to a site&#39;s regular domain \
name, a<br> &gt;&gt; malicious ruleset would be hard to detect. AFAIK Darkweb \
Everywhere only<br> &gt;&gt; defends against this by publishing a doc in their Github \
repo that cites<br> &gt;&gt; evidence for each ruleset [2].<br>
&gt;&gt;<br>
&gt;&gt; What if, instead, we asked website owners to send an HTTP header that<br>
&gt;&gt; indicates the Tor Hidden Service version of their website? Then HTTPS<br>
&gt;&gt; Everywhere could cache the result (like HSTS) and redirect to the THS<br>
&gt;&gt; version automatically in the future if the user opts-in.<br>
&gt;&gt;<br>
&gt;&gt; If this is something that EFF/Tor would be willing to advocate for, I<br>
&gt;&gt; would be happy to draft a specification for the header syntax and<br>
&gt;&gt; intended UA behavior.<br>
&gt;&gt;<br>
&gt;&gt; Thanks,<br>
&gt;&gt; Yan<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; [1] <a href="https://github.com/chris-barry/darkweb-everywhere/" \
target="_blank">https://github.com/chris-barry/darkweb-everywhere/</a><br> &gt;&gt; \
[2]<br> &gt;&gt; <a href="https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md" \
target="_blank">https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md</a><br>
 &gt;&gt; _______________________________________________<br>
&gt;&gt; HTTPS-Everywhere mailing list<br>
&gt;&gt; <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>
 &gt;&gt; <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" \
target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br> \
&gt;&gt;<br> &gt;<br>
&gt; _______________________________________________<br>
&gt; HTTPS-Everywhere mailing list<br>
&gt; <a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>
 &gt; <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" \
target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br> \
&gt;<br> <br>
</div></div><a href="https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html" \
target="_blank">https://lists.torproject.org/pipermail/tor-talk/2014-May/032906.html</a><br>
 <br>
<br>_______________________________________________<br>
HTTPS-Everywhere mailing list<br>
<a href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a><br>
 <a href="https://lists.eff.org/mailman/listinfo/https-everywhere" \
target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br></blockquote></div><br><br \
clear="all"><div><br></div>-- <br><div class="gmail_signature">Nick \
Semenkovich<br>Laboratory of Dr. Jeffrey I. Gordon<br>Medical Scientist Training \
Program<br>School of Medicine<br>Washington University in St. Louis<br><a \
href="https://nick.semenkovich.com/" \
target="_blank">https://nick.semenkovich.com/</a></div> </div></div></div>



_______________________________________________
HTTPS-Everywhere mailing list
HTTPS-Everywhere@lists.eff.org
https://lists.eff.org/mailman/listinfo/https-everywhere

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic