Add HTTP Onion-Location header to inform browsers about the onion service #2847
Comments
@alecmuffett @jonaharagon: Within @globaleaks we are considering using alt-svc and onion-location headers (#2846, #2847). I just read your previous articles on the topic and I would like to know your advice: https://write.privacytools.io/jonah/securing-services-with-tor-and-alt-svc Currently GlobaLeaks can run both a Tor Onion Service V3 and an HTTPS service on a regular website, and we are implementing server-side detection of users reaching the site via an exit node, to redirect them to the onion service. I would like to get your opinion on:
Do you have any feedback? What is your advice to implement it all properly, and which side effects do you identify? Thank you!
Thank you @jonaharagon!
For the moment we have opted for keeping the server-side redirect based on the IP of the client and we have implemented as the Onion-Location header. We have considered instead to not implement the Alt-Svc header due to undefined policies of choice, especially for onion services. In fact, in our use case the onion service would have to be preferred and the user forcefully redirected to it, while in the Tor Browser it seems that the browser is randomly picking one of the alternatives, with the effect that sometimes the browser continues to use the HTTPS alternative instead of the onion service.
No, but the CAB Forum finally decided to allow DV .onion certificates, so they technically are allowed to for the first time. Who knows when they actually will offer them, but I’m sure they will eventually now that they have the option.
(Hello GL team, let me know if you need any help or internal info about onions here).
Thank you @asn-d6! Welcome here! Actually your input would be definitely helpful: your advice on which is the preference that TBB is going to give to the different headers (Onion-Location/Alt-Svc) and which are your recommendations of use in the context of GlobaLeaks.
Hello Giovanni, WRT what you should use for globaleaks, I think it's up to what you prefer. If you want the onion address destination to be visible and the user to be informed of this redirection, then you should use onion-location, otherwise you should use alt-svc. Also, Let's Encrypt certificates for onions will be kinda late because of limited bandwidth from the LE team wrt this problem. (Also, feel free to CC me in any other tickets that need attention from Tor people)
Thank you. Yes we are interested in knowing the I found that alt-svc is badly defined and works well only for aspects of load balancing, as analyzed by @alecmuffett, but actually in relation to security the priority is not well defined (by order of alternatives? by security of the alternatives? etc.). For this reason at the current moment we implemented only onion-location, preferring explicit redirect as you say, and we use it exactly like a Location header by redirecting to the home page of the app. P.S. Thank you for your support, it is really, really appreciated and I will for sure take the chance to tag you on other relevant tickets.
So in principle Did that answer your question? If you meant the priority of different
The Tor Browser supports a non-standard HTTP header that enables a server to advise browsers about the existence of an onion service corresponding to a regular HTTPS resource.
This could be used in order to inform browsers about the existence of the onion service and implement automatic redirection with the best support offered by the Tor Browser.
https://trac.torproject.org/projects/tor/ticket/27502
https://trac.torproject.org/projects/tor/ticket/32256
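
A sketch of the server-side decision discussed in this issue, added here as an example and not taken from the GlobaLeaks code base: it emits `Onion-Location` pointing at the home page of the onion service only when the response is served over HTTPS from the non-onion site, and only if the configured v3 hostname passes the checksum defined in Tor's v3 onion service specification. The function names and the sample key are hypothetical, and the HTTPS-only and not-already-onion conditions come from the Tor Project's Onion-Location documentation rather than from this thread.

```python
import base64
import hashlib


def make_v3_onion(pubkey: bytes) -> str:
    """Encode a 32-byte public key as a v3 hostname (only used to build sample input)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def is_valid_v3_onion(host: str) -> bool:
    """Check label length, base32 alphabet, version byte and checksum."""
    label, sep, tld = host.lower().rpartition(".")
    if not sep or tld != "onion" or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected


def onion_location_header(scheme: str, request_host: str, onion_host: str) -> dict:
    """Return the header to add to a response, or {} when it must not be sent."""
    if scheme != "https":
        return {}  # the header is only honoured on pages served over HTTPS
    if request_host.lower().split(":")[0].rstrip(".").endswith(".onion"):
        return {}  # the client is already on the onion service
    if not is_valid_v3_onion(onion_host):
        return {}  # never advertise a mistyped or truncated address
    # Point at the home page of the onion service, as described in the thread.
    return {"Onion-Location": "http://%s/" % onion_host.lower()}


if __name__ == "__main__":
    sample = make_v3_onion(bytes(range(32)))  # constructed key, not a real service
    print(onion_location_header("https", "example.org", sample))
```
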