On Mon, Nov 02, 2015 at 09:05:26PM +0200, George Kadianakis wrote:
Hello,
as you might know, the IETF recently decided to formally recognize .onion names as special-use domain names [0].
This means that normal browsers like Chrome and Firefox can now handle onion domains in a special manner since they know that they only correspond to Tor.
How would we like those browsers to treat onions?
For starters, those browsers should refuse to connect to onion domains entirely. Onions don't work on normal browsers anyway, and also this will reduce the onion leakage through the DNS system [1].
Well, maybe not "entirely". Cf. below.
An extra measure would be to persuade those browser vendors to display some sort of message to poor people who click onions using their normal browser. For example they could display:
Oops, seems like you visited an onion link. You need a special anonymous browser for this: www.torproject.org
It might be a better idea to point them to tor2web. For one thing browser providers will be happier with a display that doesn't directly tell people they need a different browser to get to an intended address. The display could say something like:
Oops, seems like you attempted to visit an onion address, a specialized address that provides additional security for connections to it. The site can be reached via proxy at [tor2web-link-to-relevant-onionsite]. To obtain the intended security for access to such sites, follow <A HREF="[link-to-page-w-brief-simple-explanation-n-prominent-link-to-download-TBB]">these few simple steps</A>.
No doubt some wordsmithing could make this better in various respects (amongst them, shorter).
What else could we do here? And is there anyone who can lobby for the right behavior? :)
Of course, we all know that inevitably those browsers will need to bundle Tor, if they want to visit the actually secure onion Internet. But let's give them a bit more time till they realize this :)
I think something like the above improves the transition path, helping the world along to better security instead of just waiting for the world to catch up. (And in any case, perhaps at least a few more months' work would better prepare us for the resulting attention.)
aloha, Paul
Cheers!
https://www.rfc-editor.org/rfc/rfc7686.txt
https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev