Hello,
as you might know, the IETF recently decided to formally recognize .onion names as special-use domain names [0].
This means that normal browsers like Chrome and Firefox can now handle onion domains in a special manner since they know that they only correspond to Tor.
How would we like those browsers to treat onions?
For starters, those browsers should refuse to connect to onion domains entirely. Onions don't work on normal browsers anyway, and also this will reduce the onion leakage through the DNS system [1].
An extra measure would be to persuade those browser vendors to display some sort of message to poor people who click onions using their normal browser. For example they could display:
Oops, seems like you visited an onion link. You need a special anonymous browser for this: www.torproject.org
What else could we do here? And is there anyone who can lobby for the right behavior? :)
Of course, we all know that inevitably those browsers will need to bundle Tor, if they want to visit the actually secure onion Internet. But let's give them a bit more time till they realize this :)
Cheers!
[0]: https://blog.torproject.org/blog/landmark-hidden-services-onion-names-reserv... https://www.rfc-editor.org/rfc/rfc7686.txt https://www.iana.org/assignments/special-use-domain-names/special-use-domain...
On Mon, Nov 02, 2015 at 09:05:26PM +0200, George Kadianakis wrote:
> Hello,
> as you might know, the IETF recently decided to formally recognize .onion names as special-use domain names [0].
> This means that normal browsers like Chrome and Firefox can now handle onion domains in a special manner since they know that they only correspond to Tor.
> How would we like those browsers to treat onions?
> For starters, those browsers should refuse to connect to onion domains entirely. Onions don't work on normal browsers anyway, and also this will reduce the onion leakage through the DNS system [1].
Well, maybe not "entirely". Cf. below.
> An extra measure would be to persuade those browser vendors to display some sort of message to poor people who click onions using their normal browser. For example they could display:
> Oops, seems like you visited an onion link. You need a special anonymous browser for this: www.torproject.org
It might be a better idea to point them to tor2web. For one thing browser providers will be happier with a display that doesn't directly tell people they need a different browser to get to an intended address. The display could say something like:
Oops, seems like you attempted to visit an onion address, a specialized address that provides additional security for connections to it. The site can be reached via proxy at [tor2web-link-to-relevant-onionsite]. To obtain the intended security for access to such sites, follow <A HREF= "[link-to-page-w-brief-simple-explanation-n-prominent-link-to-download-TBB]"> these few simple steps</A> .
No doubt some wordsmithing could make this better in various respects (amongst them, shorter).
> What else could we do here? And is there anyone who can lobby for the right behavior? :)
> Of course, we all know that inevitably those browsers will need to bundle Tor, if they want to visit the actually secure onion Internet. But let's give them a bit more time till they realize this :)
I think something like the above improves the transition path, helping the world along to better security instead of just waiting for the world to catch up. (And in any case, perhaps at least a few more months' work would better prepare us for the resulting attention.)
aloha, Paul
> Cheers!
> https://www.rfc-editor.org/rfc/rfc7686.txt https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
On Nov 2, 2015, at 20:39, Paul Syverson paul.syverson@nrl.navy.mil wrote:
> On Mon, Nov 02, 2015 at 09:05:26PM +0200, George Kadianakis wrote:
>> Hello,
>> as you might know, the IETF recently decided to formally recognize .onion names as special-use domain names [0].
>> This means that normal browsers like Chrome and Firefox can now handle onion domains in a special manner since they know that they only correspond to Tor.
>> How would we like those browsers to treat onions?
>> For starters, those browsers should refuse to connect to onion domains entirely. Onions don't work on normal browsers anyway, and also this will reduce the onion leakage through the DNS system [1].
> Well, maybe not "entirely". Cf. below.
Tangential aside: Chrome currently has a bug open in that it does not yet support onion certificates:
https://code.google.com/p/chromium/issues/detail?id=483614
The Onion RFC lays a burden on DNS to NXDOMAIN onion lookups.
It says nothing about having browsers block them.
Perhaps the better thing for Tor adoption is - privacy purism enforced by TBB aside - to enable adoption.
Allow (encourage?) non-TBB browsers to be capable of using Onions.
Roger, after all, stood up movingly at the Aaron Swartz memorial and spoke of letting people pick the security that _they_ wanted, when connecting to a site.
This would, I feel, accord with that position.
- alec
ps:
> It might be a better idea to point them to tor2web. For one thing browser providers will be happier with a display that doesn't directly tell people they need a different browser to get to an intended address.
Pointing people at tor2web would break SSL, but see this thread, which is a side-show to the larger "how can we get personal onion addresses" discussion: https://twitter.com/AlecMuffett/status/658440124624183296
> The display could say something like:
> Oops, seems like you attempted to visit an onion address, a specialized address that provides additional security for connections to it. The site can be reached via proxy at [tor2web-link-to-relevant-onionsite]. To obtain the intended security for access to such sites, follow <A HREF= "[link-to-page-w-brief-simple-explanation-n-prominent-link-to-download-TBB]"> these few simple steps</A> .
> No doubt some wordsmithing could make this better in various respects (amongst them, shorter).
Phishing-potential in such dialogues, here?
-a
>> What else could we do here? And is there anyone who can lobby for the right behavior? :)
>> Of course, we all know that inevitably those browsers will need to bundle Tor, if they want to visit the actually secure onion Internet. But let's give them a bit more time till they realize this :)
> I think something like the above improves the transition path, helping the world along to better security instead of just waiting for the world to catch up. (And in any case, perhaps at least a few more months' work would better prepare us for the resulting attention.)
> aloha, Paul
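The two enforcement points discussed in this thread (a browser refusing to connect to .onion names so they never leak into DNS, and a resolver answering NXDOMAIN for them as RFC 7686 asks) can be sketched as a small client-side check. The following is an added example written for this page, not code from the thread, Tor Browser, or any browser vendor; the hostnames, the `torAvailable` flag and the `upstream` callback are constructed assumptions for illustration.

```javascript
// Added example (not from the tor-dev thread): RFC 7686 handling of .onion
// names at two points in a client, the navigation layer and the name
// resolution layer. All hostnames below are constructed for illustration.

// RFC 7686 reserves ".onion" and every name under it. The comparison is
// case-insensitive and a trailing dot (fully-qualified form) still matches.
function isOnionName(hostname) {
  if (typeof hostname !== "string") return false;
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === "onion" || h.endsWith(".onion");
}

// Navigation-layer decision: refuse to connect when no Tor client is
// available, so the name is never handed to the DNS resolver, and tell the
// user why (the message text is a placeholder, not a vendor's wording).
function decideNavigation(urlString, torAvailable = false) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { action: "error", reason: "invalid URL" };
  }
  if (!isOnionName(url.hostname)) {
    return { action: "connect", host: url.hostname };
  }
  if (torAvailable) {
    return { action: "connect-via-tor", host: url.hostname };
  }
  return {
    action: "block",
    host: url.hostname,
    message: "This is a .onion address; it can only be reached through Tor. See https://www.torproject.org/",
  };
}

// Resolver-layer decision (RFC 7686 section 2, stub resolver / DNS API):
// answer NXDOMAIN locally for any .onion query instead of forwarding it.
// `upstream` is an assumed callback that performs the real lookup.
function resolveName(qname, upstream) {
  if (isOnionName(qname)) {
    return { rcode: "NXDOMAIN", forwarded: false };
  }
  return { rcode: "NOERROR", forwarded: true, answer: upstream(qname) };
}

// Usage with constructed names:
console.log(decideNavigation("http://abcdefghijklmnop.onion/"));
console.log(resolveName("abcdefghijklmnop.onion", (n) => "192.0.2.1"));
```

Both checks are deliberately made from the same `isOnionName` predicate, so a browser that blocks the navigation and a stub resolver that short-circuits the query agree on what counts as an onion name; the `upstream` callback throwing in the test below is the easiest way to prove the query never left the host.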
George Kadianakis:
> Hello,
> as you might know, the IETF recently decided to formally recognize .onion names as special-use domain names [0].
> This means that normal browsers like Chrome and Firefox can now handle onion domains in a special manner since they know that they only correspond to Tor.
> How would we like those browsers to treat onions?
mnot has some ideas: https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 And I guess it is quite probable that commenting on that bug could shape how that feature will be implemented in Firefox. (bonus points for a patch ;) )
Georg