Hey y'all,
Copying this over from a reply I made to tor-talk (since I mentioned it over in the #tor-onions IRC channel).
Basically 1) confirming that alt-svc does seem to work consistently in newer TBB, and 2) a fun accident in sending an HTTP 302 to folks that get to the onion via alt-svc.
[...] In any case, I did a quick test on propublica.org *not* using cloudflare's built-in onion service feature (since we're running our own with our own EV cert anyway), and wanted to mention it here:
Set `alt-svc: h2="www.propub3r6espa33w.onion:443"; ma=300`, and looks like TBB (8.5a1) actually did silently switch over to using the onion for the connection. As above, there'd generally be no outward indication to the user that this has happened, except I'd actually configured the onion proxying bits (right now running nginx) to throw the browser a 302 redirect to the onion domain if the HTTP Host header isn't the onion domain. So, I'd inadvertently set this up to work where the user actually does get fully redirected over to the onion.
(I've since taken off the alt-svc header, since that was just a quick test and I'll need to figure out if that's behavior we want in lieu of the TBB UI getting an explicit user interaction before moving to the alt-svc. But figured that's worth mentioning for folks who _do_ want to easily make a clearnet domain redir TBB to an onion domain.)
Anyway, that was a fun and awesome surprise. Perhaps should be obvious, but honestly I had no idea how the alt-svc behavior was going to work.
Hopefully this is helpful to others?
-- Mike Tigas https://mike.tig.as/
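The interaction described above, modelled as an added Python example (not code from the post or from ProPublica's setup): Alt-Svc moves the connection to the onion but leaves the origin and Host header unchanged, so the onion-side Host check answers with a 302. The clearnet host name `www.propublica.org`, the function names and the simplified client that adopts the alternative on its very next request are assumptions.

```python
import re
from urllib.parse import urlsplit

ONION = "www.propub3r6espa33w.onion"  # onion host from the post
CLEARNET = "www.propublica.org"       # assumed clearnet host name


def parse_alt_svc(value):
    """Parse an Alt-Svc value (RFC 7838) into a list of alternatives."""
    if value.strip() == "clear":
        return []
    alternatives = []
    for entry in value.split(","):
        first, *params = [p.strip() for p in entry.split(";")]
        m = re.fullmatch(r'([^=\s]+)="([^"]*):(\d+)"', first)
        if not m:
            continue  # skip malformed entries
        opts = dict(p.split("=", 1) for p in params if "=" in p)
        alternatives.append({
            "protocol": m.group(1),
            "host": m.group(2),
            "port": int(m.group(3)),
            "ma": int(opts.get("ma", 86400)),  # RFC 7838 default: 24 hours
        })
    return alternatives


def onion_vhost(host_header, path):
    """Onion-side rule from the post: 302 unless Host is the onion domain."""
    if host_header.lower() != ONION:
        return 302, f"https://{ONION}{path}"
    return 200, None


def trace_requests(path, alt_svc_value):
    """Return (connected_to, Host header, status) for each request in order."""
    # First request goes to the clearnet origin, which serves Alt-Svc.
    trace = [(CLEARNET, CLEARNET, 200)]
    alts = parse_alt_svc(alt_svc_value)
    if not alts:
        return trace
    # Next request is routed to the alternative, but the origin (and so the
    # Host header) is unchanged. That mismatch is what triggers the 302.
    status, location = onion_vhost(CLEARNET, path)
    trace.append((alts[0]["host"], CLEARNET, status))
    if status == 302:
        # Visible redirect: the address bar now shows the onion origin.
        new_origin = urlsplit(location).hostname
        status, _ = onion_vhost(new_origin, path)
        trace.append((new_origin, new_origin, status))
    return trace
```

Dropping the Host check for the clearnet name on the onion-side vhost would remove the middle 302 and leave the switch silent.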
Mike, have you observed the behavior I have seen, of it taking several refreshes for the onion to start being actually used, and in fact occasionally reverting back to clearweb for some fetches?
-a
On Sep 21, 2018, at 7:22 PM, Alec Muffett alec.muffett@gmail.com wrote:
> Mike, have you observed the behavior I have seen, of it taking several refreshes for the onion to start being actually used, and in fact occasionally reverting back to clearweb for some fetches?
https://trac.torproject.org/projects/tor/ticket/27502#comment:2
On Sat, 22 Sep 2018, 00:26 Arlo Breault, arlo@torproject.org wrote:
> https://trac.torproject.org/projects/tor/ticket/27502#comment:2
Awesome! Thanks, Arlo! Is there also a ticket open to work around Arthur's discovery that Firefox Private Mode (and therefore TBB all the time) buries the surfacing of Alt-Used headers?
https://twitter.com/arthuredelstein/status/1042194259368013825
I've worked out a way to work around this somewhat with a custom webserver, but overall it's a pain in the arse.
Thanks!
-a
On Sat, 22 Sep 2018, 00:33 Alec Muffett, alec.muffett@gmail.com wrote:
> Awesome! Thanks, Arlo! Is there also a ticket open to work around Arthur's discovery that Firefox Private Mode (and therefore TBB all the time) buries the surfacing of Alt-Used headers?
Answering my own question: https://trac.torproject.org/projects/tor/ticket/27590 - although it lacks Arthur's insight.
- a
On Fri, Sep 21, 2018 at 7:22 PM Alec Muffett alec.muffett@gmail.com wrote:
> Mike, have you observed the behavior I have seen, of it taking several refreshes for the onion to start being actually used, and in fact occasionally reverting back to clearweb for some fetches?
I didn't, but my testing was relatively limited (and my little discovery meant that only the first request was ever going to the clearnet site anyway, before the browser agent was fully redirected over to the onion, in the address bar and everything).
Did have the web developer panel open and had set Disable Caches — was having some issues before that, which I think were _maybe_ because of some client-facing Cache-Control headers that I'd set.
tor-onions@lists.torproject.org