Happy Friday!
Obligatory Onion tip: if you are running a public/onion hybrid site, you probably want to block Tor2web.
This may sound weird ("zomg block!") but since you are already on both networks, there is risk and there isn't much benefit to being accessible via Tor2web.
We actually worked with Fabio/naif from Tor2web to achieve this, to keep people safer: https://github.com/globaleaks/Tor2web/issues/162
The block is simple: deny (with a helpful message) Onion requests which contain a 'X-Tor2web' header; see the SecureDrop discussion at https://github.com/freedomofpress/securedrop/issues/43 for more context.
Whether your message issues or offers a redirect link is a matter of taste. We chose not to.
The block is reinforced by those sites which are able to obtain an EV Onion certificate, which hampers use from uncertificated domains.
-a
tor-onions@lists.torproject.org
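
One way to implement the header check described in the post, as a WSGI middleware. This is an added example, not code from the post, Tor2web or SecureDrop; the message wording, the `site` application and the `probe` helper are assumptions made for illustration, and the check is applied to every request the wrapped app receives.

```python
from wsgiref.util import setup_testing_defaults

# Constructed wording: the post only says the denial carries a helpful message.
DENIED_BODY = (
    b"This site does not accept requests relayed through Tor2web.\n"
    b"Open the onion address in Tor Browser instead.\n"
)


class BlockTor2web:
    """WSGI middleware that denies any request carrying an X-Tor2web header."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # WSGI exposes the request header X-Tor2web as HTTP_X_TOR2WEB.
        # Presence alone triggers the block; the value is not inspected.
        if "HTTP_X_TOR2WEB" in environ:
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(DENIED_BODY))),
                ("Cache-Control", "no-store"),  # ask intermediaries not to store it
            ])
            return [DENIED_BODY]  # plain message, no redirect link
        return self.app(environ, start_response)


def site(environ, start_response):
    """Hypothetical stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"hello\n"]


def probe(app, **extra_environ):
    """Send one constructed GET through `app`; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra_environ)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    wrapped = BlockTor2web(site)
    print(probe(wrapped))                      # direct request
    print(probe(wrapped, HTTP_X_TOR2WEB="1"))  # constructed gateway request
```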