[tor-bugs] #24728 [Webpages/Website]: [Security] Deny access to all tpo onion sites if request sent from Tor2Web services
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Dec 24 00:47:14 UTC 2017
#24728: [Security] Deny access to all tpo onion sites if request sent from Tor2Web
services
----------------------------------+--------------------
Reporter: cypherpunks | Owner: (none)
Type: task | Status: new
Priority: Medium | Milestone:
Component: Webpages/Website | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
----------------------------------+--------------------
Such as https://ea5faa5po25cf7fb[.]onion[.]best/
if ($http_x_tor2web) { return 403; }
Useful info:
> Actual header:
https://github.com/globaleaks/Tor2web/commit/552eedd12942911675365d0c5d8b06b964b8e0b0
> (Info)Why T2W is bad:
https://www.bentasker.co.uk/blog/security/346-don-t-use-web2tor
> (Client)Remove T2W domain from request:
https://addons.mozilla.org/en-US/firefox/addon/healthyonions/
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24728>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online