[tor-dev] [HTTPS-Everywhere] "darkweb everywhere" extension

teor teor2345 at gmail.com
Mon Nov 3 15:29:51 UTC 2014


Hi All,

A "privacy everywhere" solution could have two components:
1. the  HSTS-like "always open this site in .onion" policy already discussed; and
2. an AppLinks or AppLinks-like[1] header that specifies a preferred app and/or URL for Tor, I2P, namecoin, …

The first handles the situation where you're already in the Tor browser, I2P, namecoin, and simply wish to pin the .onion etc. URL for that site.

The second handles the situation where you're browsing the web in your standard browser, but want to switch to a .onion site in the Tor browser if one is available (or the equivalent namecoin or I2P action). AppLinks is mainly designed for mobile platforms, but has Windows schemes as well.

I could imagine schemes like:
al:onion:url                https://facebookcorewwwi.onion
al:onion:attribute      value

al:namecoin:url               https://...
al:namecoin:attribute      value

al:i2p:url                https://...
al:i2p:attribute      value

What do you think?
I wonder if this is helpful, or could just end up being out of scope, duplicating effort, or abusing the AppLinks protocol design (which is focused on an app per platform, not multiple options for alternate URLs).

T


[1]: http://applinks.org/documentation/#applinknavigationprotocol

teor
pgp 0xABFED1AC
hkp://pgp.mit.edu/
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5
http://0bin.net/paste/Mu92kPyphK0bqmbA#Zvt3gzMrSCAwDN6GKsUk7Q8G-eG+Y+BLpe7wtmU66Mx

> On 3 Nov 2014, at 23:00, tor-dev-request at lists.torproject.org wrote:
> Date: Mon, 03 Nov 2014 00:12:53 -0600
> From: Jeremy Rand <biolizard89 at gmail.com>
> To: tor-dev at lists.torproject.org,  https-everywhere
>    <https-everywhere at lists.eff.org>, namecoin at googlegroups.com
> Subject: Re: [tor-dev] [HTTPS-Everywhere] "darkweb everywhere"
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Yan,
> 
> Namecoin would definitely be interested in something similar (we were
> actually discussing the possibility of exactly this yesterday).  Maybe
> we could produce a list of relevant projects that would benefit from
> this?  (The three that come to mind immediately are Tor, I2P, and
> Namecoin, but there may be others.)  If there are more than a few
> projects that would benefit, then it might be interesting to find a
> neutral format for the HTTP header, so that we wouldn't have to list
> all the supported TLD's explicitly in the spec.
> 
> (CCing to Namecoin dev list.)
> 
> - -Jeremy Rand
> Lead Application Engineer, Namecoin Project
> 
>> On 11/02/2014 11:48 PM, yan wrote:
>> +tor-dev. tl;dr: Would be nice if there were an HTTP response
>> header that allows HTTPS servers to indicate their .onion domain
>> names so that HTTPS Everywhere can automatically redirect to the
>> .onion version in the future if the user chooses a "use THS when
>> available" preference.
>> 
>> I imagine the header semantics and processing would be similar to
>> HSTS. It would only be noted when sent over TLS and have the
>> max-age and include-subdomains fields.
>> 
>> -yan
>> 
>> yan wrote:
>>> Hi all,
>>> 
>>> Some people have requested for the "Darkweb Everywhere" extension
>>> [1] to be integrated into HTTPS Everywhere. This is an extension
>>> for Tor Browser that redirects users to the Tor Hidden Service
>>> version of a website when possible.
>>> 
>>> I'm supportive of the idea; however, I'm worried that since
>>> .onion domain names are usually unrelated to a site's regular
>>> domain name, a malicious ruleset would be hard to detect. AFAIK
>>> Darkweb Everywhere only defends against this by publishing a doc
>>> in their Github repo that cites evidence for each ruleset [2].
>>> 
>>> What if, instead, we asked website owners to send an HTTP header
>>> that indicates the Tor Hidden Service version of their website?
>>> Then HTTPS Everywhere could cache the result (like HSTS) and
>>> redirect to the THS version automatically in the future if the
>>> user opts-in.
>>> 
>>> If this is something that EFF/Tor would be willing to advocate
>>> for, I would be happy to draft a specification for the header
>>> syntax and intended UA behavior.
>>> 
>>> Thanks, Yan
>>> 
>>> 
>>> [1] https://github.com/chris-barry/darkweb-everywhere/ [2] 
>>> https://github.com/chris-barry/darkweb-everywhere/blob/master/doc/EVIDENCE.md
> _______________________________________________
>>> HTTPS-Everywhere mailing list HTTPS-Everywhere at lists.eff.org 
>>> https://lists.eff.org/mailman/listinfo/https-everywhere
>> 
>> _______________________________________________ tor-dev mailing
>> list tor-dev at lists.torproject.org 
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> iQEcBAEBAgAGBQJUVxzXAAoJEFgMI9bDV/9qY3UIAJrl5LI/1OHJngu1W9DsLAjr
> nh+Csnm66z5tQTwiwva1Tb4b6trHv4KkHItaTm0cI44mQNsd+YEkh0oRBTSNNcRm
> HY0BDn2pqTlQPN9bWvclGEtCacevCbaQiZgPpxPa+1crtavto4VAnv0/EI85QVAe
> XHUNBeAHmB3qNATXsVJ61oksWlU/x8ao62fB13cUd2fVyaasWz4PPsAJ9n3TkdYG
> /el7mAuM6XdA1fFaGFd1ta0jRuER2VgKQvJQctu/6a/9jiNlib3YmMOOxvF0WR+/
> foUdhFkNCmRWwxqnxFDiKM0ilRLjTQ47CYRkgkqD4azPlkNvUULbO3KhaWPB9/4=
> =rUsH
> -----END PGP SIGNATURE-----
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20141104/65935881/attachment.html>


More information about the tor-dev mailing list