[tor-dev] UX improvement proposal: Onion auto-redirects using Alt-Svc HTTP header
George Kadianakis
desnacked at riseup.net
Wed Nov 15 10:09:44 UTC 2017
Tom Ritter <tom at ritter.vg> writes:
> I am a big proponent of websites advertising .onions in their Alt-Srv.
>
>> 4.2. No security/performance benefits
>>
>> While we could come up with auto-redirect proposals that provide security
>> and performance benefits, this proposal does not actually provide any of
>> those.
>>
>> As a matter of fact, the security remains the same as connecting to normal
>> websites (since we trust its HTTP headers), and the performance gets worse
>> since we first need to connect to the website, get its headers, and then
>> also connect to the onion.
>>
>> Still _all_ the website approaches mentioned in the "Motivation" section
>> suffer from the above drawbacks, and sysadmins still come up with ad-hoc
>> ways to inform users abou their onions. So this simple proposal will still
>> help those websites and also pave the way forward for future auto-redirect
>> techniques.
>
> I envision a future Onion Everywhere extension like HTTPS Everywhere
> that works similar to the HSTS preload list. Crawlers validate a
> websites intention to be in the Onion Everywhere extension, and we
> cache the Alt-Srv information so it is used on first load.
>
Yep, that's yet another cool way to do this.
>
>> 4.3. Alt-Svc does not do exactly what we want
>>
>> I read in a blog post [*] that using Alt-Svc header "doesn’t change the URL
>> in the location bar, document.location or any other indication of where the
>> resource is; this is a “layer below” the URL.". IIUC, this is not exactly
>> what we want because users will not notice the onion address, they will not
>> get the user education part of the proposal and their connection will still
>> be slowed down.
>>
>> I think we could perhaps change this in Tor Browser so that it rewrites the
>> onion address to make it clear to people that they are now surfing the
>> onionspace.
>>
>> [*]: https://www.mnot.net/blog/2016/03/09/alt-svc
>
>
> I am a big opponent of changing the semantics of Alt-Srv.
>
> We'd have to change the semantics to only do redirection for onion
> domains. We'd also have to figure out how to handle cases where the
> onion lives alongside non-onion (which takes precedence?) We'd also
> have to maintain and carry this patch ourselves because it's pretty
> antithetical to the very intent of the header and I doubt the
> networking team at Mozilla would be interested in maintaining it.
>
> Besides those issues, it also eliminates Alt-Srv as a working option
> to something *else* websites may want: to silently redirect users to
> their .onion _without_ the possibility of confusion for the user by
> changing the address bar. I think Alt-Srv is an option for partial
> petname support in TB.
>
> There is a perfectly functioning mechanism for redirecting users: the
> Location header. It does a lot of what you want: including temporary
> or persistent redirects, updating the addess bar. Obviously it doesn't
> work for all users, most don't know what .onion is, so Facebook isn't
> going to deploy a .onion Location redirect even if they attempted to
> detect TB users.
>
> But they could send a new Onion-Redirect header that is recognized and
> processed (with a notification bar) by any UA that supports Tor and
> wants to implement it. This header would have a viable path to uplift,
> support in extensions, and even standardization. Onion Everywhere can
> preload these headers too.
>
Agreed, the semantics of Alt-Svc are not what we want, and it's probably
not a good idea to change it from an engineering/policy perspective.
Establishing our own header, with the same semantics as Location, seems
to be a cleaner way to approach this.
When I find some time (hopefully this or next week) I will fix up the
proposal based on received feedback.
>
> On 14 November 2017 at 11:25, teor <teor2345 at gmail.com> wrote:
>>> 4. Drawbacks
>>
>> You missed the biggest one:
>>
>> If the onion site is down, the user will be redirected to the downed site.
>> (I've used onion site redirects with this issue, it's really annoying.)
>> Similarly, if a feature is broken on the onion site, the user will be
>> redirected to a site they can't use.
>>
>> Or if the user simply wants to use the non-onion site for some reason
>> (maybe they want a link they can share with their non-onion friends,
>> or maybe they don't want to reveal they're using Tor Browser).
>>
>> Users *must* have a way to disable the redirect on every redirect.
>
> Right now, I don't agree with this. (I reserve the right to change my
> mind.) Websites can already redirect users to broken links through
> mistakes. Why is "my onion site is not running" a scenario we want to
> code around but "my subdomain is not running" is not? If a website
> wants to redirect users they should be responsible enough to monitor
> the uptime of their onion domain and keep it running. Maybe we need
> better tooling for that, but that's different from saying we need to
> put the onus on users for webmasters failing to keep their sites
> running.
>
Agreed. As long as onion services provide a consistent service,
sysadmins should be responsible for maintaining the mapping and
availability of their services.
More information about the tor-dev
mailing list