[tor-onions] Announcing Onion-Website with x-onion response-header?

Tom Ritter tom at ritter.vg
Sun Feb 7 13:00:18 UTC 2016


On 7 February 2016 at 05:10, Mirco Bauer <meebey at meebey.net> wrote:
> [Reply inline]
>
> On 06.02.2016 3:43 PM, "Martijn Grooten"
> <martijn at lapsedordinary.net> wrote:
>>
>> On Thu, Feb 04, 2016 at 03:36:44PM +0000, Alec Muffett wrote:
>> > Perhaps only issuing the header to people who access from an exit node,
>> > might reduce that cost?
>>
>> Even so, and especially then, this sounds like an easy way for someone
>> operating a rogue exit node to get persistent MitM on non-HTTPS sites.
>
> So accept this header just on https connections and all is well.

Agreed, this is how applying most security headers works (HSTS, HPKP).
Instead of defining a new header why not use Alt-Svc?  I'm not sure of
its status, but it was explicitly made for advertising other methods
of contacting a service.

-tom
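
The rule discussed in this thread (honor an onion advertisement only when it arrives over an authenticated HTTPS connection), sketched here as an added example that is not part of the original message or of any Tor code. It assumes the Alt-Svc field syntax as later standardized in RFC 7838; the function names, the `tls_verified` flag, the lower-cased header dict and the sample onion address are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One alternative: protocol-id="host:port" followed by optional ";name=value" parameters.
_ALT = re.compile(r'\s*([^\s=",;]+)="([^"]*)"((?:\s*;[^,;]*)*)\s*')

def parse_alt_svc(value):
    """Parse an Alt-Svc field value into a list of dicts ([] for "clear")."""
    if value.strip() == "clear":
        return []
    alternatives = []
    for item in value.split(","):  # authorities never contain a comma
        m = _ALT.fullmatch(item)
        if not m:
            continue  # skip malformed entries rather than guessing
        proto, authority, params = m.groups()
        host, _, port = authority.rpartition(":")
        opts = dict(p.strip().split("=", 1) for p in params.split(";") if "=" in p)
        max_age = opts.get("ma", "86400")  # RFC 7838 default freshness: 24 hours
        if not port.isdigit() or not max_age.isdigit():
            continue
        alternatives.append({"proto": proto, "host": host.lower(),
                             "port": int(port), "max_age": int(max_age)})
    return alternatives

def onion_alternatives(request_url, tls_verified, headers):
    """Return the .onion alternatives a client may remember for this origin.

    tls_verified is a hypothetical flag the caller sets only after certificate
    validation succeeded; headers is a dict with lower-cased field names.
    """
    if urlsplit(request_url).scheme != "https" or not tls_verified:
        # Over plain HTTP anyone on the path, including the exit node,
        # could have injected the header, so it is ignored entirely.
        return []
    found = parse_alt_svc(headers.get("alt-svc", ""))
    return [a for a in found if a["host"].endswith(".onion")]

if __name__ == "__main__":
    # Constructed sample response header; the onion name is a placeholder.
    sample = {"alt-svc": 'h2="exampleonionaddr.onion:443"; ma=3600, h2=":8443"'}
    print(onion_alternatives("http://example.com/", False, sample))
    print(onion_alternatives("https://example.com/", True, sample))
```
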

