[tor-project] [INFORMATION REQUEST] Onion Service Web Site Deployments
Matthew Finkel
sysrqb at torproject.org
Tue Jul 21 23:17:40 UTC 2020

On Tue, Jul 21, 2020 at 07:52:41PM +0200, Sebastian Hahn wrote:
>
>
> > On 21. Jul 2020, at 05:58, Matthew Finkel <sysrqb at torproject.org> wrote:
> > On Tue, Jul 21, 2020 at 01:47:40AM +0200, Sebastian Hahn wrote:
> >>
> >> If there were some sensible way to have https which terminates at their
> >> end while they don't have to operate a hidden service, I am pretty sure
> >> we could work something out and I would obviously go for it.
> >
> > I like Ian's example, if that is an option. I see that nginx supports
> > something similar, too. I can imagine a hacky socat solution, too (but a
> > reverse proxy is less of a duct-tape-and-chewing-gum design).
>
> I also like Ian's suggestion, but it is not a fix. There's no end to end
> https between browser and webserver, users still need to trust me to not
> modify traffic. It only gets rid of the transport issue (which I don't
> worry about too much in this instance, tbh).

Yes, the "onion service-in-the-middle" design requires that someone
trust the onion service operator (either the client or the website
administrator).

In the future, maybe the website can use a SOOC [0] (TLS certificate)
with a binding for your onion service. If not, then solving this problem
will be difficult without the admin deploying their own onion service
and/or using a DV cert containing the .onion address.

[0] https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.txt