On 5/13/2014 9:32 PM, Mirimir wrote:
> On 05/13/2014 06:51 PM, Michael Wolf wrote:
>> I had an idea recently that might be an improvement (or might not?) on
>> the darkweb-everywhere concept. What if we introduced an HTTP header
>> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
>> sites that wished to advertise their .onion address? Just like HSTS,
>> the header would only be acted upon if received over HTTPS (we don't
>> want malicious parties injecting headers and redirecting people).
>> Future versions of TBB could perhaps automatically redirect users to the
>> .onion site when this header is present, or perhaps prompt users to
>> inform them of the hidden service.
>>
>> -- Mike
>
> If I'm going to use <https://344c6kbnjnljjzlz.onion>, I'd rather not be
> redirected from <https://vfemail.net>. It's a small risk, but wouldn't
> it be better to get onion addresses from some trusted site via HTTPS?

You don't trust vfemail.net to give you their proper .onion address over https? Why would you trust a third party more?

It may be a matter of preference, but I feel the opposite about it. I consider "some trusted site" to be a single point of failure, a desirable target to be exploited, and unnecessary overhead. Who would manage the site? How would you get your site listed? How do you ensure that people don't list .onion sites for clearnet sites that they don't control? It seems like a lot of additional effort compared to adding one line in an .htaccess file. I just don't see any benefit at all of having a third party handle this.

-- Mike

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
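
The client-side rule proposed in this thread (act on `X-Onion-Address` only when it arrives over HTTPS), written out as an added example that is not part of the original messages or of any Tor Browser code. The response shape, the function names, the choice to prompt rather than redirect, and the bare-hostname header format are assumptions.

```javascript
// Header name is the one proposed in the thread; everything else is assumed.
const HEADER = "x-onion-address";
// 16 base32 chars = the onion format used in the thread; 56 = v3 addresses.
const ONION_HOST = /^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$/;

// Look up a header case-insensitively and return every value seen.
function headerValues(headers, name) {
  return Object.entries(headers)
    .filter(([k]) => k.toLowerCase() === name)
    .map(([, v]) => String(v).trim());
}

// response: { url, tlsValid, headers } (hypothetical shape for this sketch)
function decideOnionAction(response) {
  let url;
  try { url = new URL(response.url); }
  catch { return { action: "ignore", reason: "bad-url" }; }
  // Like HSTS: a header seen over plain HTTP may have been injected in transit.
  if (url.protocol !== "https:") return { action: "ignore", reason: "not-https" };
  // Assumption: a certificate error voids the header, as it does for HSTS.
  if (!response.tlsValid) return { action: "ignore", reason: "tls-error" };
  if (url.hostname.endsWith(".onion")) return { action: "ignore", reason: "already-onion" };

  const values = headerValues(response.headers || {}, HEADER);
  if (values.length === 0) return { action: "ignore", reason: "no-header" };
  // Conflicting or list-valued headers are ambiguous, so refuse to guess.
  if (values.length > 1 || values[0].includes(","))
    return { action: "ignore", reason: "ambiguous" };

  const onion = values[0].toLowerCase();
  // Only a bare onion hostname is accepted: no scheme, path, port or userinfo.
  if (!ONION_HOST.test(onion)) return { action: "ignore", reason: "malformed" };
  // Prompt instead of redirecting silently, so the user sees both names.
  return { action: "prompt", from: url.hostname, onion };
}

// Constructed sample responses, using the hostnames quoted in the thread.
const SAMPLES = [
  { url: "https://vfemail.net/", tlsValid: true, headers: { "X-Onion-Address": "344c6kbnjnljjzlz.onion" } },
  { url: "http://vfemail.net/", tlsValid: true, headers: { "X-Onion-Address": "344c6kbnjnljjzlz.onion" } },
  { url: "https://vfemail.net/", tlsValid: true, headers: { "X-Onion-Address": "344c6kbnjnljjzlz.onion/login" } },
];
for (const s of SAMPLES) console.log(s.url, JSON.stringify(decideOnionAction(s)));
```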
