On Sat, Sep 22, 2018 at 4:07 PM, Roman Mamedov <r...@romanrm.net> wrote:
> Also, do you mean there's no way to have an Alt-Svc with "[...].onion:80",
> directing to a plain HTTP connection to the hidden service? (Assuming the
> initial request to the clearnet site was on HTTPS.)

Correct. It has to go to HTTPS because the cert served by the new origin is used as a mechanism to authenticate that it is actually authorised to act as an origin.

The primary aim being to ensure that if I (somehow) manage to inject an Alt-Svc header into your responses, I cannot simply redirect users via my service _unless_ I can also obtain a valid certificate for your original name.

> There is no point in running HTTPS-over-Tor-hidden-service, as .onion traffic
> is already authenticated and encrypted, it only adds useless overhead

See above. Without HTTPS the onion service is authenticated as being that onion service, but is absolutely not authorised as an authorised origin for www.example.com. It's not an oversight, it's a deliberate rational design decision to help prevent various attacks that would otherwise be possible.

> What to use in case of 1.1?

I've not checked browser support for downgrading to 1.1, but the Alt-Svc header expects an RFC 7301 ALPN name - so the name here would be http/1.1. However, you also need to percent-encode it (RFC 7838 section 3), so it'd be http%2F1.1.

I should add - depending on the browser you *may* find you need to only inject the header when the user is coming from a Tor exit. Otherwise direct clearnet users might try and connect out. It *shouldn't* happen (the RFC makes it very clear that alt services are optional, and should be used when the alt origin becomes available - "the client SHOULD use that alternative service for all requests to the associated origin as soon as it is available"). But as with anything, plan for the dumbest user-agent you could possibly imagine.
--
Ben Tasker
https://www.bentasker.co.uk

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
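As an added illustration (not code from the thread), the following Python builds and parses Alt-Svc header values in the RFC 7838 form discussed above, including the percent-encoded `http%2F1.1` protocol-id; the .onion hostname is a constructed placeholder, and the token character set used for encoding is the RFC 7230 tchar list.

```python
"""Build and parse HTTP Alt-Svc header values (RFC 7838) for a .onion alternative."""
import re
from urllib.parse import quote, unquote

# Constructed placeholder, not a real hidden service address.
ONION_HOST = "exampleonionplaceholder.onion"

# RFC 7838 s3: protocol-id is a token (RFC 7230 tchar), so ALPN names that
# contain non-token characters are percent-encoded: "/" is not a tchar, hence
# http/1.1 -> http%2F1.1. '%' itself is never left unencoded.
_TCHAR_SAFE = "!#$&'*+^`|"  # tchars that urllib.parse.quote would otherwise escape


def encode_protocol_id(alpn: str) -> str:
    """Percent-encode an ALPN name for use as an Alt-Svc protocol-id."""
    return quote(alpn, safe=_TCHAR_SAFE)


def build_alt_svc(alpns, host, port, max_age=86400):
    """One alt-value per ALPN, e.g. h2="host.onion:443"; ma=86400."""
    return ", ".join(
        f'{encode_protocol_id(a)}="{host}:{port}"; ma={max_age}' for a in alpns
    )


# alt-value = protocol-id "=" quoted alt-authority *( ";" parameter )
_ALT_VALUE = re.compile(r'\s*([^=\s,;]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')


def parse_alt_svc(value):
    """Return the special string "clear", or a list of dicts with the decoded
    ALPN name, host, port and parameters of each alternative."""
    if value.strip() == "clear":
        return "clear"
    out = []
    for m in _ALT_VALUE.finditer(value):
        proto, authority, params = m.groups()
        host, _, port = authority.rpartition(":")  # alt-authority = [host] ":" port
        kv = {}
        for p in params.split(";"):
            p = p.strip()
            if "=" in p:
                k, v = p.split("=", 1)
                kv[k.strip()] = v.strip()
        out.append({"alpn": unquote(proto), "host": host, "port": int(port),
                    "params": kv})
    return out
```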