On Mon, Mar 22, 2021 at 06:06:04PM +0100, Nicolas Vigier wrote:
> On Mon, 22 Mar 2021, qorg11 wrote:
>
> > The "Onion available" does not appear in a plain http version of a
> > website. But it does appear in the https version. I checked and my
> > website does have the onion-location header in the plain http
> > version. But tor browser doesn't show the button. Is this intended
> > behaviour? I've attached some screenshots.
>
> It is intended behaviour:
> https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/100-onion-location-header.txt
>
> "The webpage defining the Onion-Location header must be served over
> HTTPS."
>
To expand a little bit on this: It's an instance of the general problem of unencrypted content.

If you attempt to connect to http://example.com over Tor, any malicious party who can intercept that connection once it leaves Tor's encryption (such as the exit relay, if it is malicious) could send you a fake version of example.com with an "onion available" button and a link to whatever onion address they own. So you would end up at a fake onion address for example.com.

Worse, for subsequent visits to example.com, as long as your browser keeps track of the decision, they don't even have to hijack the connection to get you to go to the fake onion address for example.com; your browser will automatically connect to the fake onion address when it sees a request to visit example.com.

But if onion location is limited to https connections, then to do this attack they would also have to hijack the certificate that says this encrypted connection is really to example.com, which is harder and exposes more risk of detection than the above. We have things in the works to make it harder still (TLS hijack is not enough), but I hope that helps.

Si Vales, Valeo,
Paul

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
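The policy Paul describes, written out as a small added example (not Tor Browser's code): the Onion-Location header is honoured only when the page itself arrived over HTTPS, and the "remembered" per-site redirect can therefore only ever be created from an authenticated response. The additional requirement that the header value be an http(s) URL with a .onion host is an assumption taken from the spec proposal linked above, not from this thread; the URLs in the test are constructed.

```python
from urllib.parse import urlsplit


def accept_onion_location(page_url, header_value):
    """Return the onion URL a client may offer for this page, or None.

    Rule quoted in the thread: the page carrying Onion-Location must be
    served over HTTPS. A header seen on a plain-http response is ignored,
    because anyone between the exit relay and the site could have injected it.
    """
    if header_value is None:
        return None
    page = urlsplit(page_url)
    if page.scheme != "https":
        return None
    target = urlsplit(header_value.strip())
    # Assumption beyond the thread (from proposal 100): the header must
    # point at an http(s) URL whose hostname is a .onion address.
    if target.scheme not in ("http", "https"):
        return None
    host = (target.hostname or "").lower()
    if not host.endswith(".onion"):
        return None
    return target.geturl()


class OnionPreference:
    """Per-site memory of the onion address the user chose to always use.

    Because record() goes through accept_onion_location(), a plain-http
    response can never seed the automatic redirect Paul warns about.
    """

    def __init__(self):
        self._remembered = {}

    def record(self, page_url, header_value):
        onion = accept_onion_location(page_url, header_value)
        if onion is None:
            return None
        self._remembered[(urlsplit(page_url).hostname or "").lower()] = onion
        return onion

    def redirect_for(self, page_url):
        """Onion URL to use automatically for a later visit, if any."""
        return self._remembered.get((urlsplit(page_url).hostname or "").lower())
```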