On May 14, 2014 11:33 UTC, Michael Wolf wrote:
> On 5/13/2014 9:21 PM, Asa Rossoff wrote:
>> On May 14, 2014 00:51 UTC, Michael Wolf wrote:
>>> I had an idea recently that might be an improvement (or might not?) on
>>> the darkweb-everywhere concept. What if we introduced an HTTP header
>>> similar to HSTS -- `X-Onion-Address` perhaps -- which could be sent by
>>> sites that wished to advertise their .onion address? Just like HSTS,
>>> the header would only be acted upon if received over HTTPS (we don't
>>> want malicious parties injecting headers and redirecting people).
>>> Future versions of TBB could perhaps automatically redirect users to the
>>> .onion site when this header is present, or perhaps prompt users to
>>> inform them of the hidden service.
>>
> <snip>
>>
>> One potential bad thing is correlating your initial request with the onion
>> URL request you are redirected to, especially for third-party content on a
>> website (from URLs not in the address bar), e.g. advertising and tracking
>> images, cookies, and scripts. The header could be ignored for those too as
>> a matter of policy as well, though. But even first-party redirects will
>> potentially give the site operator any information they garnered from your
>> initial connection, and maybe malicious exits could conspire to be involved
>> in hosting websites and further profile you.
>
> I thought about that -- but I don't think much is at risk. The browser
> would receive the header on its first request to the site, before it
> received any links to advertising or loaded additional resources from
> third parties. If the browser immediately drops the connection and
> opens a new connection to the .onion site, what has anyone learned that
> they didn't already know? The target site saw a connection from an exit
> node, and then a connection to the hidden service, so it can assume that
> this is the same person... but how is that any worse than you continuing
> to connect to them over clearnet? The third parties never see a
> connection until after the page has loaded from the .onion domain, so
> there's no contamination there. Am I missing something?

Consider your scenario with one change: the first-party clearnet host does not implement the X-Onion-Address header, but third-party embedded hosts aiming to profile and track user activities do. Any cookies or custom URLs or other means that they manage to use to track you, even if only during a browser session, might be linked to both clearnet and onion activity more easily, creating a cross-TLD profile (of course, maybe I'm missing something obvious and default configurations might already allow this by simply allowing embedding .onions in clearnet and vice-versa?). If the user provides identifying credentials or other data somewhere, it may be more readily used to build a cross-session profile that covers more user activity. There are so many ways to leak identifying information.

I'm not entirely sure of the significance of this observation, to be honest, but I hope someone else has a better handle on it than me :). It's possible that it does not pose a new risk and I'm mistaken.

I like the proposal as a good current-tech step for a trusted source of clearnet/onion association. It seems better than a single third-party database. A real problem even if you trusted the content of a third-party database is that if it were very large, it would have to be queried by everyone as much as the DNS system, and the database provider could gather profiling information.

Another alternative would be a DNS record, maybe something like a CNAME record... an ONAME, or something else, to be used if possible. If you have a trusted DNS record (DNSSEC has its issues but should be as trustworthy as SSL identity, as I understand it), this "ONAME" redirect would not be able to be customized on a per-user basis, unlike a server header, and the DNS records might also carry a lower risk of being hijacked/manipulated by a malicious entity unrelated to the host than the host server itself.
URLs might still contain or point to identifying data, but I think it would prevent a web host from easily redirecting different users to different onion hosts. I think the onion:clearnet domain names would have a 1:1 relationship assuming DNSSEC and something like an ONAME record, and so that routing information would be better secured by DNS with DNSSEC. A low-level routing/DNS-level solution would also work for non-HTTP connections, another possible advantage. On the con side, I guess an onion host could not advertise its clearnet address in a similar way, but that seems like a less useful function anyway.

>
>> The header should definitely be ignored if the browser made any direct
>> connection to the site (non-Tor), as that could directly expose your
>> original IP to the hidden service and any other data profiled, although this
>> is a non-issue in a correctly configured TBB. Just a warning for any other
>> browsers/parties who try to implement the feature.
>
> Agreed. The redirect probably shouldn't be automatic anyway, unless the
> user specifically configures it that way with a user preference
> somewhere. A once-per-session prompt with a "Don't ask me again"
> checkbox would be nice.
>
> -- Mike

Asa
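
The client-side checks raised across this thread (HTTPS only, ignore embedded third-party responses, ignore anything fetched outside Tor, prompt rather than redirect unless the user opted in), combined into one decision function as an added example that is not part of the original messages. `X-Onion-Address` is the hypothetical header from the proposal; the bare-hostname value format, the per-site reading of "once per session", and every function and field name are assumptions.

```javascript
// Added illustration, not code from the thread. X-Onion-Address is the
// hypothetical header proposed above; every name below is an assumption.

// Assumed header value: a bare .onion host (16 or 56 base32 characters).
const ONION_HOST = /^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$/;

function parseOnionHeader(value) {
  if (typeof value !== "string") return null;
  const host = value.trim().toLowerCase();
  return ONION_HOST.test(host) ? host : null;
}

// resp: { scheme, host, topLevel, viaTor, headers } with lower-cased header names.
// prefs: { autoRedirect, dontAskAgain, prompted: Set of hosts asked this session }.
function decideOnionAction(resp, prefs) {
  const ignore = (reason) => ({ action: "ignore", reason });
  const target = parseOnionHeader(resp.headers["x-onion-address"]);
  if (!target) return ignore("no well-formed onion address");
  // Like HSTS: a header seen over plain HTTP could have been injected.
  if (resp.scheme !== "https") return ignore("header not received over HTTPS");
  // Embedded trackers must not be able to link clearnet and onion activity.
  if (!resp.topLevel) return ignore("third-party or embedded response");
  // A direct connection has already exposed the client IP to the site.
  if (!resp.viaTor) return ignore("direct (non-Tor) connection");
  // Automatic redirect only when the user explicitly configured it.
  if (prefs.autoRedirect) return { action: "redirect", target };
  if (prefs.dontAskAgain || prefs.prompted.has(resp.host)) {
    return ignore("prompt suppressed");
  }
  prefs.prompted.add(resp.host);
  return { action: "prompt", target };
}

// Constructed sample response (the onion address is made up).
const base = {
  scheme: "https", host: "example.com", topLevel: true, viaTor: true,
  headers: { "x-onion-address": "abcdefghijklmnop.onion" },
};

function demo() {
  const prefs = { autoRedirect: false, dontAskAgain: false, prompted: new Set() };
  return [
    decideOnionAction(base, prefs),                        // first visit
    decideOnionAction(base, prefs),                        // same session
    decideOnionAction({ ...base, scheme: "http" }, prefs),
    decideOnionAction({ ...base, topLevel: false }, prefs),
    decideOnionAction({ ...base, viaTor: false }, prefs),
  ].map((d) => d.action);
}

console.log(demo());
```
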