> > To get all the ways in which web browsers threat https differently > from http: mixed content warnings, cookie policies etc. pp. > Browsers won't special-case .onion as 'like https', and should not > because whether they actually are depends on things outside the > browser. >
I suggest torproxy could generate a random CA certificate when its installed and transparently convert all http to https, generating the required SSL certificates on-the-fly and signing them with the random CA certificate. The user would then have to add the random CA certificate to their browser, or better yet, this could somehow be automated for the Tor Browser. One open question with this scheme is whether torproxy would also need to rewrite html content to change http urls to https. Alternately, the Tor Project could ask Mozilla and other browsers developers to add a switch for "treat .onion as secure". Or maybe it could be "treat .onion as secure but only if certain conditions hold, such as the proxy is running on the localhost and a to-be-determined status query of the proxy succeeds". -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
