
Tor onion addresses

Started by Geremia, March 10, 2021, 02:30:51 PM


Geremia


Luke

Fantastic! By the way, using HTTPS with .onion domains is somewhat redundant, as a Tor hidden service already ensures confidentiality and integrity. In fact, unless you get an HTTPS certificate for the .onion domain, users will get a warning (which they do now -- "This server could not prove that it is upvikiwfmgcywauk.onion; its security certificate is from isidore.co. This may be caused by a misconfiguration or an attacker intercepting your connection. Proceed to upvikiwfmgcywauk.onion (unsafe)"). While Let's Encrypt support is forthcoming, AFAIK the only issuer for .onion certificates is the (paid) DigiCert :(

Geremia

Quote from: Luke on May 18, 2021, 11:06:40 AM
using HTTPS with .onion domains is somewhat redundant
Sure, but my ISP blocks incoming port 80. isidore.co has no HTTP protocol; it's only HTTPS.

Luke

Connections to Hidden Services (".onion" domains) are routed through the Tor network, so they bypass ISP restrictions. For example, your web server could listen on port 80 on localhost (so it would not even be reachable over the internet if your ISP lifted that restriction), yet be exposed over the .onion.


In fact, for hidden services not available over the regular web, it is the recommended option: "You need to configure your web server so it doesn't give away any information about you, your computer, or your location. Be sure to bind the web server only to localhost (if people could get to it directly, they could confirm that your computer is the one offering the onion service). Be sure that its error messages don't list your hostname or other hints."

Of course, different for things like Facebook or St. Isidore's Library which have public-web versions as well :-)
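The localhost-only binding described above, as an added check that is not code from the thread: it parses a torrc and an nginx-style config and flags any onion-service backend target or web-server listener that is reachable beyond loopback. The sample configs, directory path and ports are constructed placeholders.

```python
"""Added example: check that an onion service's web backend is bound only to loopback."""
import ipaddress
import re
# Constructed sample configs; directory and ports are placeholders, not from the thread.
SAMPLE_TORRC = """
HiddenServiceDir /var/lib/tor/library/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443
"""
SAMPLE_NGINX = "server { listen 127.0.0.1:8080; server_tokens off; }\nserver { listen 8443; }\n"

def is_loopback(host):
    """True for 'localhost', any 127.0.0.0/8 address, or ::1 (brackets allowed)."""
    try:
        return host == "localhost" or ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False

def split_host_port(spec, default_host):
    """Parse 'host:port', '[v6]:port' or a bare 'port' (bare port -> default_host)."""
    m = re.fullmatch(r"(?:(\[[^\]]+\]|[^:\s]+):)?(\d+)", spec)
    return (m.group(1) or default_host, int(m.group(2))) if m else None

def hidden_service_targets(torrc):
    """Backend (host, port) for each HiddenServicePort line; torrc defaults a
    missing target to 127.0.0.1:VIRTPORT. Unix-socket targets are skipped."""
    targets = []
    for m in re.finditer(r"^\s*HiddenServicePort\s+(\d+)(?:[ \t]+(\S+))?", torrc, re.M):
        virt, target = int(m.group(1)), m.group(2)
        parsed = split_host_port(target, "127.0.0.1") if target else ("127.0.0.1", virt)
        if parsed:
            targets.append(parsed)
    return targets

def nginx_listens(conf):
    """nginx listen addresses; a bare port means all interfaces (0.0.0.0)."""
    return [p for p in (split_host_port(s, "0.0.0.0") for s in re.findall(r"\blisten\s+([^\s;]+)", conf)) if p]

def audit(torrc, conf):
    """Findings for any backend target or listener that is reachable off-host."""
    findings = []
    for host, port in hidden_service_targets(torrc):
        if not is_loopback(host):
            findings.append(f"HiddenServicePort target {host}:{port} is not loopback")
    for host, port in nginx_listens(conf):
        if not is_loopback(host):
            findings.append(f"web server listens on {host}:{port}, reachable from outside")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_TORRC, SAMPLE_NGINX) or ["OK: all bound to loopback"]))
```

Run against your real torrc and web-server config; an empty result means every backend and listener is loopback-only, so the host is reachable only through the .onion.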

Geremia

Quote from: Luke on May 18, 2021, 01:50:36 PM
your web server could listen to 80 on localhost (so not even be reachable over the internet even if your ISP lifted that restriction), yet be exposed over the .onion.
Test if the onion domains use HTTP now.

I just now discovered Firefox's "dom.security.https_only_mode" and "dom.security.https_only_mode.upgrade_onion" options. It seems they're anticipating HTTPS onion in the future. Interesting.

Luke

Quote from: Geremia on May 18, 2021, 02:36:57 PM
Test if the onion domains use HTTP now.
Both are working now! Thank you so much!

Quote from: Geremia on May 18, 2021, 02:36:57 PM
Interestingly, I just now discovered Firefox's "dom.security.https_only_mode" and "dom.security.https_only_mode.upgrade_onion" options. It seems they're anticipating HTTPS onion in the future.
Ohhh, nice! .onion phishing is very real, and maybe HTTPS EV certificates could help there!

Geremia
