#27513 closed enhancement (duplicate)

Add-on for redirecting users to onion site

Reported by: cyberpunks Owned by: legind
Priority: Low Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Is it possible to have an add-on that redirects users to onion sites when possible? For example, a user visiting https://www.qubes-os.org/ will get redirected to http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/.

My initial thought is that we can simply extend https-everywhere to allow this behavior. Also, it would be important to allow users to customize their redirection list since it would be hard to maintain an up-to-date list ourselves. Of course, we also need to warn the users not to blindly trust any list available on the web.

Change History (10)

comment:1 Changed 13 months ago by legind

It is not always clear that a user would rather access the onion service for a given site rather than the clearnet site. Onion services have in the past suffered from problems that the clearnet sites lacked. In Facebook's case, certain videos would fail to load due to improper onion CDN configurations and the like. Also, accessing onion sites on TB can be slower than the clearnet alternatives.

I think giving users the option to redirect to onion sites is the right path: perhaps an option within HTTPS Everywhere or TB that, when explicitly allowed, forwards a site to the onion URL. This can be advertised by the HTTPS version of a site via the HTTP Alternative Service header, for instance. (https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-14)

There is the additional problem of discovery and maintenance of such rulesets within HTTPS Everywhere. What if an onion service needs to do a key rotation? How is that communicated to the ruleset maintainers? This can be tricky business.

Note that with the addition of update channels in HTTPS Everywhere (https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md) it is now possible for some entity (say, the Tor Project) to publish rulesets for HTTPS Everywhere that allow users to opt in to being automatically forwarded to the onion-service equivalent of a site.
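
The opt-in Alt-Svc forwarding suggested in comment:1, sketched as an added example that is not part of the ticket and is not Tor Browser or HTTPS Everywhere code. The function names, the `userOptedIn` flag and the sample header value are assumptions of the example; the onion address is the one from the ticket description.

```javascript
// Added example: a hypothetical client-side policy for onion alternatives.
// A v3 onion host: optional subdomain labels, then 56 base32 characters.
const V3_ONION = /^(?:[a-z0-9-]+\.)*[a-z2-7]{56}\.onion$/;

// Constructed Alt-Svc field value, using the onion address from the description.
const SAMPLE =
  'h2="sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion:443"; ma=86400, ' +
  'h2="alt.example.org:443"';

// Parse an Alt-Svc field value (RFC 7838) into {protocol, host, port, maxAge}.
function parseAltSvc(value) {
  if (value.trim() === "clear") return [];
  const entries = [];
  for (const item of value.split(",")) {
    const [alt, ...params] = item.split(";").map((s) => s.trim());
    const m = /^([A-Za-z0-9%._~+-]+)="([^"]*):(\d+)"$/.exec(alt);
    if (!m) continue; // skip malformed alternatives instead of guessing
    const ma = params.map((p) => /^ma=(\d+)$/.exec(p)).find(Boolean);
    entries.push({
      protocol: m[1],
      host: m[2].toLowerCase(),
      port: Number(m[3]),
      maxAge: ma ? Number(ma[1]) : 86400, // RFC 7838 default: 24 hours
    });
  }
  return entries;
}

// Return the onion alternative to use, or null to stay on the clearnet site.
function onionAlternative(originUrl, altSvcValue, userOptedIn) {
  // Forwarding happens only when the user has explicitly allowed it.
  if (!userOptedIn) return null;
  // Only an advertisement received from the HTTPS version of the site counts.
  if (new URL(originUrl).protocol !== "https:") return null;
  const hit = parseAltSvc(altSvcValue).find(
    (e) => V3_ONION.test(e.host) && e.maxAge > 0
  );
  return hit || null;
}

console.log(onionAlternative("https://www.qubes-os.org/", SAMPLE, true));
console.log(onionAlternative("https://www.qubes-os.org/", SAMPLE, false));
```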

comment:2 Changed 13 months ago by traumschule

came across https://searxes.danwin1210.me lately, it links healthy.onion. needs some testing though.

comment:3 Changed 13 months ago by cypherpunks3

https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor
Having healthy.onion since last year, it's good.
Unlike HTTPSEverywhere this add-on does not connect to a remote server to update the list.

comment:4 Changed 13 months ago by legind

Uh, I'm pretty sure it does though. It's called addons.mozilla.org.

Last edited 13 months ago by legind

comment:5 in reply to:  4 Changed 13 months ago by cypherpunks3

Replying to legind:

> Uh, I'm pretty sure it does though. It's called addons.mozilla.org.

"Self-hosted add-on" does not connect to addons.mozilla.org.

comment:6 Changed 13 months ago by cypherpunks3

By the way, your HTTPS Everywhere add-on shipped with "Auto-update rulesets" enabled by default and you clearly didn't notify the user about automatic connection.

What do you think about this?

comment:7 Changed 13 months ago by cypherpunks3

I'm sure I didn't give consent to access https://www.https-rulesets.org/ in background.

comment:8 Changed 13 months ago by legind

You also didn't give consent to access eff.org for HTTPS Everywhere extension updates, or addons.mozilla.org for NoScript extension updates, but that's what Tor Browser has been doing for the better part of a decade. It's one of the ways that we are able to ship quick fixes if vulnerabilities are found, or updates to the coverage for HTTPS sites. In fact, rolling HTTPS Everywhere ruleset updates improves the anonymity guarantees of the Tor Browser by ensuring that you can't be fingerprinted by clever techniques that differentiate your version of the HTTPS Everywhere rulesets from everyone else's.

"Self-hosted add-on" in your case means that it updates instead from the server of some random person with no established credibility, which is laughable. I don't think that's any better than addons.mozilla.org. At best, it's a misleading statement.

HTTPS Everywhere is developed by the EFF in collaboration with the Tor Project. You're already trusting the Tor Project for updates to the Tor Browser. Fetching these rulesets from https://www.https-rulesets.org/ allows users to ensure comprehensive HTTPS coverage, and isn't comparable to an extension that forces onion service connections despite user preference.

Custom ruleset channels in HTTPS Everywhere also allow users to limit a ruleset update channel by scope. So if a user subscribes to an auto-redirection channel, they can enter the regex http://[^/]+\.tor/ to ensure that it only acts on the .tor pseudo-TLD.

comment:9 Changed 13 months ago by legind

(The above .tor pseudo-TLD is an example from gk's https://blog.torproject.org/cooking-onions-names-your-onions.)
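
The scope limit described in comment:8, as an added example that is not part of the ticket and is not HTTPS Everywhere's own code. The channel object, the function names and the `qubes.tor` name are hypothetical, and anchoring the scope at the start of the URL is an assumption of the example.

```javascript
// Added illustration: the channel object and function names are hypothetical,
// not HTTPS Everywhere's internal data model.
const ONION =
  "http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/";

// Constructed channel: the scope regex from comment:8 plus two rewrite rules.
const channel = {
  scope: "http://[^/]+\\.tor/",
  rules: [
    { from: "^http://qubes\\.tor/", to: ONION }, // inside the scope
    { from: "^https://www\\.qubes-os\\.org/", to: ONION }, // outside the scope
  ],
};

// Assumption of this example: the scope must match at the start of the URL,
// so a .tor URL embedded in a path or query string does not satisfy it.
function inScope(chan, url) {
  return new RegExp("^(?:" + chan.scope + ")").test(url);
}

// Apply the first matching rule, but only to URLs the subscriber's scope allows.
function applyChannel(chan, url) {
  if (!inScope(chan, url)) {
    return { url, rewritten: false, reason: "out-of-scope" };
  }
  for (const rule of chan.rules) {
    const from = new RegExp(rule.from);
    if (from.test(url)) {
      // Function replacement keeps "$" in the target from being interpreted.
      return { url: url.replace(from, () => rule.to), rewritten: true, reason: "rule" };
    }
  }
  return { url, rewritten: false, reason: "no-rule" };
}

for (const u of [
  "http://qubes.tor/doc/",
  "https://www.qubes-os.org/",
  "https://www.qubes-os.org/?next=http://qubes.tor/",
]) {
  console.log(u, "->", JSON.stringify(applyChannel(channel, u)));
}
```

The second rule never fires: the subscriber's scope, not the channel publisher, decides which URLs the channel may touch.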

comment:10 Changed 12 months ago by traumschule

Resolution: duplicate
Status: new → closed

Reviewing #26581, I think this is a duplicate. Also the "having an add-on" part is solved. Thanks!
