
It is possible to advertise your .onion address and offer automatic redirect to it for Tor Browser users using the "Onion-Location" HTTP header. Example with my personal home page:

    $ curl -I https://pablo.rauzy.name/
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Thu, 10 Mar 2022 14:04:44 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 2843
    Last-Modified: Sun, 23 Jan 2022 22:21:41 GMT
    Connection: keep-alive
    Onion-Location: http://c2fk5i7jqn7am7nfo7eb7hwrkclyj3jj4qcwgdh6ievp7v5ie4gd3mid.onion/

It would be interesting to try to see if the Tor Browser has a TOFU policy and warns its user if the onion address changes after they visited the site once.

If it is the case then you combine the ease of access of typing a normal domain name and the Onion security through an HSTS equivalent mechanism.
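
An added example, not part of the thread and not a description of Tor Browser's behaviour: a small monitor that pulls `Onion-Location` out of a header block like the one above, checks that the value is an http(s) URL whose host is a well-formed v3 onion address, and applies a trust-on-first-use pin. The function names, the in-memory pin store, the site name and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def onion_checksum(pubkey, version=b"\x03"):  # checksum defined by the v3 address format
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def encode_onion(pubkey, checksum=None):  # helper for building constructed sample hosts
    checksum = onion_checksum(pubkey) if checksum is None else checksum
    return base64.b32encode(pubkey + checksum + b"\x03").decode().lower() + ".onion"

def valid_v3_onion(host):
    labels = host.lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion" or len(labels[-2]) != 56:
        return False
    try:
        raw = base64.b32decode(labels[-2].upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == onion_checksum(pubkey, version)

def onion_location(headers):  # header names are case-insensitive
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "onion-location":
            return value.strip()
    return None

def check(headers, pins, site):  # pins: hypothetical dict mapping site -> onion host
    url = onion_location(headers)
    if url is None:
        return "absent"
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:  # malformed URL in the header value
        return "invalid"
    if parts.scheme not in ("http", "https") or not valid_v3_onion(host):
        return "invalid"
    if site not in pins:  # first use: trust and remember
        pins[site] = host
        return "pinned"
    return "match" if pins[site] == host else "changed"

if __name__ == "__main__":
    pins = {}
    for key in (bytes(range(32)), bytes(range(32)), bytes(range(1, 33))):  # constructed keys
        print(check("Onion-Location: http://%s/" % encode_onion(key), pins, "example.test"))
```

A "changed" result is the case the comment asks about: the clearnet site is now advertising a different onion address than the one first seen.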



Is there some sort of attack possible here where you could hand out unique onion addresses to each visitor, so when they connect with Tor you could fingerprint their Tor connection and match it to their cleartext connection? *takes off his black hat*


No, since the redirect only works in the Tor Browser, in which case the cleartext connection is still a Tor connection.


Doing so you would only identify Tor exit nodes.



