From 38cb477491979225098f2331c20e51bc4d3ae39a Mon Sep 17 00:00:00 2001 From: Alec Muffett Date: Thu, 5 Dec 2019 16:44:14 +0000 Subject: [PATCH] commit: nits2 --- 01-preamble.md | 11 ++++++++--- README.md | 11 ++++++++--- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/01-preamble.md b/01-preamble.md index 5302927..ebb5743 100644 --- a/01-preamble.md +++ b/01-preamble.md @@ -44,12 +44,12 @@ Mouse-over the icons for details of HTTP codes, curl exit statuses, and the numb Due to the fundamental protocol differences between `HTTP` and `HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure -as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are -fundamentally more secure than HTTP, e.g.: +as HTTPS"; web browsers **do** and **must** treat HTTPS in ways that +are fundamentally more secure than HTTP, e.g.: - with respect to cookie handling, or - where the trusted connection terminates, or -- how to deal with loading embedded insecure content +- how to deal with loading embedded insecure content, or - whether to permit access to camera and microphone devices (WebRTC) ...and the necessity of broad adherence to web standards would make it @@ -57,6 +57,11 @@ harmful to attempt to optimise just one browser (e.g. Tor Browser) to elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion. +Doubtless some browsers will *attempt* to implement +"better-than-default trust and security via HTTP over onions", but +this behaviour will not be standard, cannot be relied upon by +clients/users, and will therefore be **risky**. + **tl;dr** - HTTP-over-Onion should not be considered as secure as HTTPS-over-Onion, and attempting to force it thusly will create a future compatibility mess for the ecosystem of onion-capable browsers. diff --git a/README.md b/README.md index 8edb5c8..065a6ac 100644 --- a/README.md +++ b/README.md 
@@ -44,12 +44,12 @@ Mouse-over the icons for details of HTTP codes, curl exit statuses, and the numb Due to the fundamental protocol differences between `HTTP` and `HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure -as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are -fundamentally more secure than HTTP, e.g.: +as HTTPS"; web browsers **do** and **must** treat HTTPS in ways that +are fundamentally more secure than HTTP, e.g.: - with respect to cookie handling, or - where the trusted connection terminates, or -- how to deal with loading embedded insecure content +- how to deal with loading embedded insecure content, or - whether to permit access to camera and microphone devices (WebRTC) ...and the necessity of broad adherence to web standards would make it @@ -57,6 +57,11 @@ harmful to attempt to optimise just one browser (e.g. Tor Browser) to elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion. +Doubtless some browsers will *attempt* to implement +"better-than-default trust and security via HTTP over onions", but +this behaviour will not be standard, cannot be relied upon by +clients/users, and will therefore be **risky**. + **tl;dr** - HTTP-over-Onion should not be considered as secure as HTTPS-over-Onion, and attempting to force it thusly will create a future compatibility mess for the ecosystem of onion-capable browsers.
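Review bot: the commit message "nits2" does not say what changed, and the first hunk of 01-preamble.md (@@ -44,12 +44,12 @@) bundles two unrelated edits that a reader of the history will want named: the emphasis switch from `*do*`/`*must*` to `**do**`/`**must**`, which also reflows the line break so two lines show as changed for a one-word markup change, and the ", or" appended to the third list item so that every non-final bullet now ends the same way. Suggest a message body that lists those edits, or splitting the emphasis change and the punctuation fix into separate commits so each is self-explanatory.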
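Review bot: the paragraph added in the second hunk of 01-preamble.md (@@ -57,6 +57,11 @@) uses single-asterisk italics for `*attempt*` while the same commit, a few lines above, changes `*do*` and `*must*` to double-asterisk bold; pick one emphasis style for the section (`**attempt**` if the same stress is intended). The quoted phrase "better-than-default trust and security via HTTP over onions" also reads as a citation but names no source, and "HTTP over onions" differs from the hyphenated "HTTP-over-Onion" used in the surrounding text and the tl;dr; either attribute the quote or drop the quotation marks, and use the hyphenated term so the section stays consistent and searchable. Finally, "clients/users" would read better as "clients and users".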
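Review bot: the two README.md hunks (@@ -44,12 +44,12 @@ and @@ -57,6 +57,11 @@) are byte-for-byte the same as the two 01-preamble.md hunks, down to the line numbers, so this patch maintains the same prose in two places by hand. If README.md is assembled from the numbered section files, the patch should touch only 01-preamble.md and let the build regenerate README.md (and the build step should be noted in the repository); if it is not generated, a comment in README.md or in the commit message saying that the two files must be kept in sync would stop the next edit from updating only one copy.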