mirror of
https://github.com/alecmuffett/real-world-onion-sites.git
synced 2024-12-25 07:09:26 -05:00
commit: better framing
This commit is contained in:
parent
dd5b3b2e34
commit
68ab4bbec4
@ -42,19 +42,25 @@ Mouse-over the icons for details of HTTP codes, curl exit statuses, and the numb
|
||||
|
||||
### TLS Security
|
||||
|
||||
Due to the fundamental protocol differences between `HTTP` and
|
||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
|
||||
fundamentally more secure than HTTP - e.g.:
|
||||
|
||||
- with respect to cookie handling, or
|
||||
- where the trusted connection terminates, or
|
||||
- how to deal with loading embedded insecure content
|
||||
|
||||
...and the necessity of broad adherence to web standards would make it
|
||||
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
|
||||
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
|
||||
let alone HTTPS-over-Onion.
|
||||
|
||||
**tl;dr** - HTTP-over-Onion should not be considered as secure as
|
||||
HTTPS-over-Onion, and attempting to force it thusly will create a
|
||||
future compatibility mess for the ecosystem of onion-capable browsers.
|
||||
|
||||
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
||||
best; will not respect browser secure/HTTPS behaviour
|
||||
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
||||
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
||||
- Due to the fundamental protocol differences between `HTTP` and
|
||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
|
||||
fundamentally more secure than HTTP - e.g.: with respect to cookie
|
||||
handling, where the trusted connection terminates, or in loading
|
||||
insecure content - and the necessity of broad adherence to web
|
||||
standards would make it harmful to attempt to optimise just one
|
||||
browser (Tor Browser) to elevate HTTP-over-Onion to the same levels
|
||||
of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion.
|
||||
- tl;dr - HTTP-over-Onion is not as secure as HTTPS-over-Onion, and
|
||||
attempting to force it to be so will create a compatibility mess for
|
||||
the ecosystem of onion-capable browsers.
|
||||
|
30
README.md
30
README.md
@ -42,22 +42,28 @@ Mouse-over the icons for details of HTTP codes, curl exit statuses, and the numb
|
||||
|
||||
### TLS Security
|
||||
|
||||
Due to the fundamental protocol differences between `HTTP` and
|
||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
|
||||
fundamentally more secure than HTTP - e.g.:
|
||||
|
||||
- with respect to cookie handling, or
|
||||
- where the trusted connection terminates, or
|
||||
- how to deal with loading embedded insecure content
|
||||
|
||||
...and the necessity of broad adherence to web standards would make it
|
||||
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
|
||||
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
|
||||
let alone HTTPS-over-Onion.
|
||||
|
||||
**tl;dr** - HTTP-over-Onion should not be considered as secure as
|
||||
HTTPS-over-Onion, and attempting to force it thusly will create a
|
||||
future compatibility mess for the ecosystem of onion-capable browsers.
|
||||
|
||||
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
||||
best; will not respect browser secure/HTTPS behaviour
|
||||
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
||||
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
||||
- Due to the fundamental protocol differences between `HTTP` and
|
||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
|
||||
fundamentally more secure than HTTP - e.g.: with respect to cookie
|
||||
handling, where the trusted connection terminates, or in loading
|
||||
insecure content - and the necessity of broad adherence to web
|
||||
standards would make it harmful to attempt to optimise just one
|
||||
browser (Tor Browser) to elevate HTTP-over-Onion to the same levels
|
||||
of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion.
|
||||
- tl;dr - HTTP-over-Onion is not as secure as HTTPS-over-Onion, and
|
||||
attempting to force it to be so will create a compatibility mess for
|
||||
the ecosystem of onion-capable browsers.
|
||||
|
||||
----
|
||||
# Index
|
||||
|
Loading…
Reference in New Issue
Block a user