mirror of
https://github.com/alecmuffett/real-world-onion-sites.git
synced 2025-01-13 16:19:33 -05:00
commit: better framing
This commit is contained in:
parent
dd5b3b2e34
commit
68ab4bbec4
@ -42,19 +42,25 @@ Mouse-over the icons for details of HTTP codes, curl exit statuses, and the numb
|
|||||||
|
|
||||||
### TLS Security
|
### TLS Security
|
||||||
|
|
||||||
|
Due to the fundamental protocol differences between `HTTP` and
|
||||||
|
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||||
|
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
|
||||||
|
fundamentally more secure than HTTP - e.g.:
|
||||||
|
|
||||||
|
- with respect to cookie handling, or
|
||||||
|
- where the trusted connection terminates, or
|
||||||
|
- how to deal with loading embedded insecure content
|
||||||
|
|
||||||
|
...and the necessity of broad adherence to web standards would make it
|
||||||
|
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
|
||||||
|
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
|
||||||
|
let alone HTTPS-over-Onion.
|
||||||
|
|
||||||
|
**tl;dr** - HTTP-over-Onion should not be considered as secure as
|
||||||
|
HTTPS-over-Onion, and attempting to force it thusly will create a
|
||||||
|
future compatibility mess for the ecosystem of onion-capable browsers.
|
||||||
|
|
||||||
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
||||||
best; will not respect browser secure/HTTPS behaviour
|
best; will not respect browser secure/HTTPS behaviour
|
||||||
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
||||||
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
||||||
- Due to the fundamental protocol differences between `HTTP` and
|
|
||||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
|
||||||
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
|
|
||||||
fundamentally more secure than HTTP - e.g.: with respect to cookie
|
|
||||||
handling, where the trusted connection terminates, or in loading
|
|
||||||
insecure content - and the necessity of broad adherence to web
|
|
||||||
standards would make it harmful to attempt to optimise just one
|
|
||||||
browser (Tor Browser) to elevate HTTP-over-Onion to the same levels
|
|
||||||
of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion.
|
|
||||||
- tl;dr - HTTP-over-Onion is not as secure as HTTPS-over-Onion, and
|
|
||||||
attempting to force it to be so will create a compatibility mess for
|
|
||||||
the ecosystem of onion-capable browsers.
|
|
||||||
|
30
README.md
30
README.md
@ -42,22 +42,28 @@ Mouse-over the icons for details of HTTP codes, curl exit statuses, and the numb
|
|||||||
|
|
||||||
### TLS Security
|
### TLS Security
|
||||||
|
|
||||||
|
Due to the fundamental protocol differences between `HTTP` and
|
||||||
|
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||||
|
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
|
||||||
|
fundamentally more secure than HTTP - e.g.:
|
||||||
|
|
||||||
|
- with respect to cookie handling, or
|
||||||
|
- where the trusted connection terminates, or
|
||||||
|
- how to deal with loading embedded insecure content
|
||||||
|
|
||||||
|
...and the necessity of broad adherence to web standards would make it
|
||||||
|
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
|
||||||
|
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
|
||||||
|
let alone HTTPS-over-Onion.
|
||||||
|
|
||||||
|
**tl;dr** - HTTP-over-Onion should not be considered as secure as
|
||||||
|
HTTPS-over-Onion, and attempting to force it thusly will create a
|
||||||
|
future compatibility mess for the ecosystem of onion-capable browsers.
|
||||||
|
|
||||||
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
||||||
best; will not respect browser secure/HTTPS behaviour
|
best; will not respect browser secure/HTTPS behaviour
|
||||||
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
||||||
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
||||||
- Due to the fundamental protocol differences between `HTTP` and
|
|
||||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
|
||||||
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
|
|
||||||
fundamentally more secure than HTTP - e.g.: with respect to cookie
|
|
||||||
handling, where the trusted connection terminates, or in loading
|
|
||||||
insecure content - and the necessity of broad adherence to web
|
|
||||||
standards would make it harmful to attempt to optimise just one
|
|
||||||
browser (Tor Browser) to elevate HTTP-over-Onion to the same levels
|
|
||||||
of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion.
|
|
||||||
- tl;dr - HTTP-over-Onion is not as secure as HTTPS-over-Onion, and
|
|
||||||
attempting to force it to be so will create a compatibility mess for
|
|
||||||
the ecosystem of onion-capable browsers.
|
|
||||||
|
|
||||||
----
|
----
|
||||||
# Index
|
# Index
|
||||||
|
Loading…
Reference in New Issue
Block a user