commit: better framing

Alec Muffett 2019-12-05 16:23:46 +00:00
parent dd5b3b2e34
commit 68ab4bbec4
2 changed files with 36 additions and 24 deletions


@ -42,19 +42,25 @@ Mouse-over the icons for details of HTTP codes, curl exit statuses, and the numb
### TLS Security ### TLS Security
Due to the fundamental protocol differences between `HTTP` and
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
fundamentally more secure than HTTP - e.g.:
- with respect to cookie handling, or
- where the trusted connection terminates, or
- how to deal with loading embedded insecure content
...and the necessity of broad adherence to web standards would make it
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
let alone HTTPS-over-Onion.
**tl;dr** - HTTP-over-Onion should not be considered as secure as
HTTPS-over-Onion, and attempting to force it thusly will create a
future compatibility mess for the ecosystem of onion-capable browsers.
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at - :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
best; will not respect browser secure/HTTPS behaviour best; will not respect browser secure/HTTPS behaviour
- :closed_lock_with_key: secure HTTPS Onion site, protected by both - :closed_lock_with_key: secure HTTPS Onion site, protected by both
Onion circuits and TLS, will respect browser secure/HTTPS behaviour Onion circuits and TLS, will respect browser secure/HTTPS behaviour
- Due to the fundamental protocol differences between `HTTP` and
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
fundamentally more secure than HTTP - e.g.: with respect to cookie
handling, where the trusted connection terminates, or in loading
insecure content - and the necessity of broad adherence to web
standards would make it harmful to attempt to optimise just one
browser (Tor Browser) to elevate HTTP-over-Onion to the same levels
of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion.
- tl;dr - HTTP-over-Onion is not as secure as HTTPS-over-Onion, and
attempting to force it to be so will create a compatibility mess for
the ecosystem of onion-capable browsers.
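Review bot: The added tl;dr softens the claim. The removed bullet said HTTP-over-Onion "is not as secure as HTTPS-over-Onion", while the new paragraph says it "should not be considered as secure", which reads as advice rather than a statement of fact. If the stronger wording was intended, keep "is not as secure", and consider restoring "force it to be so" in place of "force it thusly". Also check the rendered output around the three-item "e.g.:" list: unless a blank line separates "how to deal with loading embedded insecure content" from "...and the necessity", Markdown will fold that continuation into the last list item.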


@ -42,22 +42,28 @@ Mouse-over the icons for details of HTTP codes, curl exit statuses, and the numb
### TLS Security ### TLS Security
Due to the fundamental protocol differences between `HTTP` and
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
fundamentally more secure than HTTP - e.g.:
- with respect to cookie handling, or
- where the trusted connection terminates, or
- how to deal with loading embedded insecure content
...and the necessity of broad adherence to web standards would make it
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
let alone HTTPS-over-Onion.
**tl;dr** - HTTP-over-Onion should not be considered as secure as
HTTPS-over-Onion, and attempting to force it thusly will create a
future compatibility mess for the ecosystem of onion-capable browsers.
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at - :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
best; will not respect browser secure/HTTPS behaviour best; will not respect browser secure/HTTPS behaviour
- :closed_lock_with_key: secure HTTPS Onion site, protected by both - :closed_lock_with_key: secure HTTPS Onion site, protected by both
Onion circuits and TLS, will respect browser secure/HTTPS behaviour Onion circuits and TLS, will respect browser secure/HTTPS behaviour
- Due to the fundamental protocol differences between `HTTP` and
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
as HTTPS"; web browsers *do* and *must* treat HTTPS in ways that are
fundamentally more secure than HTTP - e.g.: with respect to cookie
handling, where the trusted connection terminates, or in loading
insecure content - and the necessity of broad adherence to web
standards would make it harmful to attempt to optimise just one
browser (Tor Browser) to elevate HTTP-over-Onion to the same levels
of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion.
- tl;dr - HTTP-over-Onion is not as secure as HTTPS-over-Onion, and
attempting to force it to be so will create a compatibility mess for
the ecosystem of onion-capable browsers.
---- ----
# Index # Index
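Review bot: Duplicated text: the TLS Security paragraphs added here are word for word the ones added in the other changed file, so the two copies can drift apart on the next edit. Consider keeping the section in one place and including or generating it into both files. Separately, the icon legend (:wrench:, :closed_lock_with_key:) now follows the tl;dr with no introducing sentence; a one-line lead-in before the list would tell readers that these bullets explain the status icons rather than continue the argument.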