On 11/13/14 9:16 AM, Giovanni Pellerano wrote:
> so we have to take a decision and all are not correct and contain
> problems, as for what they fix they open other bugs:
> 1) instead of opening automatically a socksv5 to 80, portknock the
> 443, if it works open the 443 and use it; (and we can cache this to
> continue to use the 443, but what if a hidden service opens 80 and
> 443 for different reasons? we will end always serving the 443)
> 2) automatically try to follow the redirect Location:
> https://facebook.onion in a transparent way for the user. also this
> opens to possibility for tor2web to be forced to reload reload reload
> funny stuff attacking it (that will need to be managed with a funny
> cycle counter)

But Facebook is issuing an HTTP 302 redirect to https://facebook.onion,
and "https://" is mapped by RFC to port 443.

So:
HTTP = 80
HTTPS = 443

The fix should:
- Follow HTTP 302 redirect
- Support "TLS/SSL" client to handle "https"

The policy I would suggest considering is:
- Follow HTTP 302 redirect only if it goes to a .onion domain
- Do not validate any TLS certificate

Fabio
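
The redirect policy and cycle counter discussed in this thread, as an added Python example that is not part of the original messages and is not tor2web's own code. The function names, the cap of 5 hops and the `fetch` callback are assumptions, and `a.onion`, `b.onion` and `c.onion` are constructed sample hosts.

```python
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed cap; the thread only says a cycle counter is needed
DEFAULT_PORTS = {"http": 80, "https": 443}  # scheme-to-port mapping from the reply


def redirect_target(current_url, location):
    """Return (scheme, host, port, url) if the 302 may be followed, else None."""
    try:
        absolute = urljoin(current_url, location)  # Location may be relative
        parts = urlsplit(absolute)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed port or host
        return None
    host = (parts.hostname or "").rstrip(".")
    # Match on the parsed hostname, not the raw string, so userinfo tricks and
    # "x.onion.example.com" are refused.
    if port is None or not host.endswith(".onion") or host == ".onion":
        return None
    return parts.scheme, host, port, absolute


def resolve(start_url, fetch):
    """Follow 302s under the policy; fetch(url) -> (status, location)."""
    url, seen = start_url, set()
    for _ in range(MAX_REDIRECTS + 1):
        if url in seen:  # redirect cycle: stop instead of reloading forever
            return ("loop", url)
        seen.add(url)
        status, location = fetch(url)
        if status != 302:
            return ("final", url)
        target = redirect_target(url, location)
        if target is None:  # target is outside .onion: do not follow
            return ("refused", location)
        url = target[3]
    return ("too_many", url)


# Constructed responses standing in for hidden services behind the proxy.
SAMPLE = {
    "http://facebook.onion/": (302, "https://facebook.onion/"),
    "http://a.onion/": (302, "http://b.onion/"),
    "http://b.onion/": (302, "http://a.onion/"),
    "http://c.onion/": (302, "https://example.com/"),
}


def sample_fetch(url):
    return SAMPLE.get(url, (200, None))
```
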
