by cyphar 1872 days ago
The HSTS preload checking service doesn't support .onion URLs (not to mention you can only get EV certificates for .onion URLs).

However, Tor onion services cannot be MITM'd by an exit node, because you don't use exit nodes and the connection is end-to-end encrypted (and authenticated -- the URL is also the public key of the hidden service so you'd need their key to spoof the service). So arguably .onion URLs are far harder to attack in this manner than TLS, and the HSTS preload list isn't needed at all to protect .onion URLs.