I would guess the idea is you may be able to tell the user is using tor2web but not what they're accessing.
Because the domain name is sent in the clear as part of the SSL handshake (the client Hello to be precise) it discloses what is being looked at.
The only way to avoid that is to use something that is only sent once the handshake is complete - part of the request URI, the path or cookies - though each has their issues.
It'd potentially mean rewriting responses (to make sure paths are relative) but I'd be inclined to make the first section of the path identify the service - example.com/foo.onion/index.html.
Just my 2p
> i am concerned about https not being enough to protect tor2web
> users. In particular, I am concerned about what subdomain a user is
> visiting being leaked. Are there any established ways of preventing
> the subdomain from being leaked? Because none spring to my mind.
Where might this be a problem? tor2web protects the publisher not the
user. If you were worried about the user wouldn't you use Tor and
instead replace the .tor2web.org part of the address with .onion?
tor-talk mailing list - email@example.com
To unsubscribe or change other settings go to