Security Issue with `Onion-Location`
I don't know exactly where to report this, but I had to do it somewhere. So, I am here.
The Tor Browser parses the `Onion-Location` header, which is supposed to redirect to the Onion site of a normal website.
It has to fulfill these criteria:
- The Onion-Location value must be a valid URL with http: or https: protocol and a .onion hostname.
- The webpage defining the Onion-Location header must be served over HTTPS.
- The webpage defining the Onion-Location header must not be an onion site.
But otherwise the website provider can put anything in this Header.
Unique identification of a user by the
And this is where I stumbled over this issue.
It occurred to me that since a website could provide any valid Onion URI in this Header, what would stop them from adding a Unique Identifier in the Header?
And if the website can then link the Onion Service request
with the clear web request, is there any point to the
Does it still have a security advantage for the user if they can be uniquely identified between clear and hidden service?
I wrote a small script that shows how this would work: democraticnet.de.
On each request a different random number is added to the Onion URI and if I controlled the service of the Onion URI, I could link the request to the hidden and clear service.
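
A way to check a site for the behaviour described in the post above, as an added example that is not part of the original post or the script it mentions: it applies the three listed criteria to an `Onion-Location` value and reports which URL components change between values collected for the same page. The hostnames and sample values are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

def valid_onion_location(value, page_url):
    """Apply the three criteria listed in the post to one header value."""
    try:
        page, target = urlsplit(page_url), urlsplit(value)
        page_host = (page.hostname or "").lower()
        target_host = (target.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken bracketed host
        return False
    return (target.scheme in ("http", "https")
            and target_host.endswith(".onion")
            and page.scheme == "https"
            and not page_host.endswith(".onion"))

def varying_parts(values):
    """URL components that differ across values observed for the same page.

    The values should come from independent requests (fresh session, no
    cookies), so any difference is chosen by the server per request.
    """
    parts = [urlsplit(v) for v in values]
    fields = ("netloc", "path", "query", "fragment")
    return [f for f in fields if len({getattr(p, f) for p in parts}) > 1]

def audit(page_url, values):
    """Summarise invalid values and per-request variation for one page."""
    invalid = [v for v in values if not valid_onion_location(v, page_url)]
    return {"invalid": invalid, "varying": varying_parts(values)}

# Constructed sample data: placeholder hosts, not real services.
PAGE = "https://example.com/"
STATIC = ["http://placeholder.onion/", "http://placeholder.onion/"]
TRACKED = ["http://placeholder.onion/?id=1841",
           "http://placeholder.onion/?id=9932"]

if __name__ == "__main__":
    print(audit(PAGE, STATIC))   # stable value across requests
    print(audit(PAGE, TRACKED))  # query string changes on every request
```

A stable value across requests does not rule out an identifier tied to some other signal; the comparison only catches values that vary per request.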