Security Issue with `Onion-Location`
I don't know exactly where to report this, but I had to do it somewhere. So, I am here.
Onion-Location Header
The Tor Browser parses the Onion-Location header, which is supposed to redirect the user to the onion site of a normal website.
The header has to fulfil these criteria:
- The Onion-Location value must be a valid URL with http: or https: protocol and a .onion hostname.
- The webpage defining the Onion-Location header must be served over HTTPS.
- The webpage defining the Onion-Location header must not be an onion site.
(Source: https://community.torproject.org/onion-services/advanced/onion-location/)
But otherwise the website provider can put anything in this header.
Unique identification of a user by the Onion-Location Header
And this is where I stumbled over this issue.
It occurred to me that since a website could provide any valid Onion URI in this header, what would stop them from adding a unique identifier to it?
And if the website can then link the Onion Service request with the clear web request, is there any point to the Onion-Location header?
Does it still have a security advantage for the user if they can be uniquely identified between the clear and hidden service?
Example
I wrote a small script that shows how this would work: democraticnet.de.
On each request a different random number is added to the Onion URI, and if I controlled the service behind the Onion URI, I could link the requests to the hidden and the clear service.
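An added check from the user's side (example code, not the author's script or anything from the Tor Project): it applies the three documented criteria to an Onion-Location value and then flags the per-request variation described above by comparing the header across repeated fetches of the same page. The page URL, onion hostname and header values are constructed placeholders.

```python
"""Check Onion-Location header values against the documented criteria and
detect per-request variation that could act as a user identifier.
Added example; all sample values below are constructed, not captured."""
from urllib.parse import urlparse


def is_valid_onion_location(value: str, page_url: str) -> bool:
    """Apply the three criteria: http(s) scheme with a .onion hostname,
    page served over HTTPS, and the page itself not an onion site."""
    target = urlparse(value)
    page = urlparse(page_url)
    if target.scheme not in ("http", "https") or not target.hostname:
        return False
    if not target.hostname.endswith(".onion"):
        return False
    if page.scheme != "https" or page.hostname is None:
        return False
    return not page.hostname.endswith(".onion")


def stable_part(value: str) -> str:
    """Scheme and host of the redirect target: the part a user needs."""
    p = urlparse(value)
    return f"{p.scheme}://{p.hostname}"


def variable_parts(values):
    """Distinct (path, query, fragment) tuples seen across repeated fetches
    of the same page. More than one means the header carries per-request
    data that can link the clearnet visit to the onion visit."""
    return {(p.path, p.query, p.fragment) for p in map(urlparse, values)}


def is_likely_tracking(values) -> bool:
    """True when repeated fetches point at the same onion host but differ
    in path, query or fragment, i.e. the header changes per request."""
    hosts = {stable_part(v) for v in values}
    return len(hosts) == 1 and len(variable_parts(values)) > 1


# Constructed sample: the same page fetched three times, each response
# carrying a different number in the Onion-Location query string.
# "exampleplaceholder.onion" is a placeholder, not a real onion address.
PAGE = "https://example.com/"
SAMPLE_HEADERS = [
    "http://exampleplaceholder.onion/?id=48213",
    "http://exampleplaceholder.onion/?id=90177",
    "http://exampleplaceholder.onion/?id=55306",
]

if __name__ == "__main__":
    print(all(is_valid_onion_location(h, PAGE) for h in SAMPLE_HEADERS))
    print(is_likely_tracking(SAMPLE_HEADERS))
```

Every sample header passes the browser's criteria, which is the point: validity alone does not rule out a per-request identifier, so the check has to compare values across requests.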