Open DonnchaC opened 8 years ago
Great idea!
For example, all subdomains of `oniongate.com` are delegated to our service. The service will have an API which takes an onion address and provides a random subdomain for it. (Or it can take the subdomain as well, but it should be done carefully not to give subdomains like `www`.) We can store `map[domain]onion` in etcd and consult it in TXT DNS requests sent by `entry_proxy`.
To prevent flooding, the API will check the existence of the onion site provided by connecting to its port 443. Creating a working onion address is a time-consuming procedure, so it can work as proof of work in this situation.
Should subdomains expire if onion address is dead?
Should we provide an option to edit mapping (change onion address behind a subdomain)?
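A sketch of the registration API and TXT lookup proposed above, written here in Go as an added example and not code from the oniongateway project. It assumes an in-memory map in place of etcd, accepts the port-443 reachability check as an injected function (in production that connection would be made through Tor), and screens caller-chosen labels against reserved names such as `www`.

```go
package main
import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"regexp"
	"strings"
)

var reserved = map[string]bool{"www": true, "mail": true, "api": true} // labels never handed out
var onionRe = regexp.MustCompile(`^[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion$`) // v2 (16) or v3 (56 chars)
var labelRe = regexp.MustCompile(`^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$`)   // one DNS label
type Registry struct {
	zone    string
	entries map[string]string       // label -> onion; in-memory stand-in for etcd (assumption)
	alive   func(onion string) bool // does the service answer on 443? (dial through Tor in production)
}
func NewRegistry(zone string, alive func(string) bool) *Registry {
	return &Registry{zone: zone, entries: map[string]string{}, alive: alive}
}
// Register binds a label to a validated, reachable onion address; "" as wanted means a random label.
func (r *Registry) Register(onion, wanted string) (string, error) {
	onion = strings.ToLower(strings.TrimSpace(onion))
	if !onionRe.MatchString(onion) || !r.alive(onion) { // reachability check is the proof of work
		return "", errors.New("onion address invalid or not answering on 443")
	}
	label := strings.ToLower(wanted)
	if label == "" {
		b := make([]byte, 10) // 80 bits -> exactly 16 base32 characters, no padding
		if _, err := rand.Read(b); err != nil {
			return "", err
		}
		label = strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b))
	}
	if _, taken := r.entries[label]; taken || reserved[label] || !labelRe.MatchString(label) {
		return "", errors.New("label unavailable") // reserved, duplicate or not a valid DNS label
	}
	r.entries[label] = onion
	return label + "." + r.zone, nil
}

// LookupTXT answers the TXT query entry_proxy sends for a gateway hostname.
func (r *Registry) LookupTXT(fqdn string) (string, bool) {
	label := strings.TrimSuffix(strings.TrimSuffix(strings.ToLower(fqdn), "."), "."+r.zone)
	if strings.Contains(label, ".") { // suffix did not match our zone, or name is nested too deep
		return "", false
	}
	onion, ok := r.entries[label]
	return onion, ok
}
```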
All hidden service endpoints need to have a valid CA-signed TLS certificate for the oniongateway to be useful. This process is now much easier with the free LetsEncrypt certificate authority. We should write a library/agent to automate this process for end users and for application developers.
Use Case
An OnionShare user would like to securely and anonymously send a file to a journalist. This journalist is not using Tor. It should be possible for the user to open OnionShare and choose to "Make a public link".
This would automatically connect to an API on a public oniongateway resolver and register a subdomain which gets pointed at the ephemeral OnionShare hidden service. The oniongateway agent will then request a TLS certificate from LetsEncrypt by using the TLS SNI domain validation method. LetsEncrypt will issue the cert and the webserver in OnionShare gets reconfigured to also listen on port 443 with the new TLS cert.
The user now has the option to copy their URL as `http://jfiawjx47wnbpxag.onion/49500b26fcfd9a17dc061f83f56a4753` or `https://life-size-metalhead.oniongate.com`.