HS logins no longer work

As of yesterday I can’t logon from the Whonix site’s HS. It shows the sign-in in progress then redirects back to the main page without completing the action.

Offtopic: Whenever I open a new ticket or do a custom search on phabricator.kkkkkkkkkk63ava6.onion it always redirects me to the clearnet site.

1 Like

//cc @fortasse

I assume you mean the forums. We switched on the “force https” option in Discourse which forces the login cookie to be marked “secure.” Since the hidden service is plain HTTP, this cookie wouldn’t get set, and you wouldn’t get logged in. I turned off the “force https,” and confirmed you can log in from the HS. @Patrick, @Ego, Are you ok with keeping this off? I know that the emails generated by discourse will have HTTP links, but we have hard-redirects in place server-side to prevent people from browsing it over HTTP (unless they are using the HS).

As for the phabricator issue, forcing the .onion with HTTPS Everywhere will solve that issue for you. You can tweak the rule to only force on phabricator if you so desire.

1 Like

Good day,

Well, I switched it on intially, due to what was mentioned in this thread: Forum confirmation email contains non-TLS link Since HSTS is somewhat deceptible turning it back might not be a good, permanent option.

Also, while it might be a good temporary solution, necessitating to manually set-up the use of the hidden service phabricator shouldn’t be permanent in my eyes.

Since Let’s Encrypt seems to plan on supporting Hidden Service some time in the future, we might be able to change back to a “always https” setup when this is available: If/when will LE support .onion addresses? - #2 by jsha - Feature Requests - Let's Encrypt Community Support

Have a nice day,

Ego

2 Likes

Certainly, I am hoping to move the hidden service to https as soon as LE starts issuing certs for .onions.

3 Likes