Here's a small historical curiosity: In HTTPS Everywhere, the functionality used to be call "Block all HTTP requests" but when that functionality was changed (back in 2016 [0]) to not block connections to non-HTTPS hidden services, it was renamed to "Block all unencrypted requests".<p>I just checked, and indeed Tor Browser 11.5 does not block non-HTTPS connections to hidden services, even when in "HTTPS-Only" mode. Thankfully.<p>[0]: <a href="https://github.com/EFForg/https-everywhere/pull/4370" rel="nofollow">https://github.com/EFForg/https-everywhere/pull/4370</a>
Any update on this <a href="https://blog.torproject.org/domain-fronting-critical-open-web/" rel="nofollow">https://blog.torproject.org/domain-fronting-critical-open-we...</a><p>As I get it, to connect to bridges (get data) it will use normal clearnet https. But, to avoid getting yourself flagged (at the time you are getting data about bridges), it will use moat and pretend to connect to Microsoft Azure servers to get the info about bridges.
The blog post is from 2018, so is tor project still using azure, or did the whole 'domain-fronting' feature get blocked from azure too just like AWS and google.
Great. I used to have HTTPS Everywhere extension installed in Tor Browser Bundle, with the EASE/Encrypt All Sites Eligible toggle turned on to avoid browsing HTTP only sites during casual surfing. Some exit nodes are malicious and slurp up plaintext HTTP and there is the risk of leaking stuff with plaintext sites. With a native implementation of HTTPS-Only I don’t have to install an addon and it will force people to not browse HTTP sites, unless they turn it off which adds to the fingerprintability of the browser, so I would recommend against messing with the default setting.