[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] General question regarding tor, ssl and .onion.

To: "tor-talk@xxxxxxxxxxxxxxxxxxxx" <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] General question regarding tor, ssl and .onion.
From: Alec Muffett <alecm@xxxxxx>
Date: Sun, 9 Aug 2015 12:58:05 +0000
Accept-language: en-GB, en-US
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 09 Aug 2015 09:07:09 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=OUUOmYtbyu1l1bmGvdAEUAQReYqDwRpGigsFPJIQhIw=; b=IwzCXeJUXRK3Lv6qNNpptWdeYlDKa2Ua9rZDGrFnzmgW4o8ZqauIBRpCP9B8tc2HHFzG k1E1j/KPmsSNaqwZCriatmgjYqpGomaGckA7N9nK3+60axOMQ73qxYzRbvPk2X4xOXn5 NoZZORo6CFx1ycE2l+flGgVVnwbU6MLu07k=
In-reply-to: <20150808031616.GJ9483@xxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <55C54AC7.8090709@xxxxxxxxxxxx> <20150808031616.GJ9483@xxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
Thread-index: AQHQ0W/BVbs5yN5Dl0Wqv/xUKz7qTZ4B46UAgAI06YA=
Thread-topic: [tor-talk] General question regarding tor, ssl and .onion.

On Aug 8, 2015, at 4:16 AM, Seth David Schoen <schoen@xxxxxxx> wrote:
> 
> There is an ongoing discussion about how seriously one needs HTTPS with
> a .onion address.  There is already end-to-end encryption built into the
> Tor hidden service design, so communications with hidden services (even
> using an unencrypted application-layer protocol like HTTP) are already
> encrypted.

Iâd like to echo the contents of this thread so far - it appears to be well-grounded in reality - but add that "lack of SSL" would have been a deal-breaker for Facebookâs deployment of an Onion site.  It would have not happened.

The reason is simply that HTTP and HTTPS have diverged (and are apparently likely to diverge further?) in how they treat (eg:) secure cookies, and rolling a custom version of our codebase to know and understand that âHTTP over Onionâ will/may/will-not have features like referrer-scrubbing or CORS in a HTTPS-sympathetic manner (whilst the scheme in the request still *says* that it arrived over HTTP) would be complex.

I personally feel that to expect more common codebases such as Wordpress or Drupal to special-case Onion addresses would be presumptuous, be unlikely, add cost, and inhibit Onion adoption. Making âOnionâ into a security âspecial caseâ for HTTP would be a nightmare as Randall Munroe explains: https://xkcd.com/927/ <https://xkcd.com/927/>

My personal preference is to think of â.onionâ as the better-than-opportunistic crypto we once sought from IPsec+AH+ESP, since itâs clearly a transport protocol - after all, you can run SSH over it - and then layer vanilla HTTPS over that.  Other than extraordinarily contrived threat model circumstances, I cannot see a reason not to have both. Informal chats with folk near the CA/B-Forum have suggested that non-corporate/non-EV Onion certs may be a possibility in the future.  It might be good to have a few of them around as examples in order to be exemplars of that need.

    -a

â
Alec Muffett
Security Infrastructure
Facebook Engineering
London

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] General question regarding tor, ssl and .onion.
  - From: MaQ
- Re: [tor-talk] General question regarding tor, ssl and .onion.
  - From: Seth David Schoen

Prev by Author: Re: [tor-talk] IBM says Block Tor
Next by Author: Re: [tor-talk] Can't download my Facebook archive via Tor Browser
Previous by thread: Re: [tor-talk] General question regarding tor, ssl and .onion.
Next by thread: Re: [tor-talk] General question regarding tor, ssl and .onion.
Index(es):
- Author
- Thread