[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] HTTPS and Tor Onion v3 Services

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] HTTPS and Tor Onion v3 Services
From: grarpamp <grarpamp@xxxxxxxxx>
Date: Fri, 28 Dec 2018 14:06:27 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 02 Jan 2019 21:52:31 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=NzsN9/f1fwzqQfyenNpBbQedwO3s1pAv5jFpmJANzCI=; b=JtkBXvVdqacsinF9mlfX4pZ60cRim+YmAcw4+vKlVQRkFye2w21pBkm5agl0kE7eKW dhGsHq5saomZEkap8A9BEFcTPB5rKsCouNTzYnY/cYmAmqF7/Y/sFZAvR5JDFslqW0e4 EUAthmIS6V8rxF0BdNUssaHGAEwJUuYpRK4VppEROzWoEkb99iNfPb/4Vi5vv7wQuwQL VDdr4mqkFXrOhqMCzyAyex+1+BGUBx9QTUw5eUJMTfcRhsvZ7j5lOeElS7Lyx9NDXXSk MdNSgisIb8VeMXqRZKmfmkEiAXspF8yWxIRFos12GuO4bkKtL5MmGk3AbfJdHap1yLq1 wq5g==
In-reply-to: <LUpoYyY--3-1@lunorian.is>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <LUpoYyY--3-1@lunorian.is>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

> sign a
> self-signed tls certificate with your Onion Service's hs_ed25519_secret_key
> and Tor Browser trusting the tls certificate based on this signature

- In unlikely case tor crypto fails or breaks, e2e TLS
is good there.
- An admin might terminate onions on one box, and
forward the plaintext off to other places, e2e TLS
is good there.
- Onionland does have some PKI, CA, pinning, and
tor signing infrastructures.
- Admins might want to play, learn, and do it just
because they can.

The browser either has options to import and trust an
onion sig over a cert, or you need to add it, or skip it
and use today's typical cert methods.

The concepts apply to both v2 and v3 onions.

> Would this approach work?

Manually for you, and by users, loading and configuring things, yes.
Automagically, browser would need to fetch pubkeys from
controller hsdir consensus, observatories, or other methods.

> Would it be worth the effort?

For whatever ca / pki structures are already good for, or not.
And might help against the rewriting onion proxies...
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] HTTPS and Tor Onion v3 Services
  - From: grarpamp

References:
- [tor-dev] HTTPS and Tor Onion v3 Services
  - From: Nathaniel Suchy

Prev by Author: Re: [tor-dev] New Proposal: Preferring IPv4 or IPv6 based on IP Version Failure Count
Next by Author: Re: [tor-dev] HTTPS and Tor Onion v3 Services
Previous by thread: [tor-dev] HTTPS and Tor Onion v3 Services
Next by thread: Re: [tor-dev] HTTPS and Tor Onion v3 Services
Index(es):
- Author
- Thread