
Re: [tor-dev] Hidden Service authorization UI



On 2014-11-09 15:30, Fabio Pietrosanti - lists wrote:
> On 11/9/14 8:58 PM, Jacob Appelbaum wrote:
>>> For example, it would be interesting if TBB would allow people to
>>> input a password/pubkey upon visiting a protected HS. Protected HSes
>>> can be recognized by looking at the "authentication-required" field of
>>> the HS descriptor. Typing your password on the browser is much more
>>> useable than editing a config file.
>> That sounds interesting.
>
> Also I love this idea but I would suggest to preserve the copy&paste
> self-authenticated URL property of TorHS, also in presence of authorization.

I'm conflicted about this idea. Much better for usability ~but~ there should be an option for authenticated hidden services that want to *not* prompt and instead fail silently if the key isn't in the torrc (or x.y.onion url, depending on the design).

Use case: if someone finds my hidden service url written in my planner while traveling across the border, they might visit it to see what it contains. If it offers a prompt, then they know it exists and can press me for the auth key (perhaps with an M4 carbine). If there's no prompt and the request fails, then perhaps it "used to exist" a long time ago, or I wrote down an example URL.

best,
Griffin

--
"I believe that usability is a security concern; systems that do
not pay close attention to the human interaction factors involved
risk failing to provide security by failing to attract users."
~Len Sassaman