[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] General question regarding tor, ssl and .onion.

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] General question regarding tor, ssl and .onion.
From: Seth David Schoen <schoen@xxxxxxx>
Date: Fri, 7 Aug 2015 20:16:16 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 07 Aug 2015 23:16:29 -0400
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date; bh=+ruu/rxMVsaKN8VTATqfi9ne9x4KnImRjRK6GvnbBks=; b=MudiD75AX+ZlMid6YdNWwCBNlgw1eRihx27xNfOpn19B6PCyGGGZt0Wu/bvJD1j6v9RUSkRgXvpdaKDFklbMPWl58cgJojJubJZfXtJHEmTI4SxaUryvTT9iYO7UwzTEYhDwUk2v5FCPeeUR3cWpPKbzMIhxp1Prog2Mk4ko32k=;
In-reply-to: <55C54AC7.8090709@xxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <55C54AC7.8090709@xxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.21 (2010-09-15)

MaQ writes:

> Hello,
> 
>      I'm curious, I'm developing an app whereas sharing/collaboration
> can be done by localhost through tor and .onion address between pairs or
> multiples. When I use standard http there seems to not be any problems
> connecting different computers, different IPs, etc. and interacting, but
> when attempting to do it under https there isn't any connection. Https
> is definitely functioning with original hosts.
> 
>      My question is, since things are already going through tor with
> .onion connections and things encrypted anyway, is not using ssl really
> presenting any sort of serious compromise on anonymity? Wouldn't it be
> sort of like encrypting the encryption?

There is an ongoing discussion about how seriously one needs HTTPS with
a .onion address.  There is already end-to-end encryption built into the
Tor hidden service design, so communications with hidden services (even
using an unencrypted application-layer protocol like HTTP) are already
encrypted.

A problem is that the encryption for the current generation of hidden
services is below-par, technically, in comparison to modern HTTPS in
browsers -- it uses less modern cryptographic primitives and shorter
keylengths than would be recommended for HTTPS today.  This will change
eventually with future updates to the hidden service protocol, but right
now there would be incremental cryptographic benefit from connecting to
a hidden service via HTTPS.  But the encryption from HTTPS in this case
serves the same purpose as the hidden service encryption, so you're indeed
"encrypting the encryption" when you use it.

Unfortunately, it's hard to do today because certificate authorities
are reluctant to issue certs for .onion names; the CA/Browser Forum
has allowed them to do so temporarily, but only EV certificates can
be issued, which cost money, take time, and sacrifice anonymity of the
hidden service operator.

The best-known example of a hidden service that managed to navigate the
process successfully is

https://facebookcorewwwi.onion/

-- 
Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] General question regarding tor, ssl and .onion.
  - From: Alec Muffett
- Re: [tor-talk] General question regarding tor, ssl and .onion.
  - From: Jeremy Rand

References:
- [tor-talk] General question regarding tor, ssl and .onion.
  - From: MaQ

Prev by Author: Re: [tor-talk] What's to be Done
Next by Author: Re: [tor-talk] General question regarding tor, ssl and .onion.
Previous by thread: [tor-talk] General question regarding tor, ssl and .onion.
Next by thread: Re: [tor-talk] General question regarding tor, ssl and .onion.
Index(es):
- Author
- Thread