
Re: [tor-talk] General question regarding tor, ssl and .onion.
MaQ writes:

> Hello,
> 
>      I'm curious, I'm developing an app where sharing/collaboration
> can be done by localhost through tor and .onion address between pairs or
> multiples. When I use standard HTTP there seem to not be any problems
> connecting different computers, different IPs, etc. and interacting, but
> when attempting to do it under HTTPS there isn't any connection. HTTPS
> is definitely functioning with original hosts.
> 
>      My question is, since things are already going through tor with
> .onion connections and things are encrypted anyway, is not using SSL really
> presenting any sort of serious compromise on anonymity? Wouldn't it be
> sort of like encrypting the encryption?

There is an ongoing discussion about how seriously one needs HTTPS with
a .onion address.  There is already end-to-end encryption built into the
Tor hidden service design, so communications with hidden services (even
using an unencrypted application-layer protocol like HTTP) are already
encrypted.

A problem is that the encryption for the current generation of hidden
services is below par, technically, in comparison to modern HTTPS in
browsers -- it uses less modern cryptographic primitives and shorter
key lengths than would be recommended for HTTPS today.  This will change
eventually with future updates to the hidden service protocol, but right
now there would be incremental cryptographic benefit from connecting to
a hidden service via HTTPS.  But the encryption from HTTPS in this case
serves the same purpose as the hidden service encryption, so you're indeed
"encrypting the encryption" when you use it.

Unfortunately, it's hard to do today because certificate authorities
are reluctant to issue certs for .onion names; the CA/Browser Forum
has allowed them to do so temporarily, but only EV certificates can
be issued, which cost money, take time, and sacrifice anonymity of the
hidden service operator.

The best-known example of a hidden service that managed to navigate the
process successfully is

https://facebookcorewwwi.onion/

-- 
Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk