[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Giving Hidden Services some love

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Giving Hidden Services some love
From: Christoph Volonte <christoph.volonte@xxxxxxxxx>
Date: Sun, 04 Jan 2015 09:26:09 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 04 Jan 2015 03:25:35 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=user-agent:in-reply-to:references:mime-version :content-transfer-encoding:content-type:subject:from:date:to :message-id; bh=DUPd1dD8vEAmL3mktfL/lajiHSRv8Zv3CG8W/VTBvjI=; b=h8ZhN/MAUrKEvZHAQn6NHtz07LyJq7UkoIbwxPJcO2GWs/MdCZcA+I0WbeCaQdWchw iSW0maZicn5OGBAk4aU44rZabYOW+Ig6G/4xzc3Q2AbljoBVEjAkF6R8QYMyBmsaHAqw twnlVGriq4/mO4IFW6HILFdrhRnfGHWjxMltsXzRajFGNDPW55Jb6R+ry2ZRcPsFgDcY BktWsBLA2hhj1A1EQDjh1ZUU2EnyPZwBIggr3FpnMJSEKeEvmQZ91/pweqvfDdGYPrOD GVtmzBuv2QXfvinetSBmrlP35Pk/d75ujaL80ZnbuPgn2UHAXEvOHLIcrkl1DXOQxARR 2OpQ==
In-reply-to: <54A8C4A6.3090804@xxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <54A4A69B.4020803@xxxxxxxxxx> <20150101132852.73822cef@xxxxxxxxxxxxxxxxxxxxx> <54A4C6BF.3040207@xxxxxxxxxx> <20150101143551.00c64c7e@xxxxxxxxxxxxxxxxxxxxx> <218CCDA8-6BB7-4C1C-B806-A1CEAB42A1C0@xxxxxxxxxx> <20150101170451.33e950e6@xxxxxxxxxxxxxxxxxxxxx> <54A59E83.1080300@xxxxxxxxxx> <20150102104622.3e5fb008@xxxxxxxxxxxxxxxxxxxxx> <0BE4AC7A-4DA6-4F56-8B88-9C2B93E9FC7A@xxxxxxxxxx> <CADop2NEx22J2qGspApv588uC8o32OmS8zzV5yyek_UxtMxZGiw@xxxxxxxxxxxxxx> <CAJaLD9+M8EErJ11LRGQYrYLOf+9+8dQL6RawC+3UY-ojLd=sWQ@xxxxxxxxxxxxxx> <54A607EB.1020505@xxxxxxxxxx> <CADop2NE5tY_97XdYY=UWfd_xvbByPqd95LW4Z8G4Q+m44n-YZQ@xxxxxxxxxxxxxx> <54A72481.5020108@xxxxxxxxxxxxxx> <54A72877.6090900@xxxxxxxxxxx> <54A72FFA.7090305@xxxxxxxxxx> <54A74EBD.5070407@xxxxxxxxxxxxx> <20150103132326.04b88929@xxxxxxxxxx> <54A8C4A6.3090804@xxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: K-9 Mail for Android

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Well is Tor then for the typicall user. That commes no in to my mind. Maybe im wrong...

Am 4. Januar 2015 05:42:14 MEZ, schrieb "Jesse B. Crawford" <jesse@xxxxxxxxxxxxx>:
>On 2015-01-03 05:23, Matthew Puckey wrote:
>> <snip>
>>
>> Not sure I would use DNS as an example of reliable authentication. As
>> above though, do you think current or future users would be checking
>> who issed the certificate? I don't think the typical user would. In
>> that scenerio, I would hope the difficulty in creating a too similar
>> hidden service address would create enough difference for users to
>> notice; though I might well be wrong here. But I see your point. :)
>
>What I mean is that the situations where DNS is compromised (malicious
>DNS server, malicious local network operator, malicious third party
>pulling a trick on the local network, etc...), while completely
>possible
>and important to protect against, are far less common out there in the
>wild than phishers using similar-but-wrong domains (we've probably all
>seen a usbank.com.abunchofhexcharacters.numbers.cz before).
>
>I realized that I missed something earlier. When I refer to SSL
>certificates fixing this problem, I am referring to extended validation
>(EV) certificates that validate legal entity, not to the various
>cheaper
>certificates that only validate domain.
>
>EV certificates tie a service to a real-world entity, typically by the
>CA validating organizational documents (articles of incorporation,
>charter, etc) and validating that the person who submitted the request
>is an authorized agent of the organization. The certificates then
>include as part of the principal not only the domain name of the host
>but also the legal name of the operator.
>
>What this means to users is that they get a green box in their address
>bar with the legal entity name of the hidden service operator, which
>gives them easy-peasy confidence that they are communicating with the
>right party, as verified by a trusted third party.
>
>Now, two HUGE caveats:
>
>1) Facebook does not actually have an EV cert for their hidden service!
>they have an OV cert with O=Facebook, Inc. but for various (largely
>political but still largely valid) reasons Firefox does not trust the O
>field and considers OV certificates no better than DV [1]. So why does
>Facebook use SSL..? I don't know, perhaps they think that providing the
>O field is significant (I'd say that it isn't because browsers don't
>tell the user about it), or perhaps it's just for consistency with
>their
>open web presence.
>
>2) Don't think that I'm an advocate of the present CA infrastructure,
>it's a terrible approach to the problem. But it is the approach that we
>have right now. :)
>
>Overall, what should be done? Layering SSL on top of the hidden service
>system is not a good solution to the problem, but I'm also not
>comfortable with just saying "users should be smart enough to validate
>that they have the right address" and relying on the difficulty in
>producing a near-collision address (keep in mind that many "important"
>hidden services do not have a vanity address at all or have only
>generated an address with a small number of chosen characters).
>
>Probably the best solution is that hidden services that are attractive
>for phishing/misdirection (just about anyone doing business in bitcoin
>for example) should implement measures like showing secrets to the user
>to prove the service identity, and users should of course beware. But
>this solution requires service operator and user participation, making
>it far less than ideal.
>
>Hopefully I made my meaning more clear.
>
>jc
>--
>Jesse B. Crawford
>Student, Information Technology
>New Mexico Inst. of Mining & Technology
>
>https://jbcrawford.us // jesse@xxxxxxxxxxxxx
>https://cs.nmt.edu/~jcrawford // jcrawford@xxxxxxxxxx
>--
>tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>To unsubscribe or change other settings go to
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

- --
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQJNBAEBCgA3BQJUqPkhMBxDaHJpc3RvcGggVm9sb250ZSA8Y2hyaXN0b3BoLnZv
bG9udGVAZ21haWwuY29tPgAKCRDJZ1TSvj0l9boEEACaWyMM0/CB/Lx52MJeik5i
oAPKc4bkkvJbK+xw0FKQ0MxQXLJzw61Lityb3E0FuvHgAsuVPBHXV7JDZd0SelTW
ptJNVaGUK5/d4dfMFU7ynvqGzzOO8ZlxW6GmGkyoAs3s9tD0QOf0ifCH9FhP/2qp
JWDCVUUNXT1OhaUEPEb9XxZ2LlJn7eQo4yrX2+ECpaygkATbL7AMCzPYnyM0LODP
fXREd2wZFDij5J00VFx3QhLmWax5laF3RPkeJLD1Oap0VjVcTNRTWvpV9Xlq+Ibg
uEL4LrR8LtYsGQ1tqMVtHcnYbduxNhhvRBCgyYpzq7LneiDH8rkyAEOJJjzVuIyT
x9ljB9SIIOouJZbgSkYST5m0CSMFsRXFjJ+jXcYXZx307dFhG4t5SMkGp6QyOcSy
Z0Gf1ClcMcdATxwX2zjXZ0mHhHYHMx9EUhrbcq1rfFuM0jg1tUcLXb/1S5nGTt7z
ApU7sCEBf9BSUIt+5U1U6TxWM7+SEygM65EWMgg8MBE0mSx5AiktqJBCDuji5TTJ
FAfX1mUhD5tALwmPK3vDIzUB3dZkcVILjwIHX2i67U0AHvuuX0qdoL+tQ19RfPDB
BXSjDk7HOpcWoZ3JG/6I3d3wd8pcdNGgMRyRx3AOsgZtFfkr6Y/xA4Dhy/MGTR8T
PdpTpZD1vqvFHFTUpkFwMw==
=Y9Hu
-----END PGP SIGNATURE-----

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] Giving Hidden Services some love
  - From: Katya Titov
- Re: [tor-talk] Giving Hidden Services some love
  - From: Colin Mahns
- Re: [tor-talk] Giving Hidden Services some love
  - From: Katya Titov
- Re: [tor-talk] Giving Hidden Services some love
  - From: Colin Mahns
- Re: [tor-talk] Giving Hidden Services some love
  - From: Virgil Griffith
- Re: [tor-talk] Giving Hidden Services some love
  - From: Xiaolan.Me
- Re: [tor-talk] Giving Hidden Services some love
  - From: Thomas White
- Re: [tor-talk] Giving Hidden Services some love
  - From: Virgil Griffith
- Re: [tor-talk] Giving Hidden Services some love
  - From: Moritz Bartl
- Re: [tor-talk] Giving Hidden Services some love
  - From: Josef 'veloc1ty' Stautner
- Re: [tor-talk] Giving Hidden Services some love
  - From: s7r
- Re: [tor-talk] Giving Hidden Services some love
  - From: Jesse B. Crawford
- Re: [tor-talk] Giving Hidden Services some love
  - From: Matthew Puckey
- Re: [tor-talk] Giving Hidden Services some love
  - From: Jesse B. Crawford

Prev by Author: Re: [tor-talk] Vidalia is closing tor's SOCKSPort listener (#8304?)
Next by Author: [tor-talk] please advise on renting a gigabit capable dedicated server
Previous by thread: Re: [tor-talk] Giving Hidden Services some love
Next by thread: Re: [tor-talk] Giving Hidden Services some love
Index(es):
- Author
- Thread