[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] trusting .onion services
> - How can a user reliably determine some .onion address actually
> belongs to intended owner?
The user can call the admin and ask the admin to read aloud the key
> - How is the provider of .onion service supposed to deal with a lost or
> compromised private key, especially from the point of view from the
> user of this service? How does the user know a .onion-address has
> it's key revoke?
Use any form of reliable communication to communicate the old key is
unreliable. I am not aware of a revoke system.
> By relying on
> the certificate signed by a trusted CA, the user can be sure the site he
> is connecting to is actually belongs to a particular entity. With a
> .onion address that is no longer needed since those address are
> self-authenticating. Sounds good.
No. Through hacking or criminal intent the CAs are known to generate
fake keys that are certificated too. This is why there is a SSL Observatory.
With any certificate you get that. Not only ,onion addresses. And there
are quite a few sites in clearnet with self-signed certificates.
> As far as I can tell, Facebook has two solutions to this: it
> mentions the correct address in presentations, blogs and press coverage
> wherever it can and its TLS-certificate mentions both the .onion address
> as well as it's regular address (as Subject Alt Names).
This is why there might be any number of Fakebook.com, Faeebook.com,
Facebook.net. The big players buy a lot of these domains and use the
muscle to remove the others. But that is not for everybody.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to