
Re: [tor-talk] trusting .onion services



++ 16/01/16 15:20 -0700 - Mirimir:
>
>> Or, to rephrase it: how can a user reliably determine the .onion address
>> for a given entity without relying on the flawed CA system and without
>> the entity having a lot of visibility?
>
>I GnuPG sign pages on http://dbshmc5frbchaum2.onion and have the public
>key online in four other independent places. I recommend that users
>first verify that all five places provide the same public key. Then they
>can verify that the signatures are valid.

Yes. That sounds like a nice setup - however, with all respect, not one
that will be adopted in a safe way by the majority of the people. It is
not "broadly accessible". I like it a lot that sites like Facebook are
accessible as a .onion-service as it will make this kind of security
accessible to a broad group of people, including those with a less
strong technical background. They (no, we all!) should have more
accessible means of verifying the ownership of a .onion-address.


-- 
Rejo Zenger
E rejo@xxxxxxxxx | P +31(0)639642738 | W https://rejo.zenger.nl  
T @rejozenger | J rejo@xxxxxxxxx

OpenPGP   1FBF 7B37 6537 68B1 2532  A4CB 0994 0946 21DB EFD4
XMPP OTR  271A 9186 AFBC 8124 18CF  4BE2 E000 E708 F811 5ACF
Signal    05 EB 38 5C 01 0B 55 6A 19 69 E1 EF C2 99 89 EC 9C
          E4 88 3C 6F E3 7D 58 61 9B 32 E8 DB 9F ED 1B 2A
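
The cross-check recommended in the quoted message (confirm that every location serves the same public key before trusting any signature), as an added example that is not part of the original thread or anyone's actual tooling. It computes the OpenPGP v4 fingerprint of each copy and refuses to continue on any disagreement. Assumptions: the copies have already been downloaded, the source names are hypothetical, and the sample key is constructed bytes rather than a real key.

```python
import base64
import hashlib

def dearmor(data):
    """Decode ASCII armor to binary; binary input passes through. CRC-24 is not checked."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]  # after the armor headers, before the END line
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def pubkey_body(pkt):
    """Return the body of the leading Public-Key packet (tag 6), RFC 4880 section 4.2."""
    tag = pkt[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag & 0x40:  # new-format header
        ptype, l0 = tag & 0x3F, pkt[1]
        if l0 < 192: length, off = l0, 2
        elif l0 < 224: length, off = ((l0 - 192) << 8) + pkt[2] + 192, 3
        elif l0 == 255: length, off = int.from_bytes(pkt[2:6], "big"), 6
        else: raise ValueError("partial body lengths not handled")
    else:  # old-format header
        ptype, n = (tag >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(tag & 3)
        if n is None: raise ValueError("indeterminate length not handled")
        length, off = int.from_bytes(pkt[1:1 + n], "big"), 1 + n
    if ptype != 6: raise ValueError("first packet is not a public key")
    return pkt[off:off + length]

def fingerprint_v4(key):
    """V4 fingerprint: SHA-1 over 0x99, two-byte length, packet body (RFC 4880 12.2)."""
    body = pubkey_body(dearmor(key))
    if body[0] != 4: raise ValueError("only v4 keys handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def cross_check(sources):
    """Return the shared fingerprint, or raise if any source serves a different key."""
    fprs = {name: fingerprint_v4(data) for name, data in sources.items()}
    if len(set(fprs.values())) != 1:
        raise ValueError("sources disagree: %r" % fprs)
    return next(iter(fprs.values()))

# Constructed sample: a made-up v4 key body (not a real key), in binary and armored form.
BODY = b"\x04" + (1452902400).to_bytes(4, "big") + b"\x16" + bytes(range(44))
BINARY = b"\x98" + bytes([len(BODY)]) + BODY
ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(BINARY)
           + b"\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")  # CRC is a placeholder

if __name__ == "__main__":  # hypothetical source names: the onion site plus four others
    print(cross_check({"onion": ARMORED, "a": BINARY, "b": ARMORED, "c": BINARY, "d": BINARY}))
```

Only once all copies agree does the second step in the quoted message apply: checking the page signatures against that key, for example with `gpg --verify`.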
