[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] HTTPS to hidden service unecessary?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] HTTPS to hidden service unecessary?
From: "Fabio Pietrosanti (naif)" <lists@xxxxxxxxxxxxxxx>
Date: Tue, 10 Jul 2012 07:59:16 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 10 Jul 2012 01:58:52 -0400
In-reply-to: <1341866992.17843.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <1341864625.92829.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <4FFB3CE7.7040405@xxxxxxxxxxxxxxx> <1341866992.17843.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20120614 Thunderbird/13.0.1

On 7/9/12 10:49 PM, Juenca R wrote:
>> - You want SSL client authentication
>>
>> - You want to use particular key exchange like TLS SRP
>> https://github.com/trevp/tlslite
> 
> these two things are really esoteric arent they?  i mean, good technology, but not used very often?
Client side authentication is widely used within e-governmental services
with smartcard. Maybe one day some government will try using Tor HS? :-)

TLS SRP is just relatively new, not "esoteric", and imho it will get a
wider uses, as it's TLS with shared-secret authentication rather than
CA-based authentication.
Especially by thinking about possibly future integration with upcoming
Javascript TLS implementation https://github.com/digitalbazaar/forge .

However if you don't need, just don't care.

>> - You want the client to be able to trust a specific certificate and/or
>> CA that you already trusted over the internet/intranet
> 
> good point, although the domain will mis-match so you might still have a problem of user needs to confirm security exception

You can have multiple hostname within the same certificate.

At the same time you may have your own private CA (like most big
enterprises does), trust that and use that for "internet" hostname and
"darknet" hostnames.

-naif
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] HTTPS to hidden service unecessary?
  - From: Juenca R
- Re: [tor-talk] HTTPS to hidden service unecessary?
  - From: Fabio Pietrosanti (naif)
- Re: [tor-talk] HTTPS to hidden service unecessary?
  - From: Juenca R

Prev by Author: Re: [tor-talk] HTTPS to hidden service unecessary?
Next by Author: Re: [tor-talk] hidden services 2.0 brainstorming
Previous by thread: Re: [tor-talk] HTTPS to hidden service unecessary?
Next by thread: Re: [tor-talk] HTTPS to hidden service unecessary?
Index(es):
- Author
- Thread