On Fri, May 24, 2013 at 07:22:28AM -0400, Tom Ritter wrote:
> I guess I should have phrased this as "Can TBB talk to a SPDY enabled
> HS?" or "Can users take advantage of a HS running SPDY?" I think TBB
> would need to make special provisions. SPDY requires SSL, if you use
> the weird "Use SPDY over plaintext" option[0] it breaks HTTP. So if
> someone without a SPDY client visited x.onion, it'd break. A HS can
> redirect to a SSL version of itself, but the certificate won't
> validate, at least according to normal PKIX validation rules, because
> no one can issue a cert for a .onion.

A new CA could be generated by the Torproject and included with TBB. The CA could be completely public, so anybody is able to download its private key and generate a certificate using it. TBB could include this new CA, and also be patched so that certificates signed using this new CA only work for .onion domains. Then people could grab the CA and use it to generate certs for their .onion address. Then we'd gain all the efficiencies provided by SPDY and none of the drawbacks of SSL certificate warnings. There should be no issue with people having access to this CA's keys as long as it's only used for .onion domains.

Actually, I wonder if it's possible to just patch TBB to not do certificate verification for .onion URLs?

The only drawback I can see for this is if people incorrectly import this new CA into their non-TBB browser, meaning that people could use the new CA to generate certificates for non-.onion addresses and MITM *their* connections. Maybe Mozilla would allow the Torproject to run a CA which only works for .onion domains, and include code for that restriction up-stream?

SPDY *must* be much more efficient than HTTP over Tor. It has compression and multiplexing so multiple resources can be sent down the same single connection at the same time, and it has push so that the server can look at the resource that has been requested and send along all of the other relevant resources at the same time, rather than waiting for the browser to request them. E.g., the browser asks for an html file, so the server responds by sending the html file *and* its css, javascript and images all at the same time. Compare this to the browser requesting a HTML page, receiving the HTML page, parsing it, seeing that it needs a CSS file, requesting that, seeing that it needs a JS file, requesting that. Especially seeing as a lot of resources are fetched in the order they appear in the HTML and block other resources from being requested until they have finished being fetched themselves, e.g. javascript and css.

SPDY is currently supported by Firefox, Chromium and Opera. A few examples of sites that already have SPDY enabled: Google.com+mail, Facebook, Twitter, Wordpress.com. Apache has a module for it: https://code.google.com/p/mod-spdy/ and the latest versions of Nginx have it built in.

Yeah, I'm a fan of SPDY and I think Tor especially will benefit hugely from sites enabling it.

-- 
Mike Cardwell  https://grepular.com/  http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Attachment:
signature.asc
Description: Digital signature
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
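The .onion-only CA that Mike proposes above, worked through as an added Go example (written for this editorial pass; it is not code from Mike, Tom, the Tor Project or Mozilla). It models the two safeguards the message talks about: the TBB-side rule that the public CA is consulted only for .onion hostnames, and, for the mis-import case Mike worries about, an X.509 name constraint on the CA certificate itself (RFC 5280 section 4.2.1.10, which the thread does not mention but which is the standard way to express "this CA only works for .onion" in a form every PKIX verifier enforces). The CA name and the hostnames example.onion and example.com are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Example code for the .onion-only CA idea in this thread; not Tor Project or
// TBB code. The CA name and all hostnames below are constructed for the demo.

// newOnionCA builds a self-signed CA whose certificate carries an X.509 name
// constraint permitting only DNS names under .onion. The thread assumes the
// CA's private key is public, so the constraint (enforced by the verifier,
// not by the issuer) is what stops a key holder from minting a certificate
// that any constraint-aware client would accept for a clearnet host.
func newOnionCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Example public .onion CA"}, // constructed
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{".onion"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for host with the (public) CA key, as
// any hidden-service operator could after downloading it. Issuance itself
// does not check the name constraint; verification does.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyWithCAImported models a browser whose user imported the public CA as
// an ordinary trust anchor (the mis-import case in the thread). With the
// name constraint present, the clearnet leaf still fails chain validation.
func verifyWithCAImported(onionCA, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(onionCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// verifyOnionOnly is the client-side rule the thread proposes for TBB: the
// public CA is only ever a trust anchor when the hostname ends in .onion, so
// even a verifier that ignored name constraints could not be MITM'd on a
// clearnet host through this CA.
func verifyOnionOnly(onionCA, leaf *x509.Certificate, host string) error {
	if !strings.HasSuffix(strings.ToLower(host), ".onion") {
		return errors.New("onion CA is not a trust anchor for non-.onion hosts")
	}
	return verifyWithCAImported(onionCA, leaf, host)
}

func main() {
	ca, caKey, err := newOnionCA()
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"example.onion", "example.com"} { // constructed hostnames
		leaf, err := issueLeaf(ca, caKey, host)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s TBB policy: %v | CA mis-imported: %v\n",
			host, verifyOnionOnly(ca, leaf, host), verifyWithCAImported(ca, leaf, host))
	}
}
```

Run as-is, the onion host validates under both paths and the clearnet host is rejected under both: by the hostname rule in the TBB model, and by the name constraint in the mis-import model. Dropping the PermittedDNSDomains fields from the CA template shows why Mike's drawback is real: the mis-imported CA then validates example.com.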