Re: [tor-talk] Hidden service and session integrity

NTPT writes:

> And is it possible (and how?) to run end-to-end encrypted (SSL) web
> traffic via the Tor network?

If you mean end-to-end encrypted to a hidden service, there is a problem
in that most certificate authorities won't issue a certificate for
a .onion hostname today.  That means that the Tor Browser will give a
certificate warning when users navigate to the hidden service via HTTPS,
because the service won't be able to present a certificate that the
browser will accept.  They can still use HTTPS, but they might develop
a risky habit of ignoring or bypassing certificate warnings (which is
riskier when using the Tor Browser to visit an HTTPS site on the public
Internet, since the warning could indicate an attack from the exit node,
a situation which is far less plausible with hidden services).

There was recently a cert issued to Facebook for a .onion name, but
it's not clear when this kind of cert will be easily available to the
general public.

Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107