On Thu, 28 Oct 2010 10:10:52 +0100
startx <startx@xxxxxxxxxxxxxx> wrote:

> hello.
>
> i'm starting this as a new thread, as my question is only inspired by
> the discussion above.
>
> in the TorFaq
> ( https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ )
> it says:
>
> "Why is it better to provide a hidden service Web site with HTTP
> rather than HTTPS access?
>
> Put simply, HTTPS access puts the connecting client at higher risk,
> because it bypasses any first-stage filtering proxy.. "
>
>
> the answer in the FAQ refers to privoxy. so i wonder now: is this
> answer obsolete meanwhile?

Yes.

> or is it still the general recommendation to
> run hidden services without https?

I would recommend that hidden services not use HTTPS. The Tor hidden service protocol does an adequate job of authenticating servers and encrypting traffic to them. In addition, it is unlikely that any CA that Firefox is configured to trust would issue a certificate for a .onion hostname.

> is the server (hidden service)
> privacy threatened by using https too in any way?

I don't see any risk to the server.

> the FAQ also says:
>
> "These objections all apply to HTTPS, TLS, SSH, and generally all
> cryptography over Tor, regardless of whether or not the destination
> is a hidden service"
>
> which i think is causing some confusion.

Yes, that is a bad sentence. I think it's time to nuke that FAQ entry. (Probably long past time to nuke it.)

Robert Ransom