
Re: TorFaq on https for hidden services ( was: Hints and Tips for Whistleblowers )



On Thu, 28 Oct 2010 10:10:52 +0100
startx <startx@xxxxxxxxxxxxxx> wrote:

> hello.
> 
> i'm starting this as a new thread, as my question is only inspired by
> the discussion above.
> 
> in the TorFaq
> ( https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ ) 
> it says:
> 
>   "Why is it better to provide a hidden service Web site with HTTP
>   rather than HTTPS access? 
> 
>   Put simply, HTTPS access puts the connecting client at higher risk,
>   because it bypasses any first-stage filtering proxy.. "
> 
> 
> the answer in the FAQ refers to privoxy. so i wonder now: is this
> answer obsolete meanwhile?

Yes.

>                            or is it still the general recommendation to
> run hidden services without https?

I would recommend that hidden services not use HTTPS.  The Tor hidden
service protocol does an adequate job of authenticating servers and
encrypting traffic to them.  In addition, it is unlikely that any CA
that Firefox is configured to trust would issue a certificate for
a .onion hostname.

>                                    is the server (hidden service)
> privacy threatened by using https too in any way?

I don't see any risk to the server.

> the FAQ also says:
> 
>   "These objections all apply to HTTPS, TLS, SSH, and generally all
>   cryptography over Tor, regardless of whether or not the destination
>   is a hidden service"
> 
> which i think is causing some confusion.

Yes, that is a bad sentence.


I think it's time to nuke that FAQ entry.  (Probably long past time to
nuke it.)


Robert Ransom
