
Re: [tor-talk] What good is using Facebook through https://facebookcorewwwi.onion/ ?



Hi Virgil,

I think pinning might be sufficient. DNSSEC is so minimally deployed
as to not be a significant factor. See "Measuring the Practical Impact
of DNSSEC Deployment" from USENIX Sec 2013. Certificate transparency
will probably be providing records assurance sooner.

After sending I also thought I should have mentioned that the DNS
lookup is visible (often over separate paths than the connection to
Facebook) whether or not it is hijacked.  And maybe Facebook in
particular has employed adequate other things. I was taking Facebook
as not just the specific concern but as an exemplar of what using
onion addresses gets you when you are not trying to hide network
location. The self-authentication of onion addresses and the
communications entirely "within" Tor applies to other sites as
well. And for both Facebook and those sites these provide additional
assurance whether or not certificate pinning or other mechanisms have
been deployed.

aloha,
Paul


On Tue, Sep 22, 2015 at 12:53:23PM +0000, Virgil Griffith wrote:
> Paul: correct me if I'm wrong, but doesn't Facebook's key-pinning for CA
> Cert, and then DNSSEC for records, solve these concerns?
> 
> -V
> 
> On Sat, 19 Sep 2015 at 22:42 Paul Syverson <paul.syverson@xxxxxxxxxxxx>
> wrote:
> 
> > You are also not vulnerable to any DNS hijack since address lookup
> > does not use the DNS system. Likewise BGP hijacks are diminished in
> > value. But perhaps more important than either of these, any CA hijack
> > or shenanigans are greatly diminished in usefulness. You might want to
> > look at a short position paper we have that discusses this:
> > "Genuine onion: Simple, Fast, Flexible, and Cheap Website Authentication"
> > pdf of paper and
> > slides available at http://ieee-security.org/TC/SPW2015/W2SP/
> >
> > We also have a revised and expanded paper reflecting subsequent
> > developments in the works.
> >
> > aloha,
> > Paul
> >
> > On Sat, Sep 19, 2015 at 09:33:51AM +0000, Virgil Griffith wrote:
> > > The usual example given for this is, "if you don't want to share your
> > > amount of Facebook use with your ISP or the NSA, Facebook supports you
> > > doing that."
> > > On Sat, 19 Sep 2015 at 17:19 Martijn Grooten <martijn@xxxxxxxxxxxxxxxxxx>
> > > wrote:
> > >
> > > > On Sat, Sep 19, 2015 at 09:19:12AM +0300, Qaz wrote:
> > > > > What good does https://facebookcorewwwi.onion/ bring? I think there are
> > > > > but not much and not that far away from the benefits one can have
> > > > > logging in via mainstream browsers such as Firefox and Chrome.
> > > >
> > > > Perhaps you're on a secret mission somewhere and want to log into
> > > > Facebook, without letting even Facebook know where you are.
> > > >
> > > > Perhaps you can't access Facebook from where you are, but can access
> > > > Tor.
> > > >
> > > > Perhaps neither applies to you, but you just want to make sure those
> > > > people to whom it does apply don't stand out.
> > > >
> > > > Perhaps you think all Internet traffic should use onion routing.
> > > >
> > > > Perhaps there's another reason for using it that you don't want to
> > > > share, which should be fine: one shouldn't generally have to explain why
> > > > one uses Tor.
> > > >
> > > > Martijn.
> > > > --
> > > > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > > > To unsubscribe or change other settings go to
> > > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> > > >
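
The self-authentication of onion addresses discussed in this thread, sketched as an added example (not part of the thread and not Tor's own code). It assumes the v2 address format in use at the time, where the 16-character label is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key; the key bytes and function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded RSA public keys (not real keys).
GENUINE_KEY = b"constructed stand-in: DER bytes of the real service key"
IMPOSTER_KEY = b"constructed stand-in: DER bytes of a hijacker's key"


def onion_v2_address(der_public_key: bytes) -> str:
    """Derive the 16-character v2 onion label from a service public key."""
    digest = hashlib.sha1(der_public_key).digest()
    # First 80 bits (10 bytes) encode to exactly 16 base32 characters.
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def key_matches_address(hostname: str, der_public_key: bytes) -> bool:
    """Check that a presented key is the one the onion address commits to.

    No DNS lookup and no CA are consulted: the address itself is the
    commitment, so a substituted key cannot pass for the same name.
    """
    name = hostname.lower().rstrip(".")
    if not name.endswith(".onion"):
        return False  # not an onion name, nothing to self-authenticate
    # Keep only the label directly left of ".onion" (ignores "www." etc.).
    label = name[: -len(".onion")].rsplit(".", 1)[-1]
    if len(label) != 16:
        return False
    return label == onion_v2_address(der_public_key)


if __name__ == "__main__":
    host = onion_v2_address(GENUINE_KEY) + ".onion"
    print(host, "genuine key:", key_matches_address(host, GENUINE_KEY))
    print(host, "imposter key:", key_matches_address(host, IMPOSTER_KEY))
```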