
Re: [tor-talk] Server / Browser html PGP Encryption



What are you trying to accomplish?

First note that hidden servers already use RSA, the public key algorithm at the heart of OpenPGP.  The jumble of characters in the hidden service name is actually the fingerprint (or equivalent) of the service's public key.  The service sends you its full public key and your Tor client verifies its fingerprint, allowing you to authenticate the server's identity and send it messages that imposters are unable to intercept.  The extra features of OpenPGP (the protocol behind PGP, GPG, etc) don't add value here, at least not that I can see.

All of this is on top of the strong encryption of the Tor circuit which connects you to the server.

Going in the other direction, why do you want to provide an OpenPGP key to the server?  If it is for authentication,

Conversely, providing an OpenPGP key across multiple sessions serves to identify you to the server(s) involved.  If this is what you want and you are using TLS (e.g. https), then a client certificate might be the right approach since it is already built into TLS.  I say might, because I haven't used client certs myself and don't know whether TorBrowser can be easily configured to use them.


> On 24 Sep 2015, at 2:58 PM, Darren Allen <darreneallen@xxxxxxxxx> wrote:
> 
> Once a user has joined an Onion web server, they download the server's PGP
> Public Key, and upload their own PGP Public Key.
> All HTML communication, .jpg images, etc are then encoded by the server using
> the user's Public Key.
> 
> The user has their private key attached to the Tor Browser, (The browser
> could generate a random PGP key set for each Onion site), which then
> decrypts the incoming communication back into HTML etc to be displayed in
> the browser.
> 
> All new page requests, sent by the user, are likewise encrypted using the
> Onion site's Public Key, and decrypted by the server.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
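
The fingerprint check described in the reply, as an added example that is not part of the original message or of Tor's code. It assumes the version 2 hidden service address format in use when this thread was written (base32 of the first 80 bits of the SHA-1 of the DER-encoded RSA public key); the function names are hypothetical and the moduli are constructed stand-ins, not real RSA keys.

```python
import base64
import hashlib
import hmac

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):
    """DER INTEGER for a positive value (0x00 is prepended when the top bit is set)."""
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(b)) + b

def rsa_public_key_der(n, e=65537):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body

def onion_v2_address(pub_der):
    """Assumed v2 rule: base32(SHA-1(DER key)[:10]), lower case, plus '.onion'."""
    digest = hashlib.sha1(pub_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"

def verify_service_key(address, presented_der):
    """Client-side check: does the key the service presented hash to the address?"""
    return hmac.compare_digest(onion_v2_address(presented_der), address.lower())

def constructed_modulus(seed):
    """Constructed 1024-bit odd integer standing in for an RSA modulus (not a real key)."""
    raw = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(4))
    return int.from_bytes(raw, "big") | (1 << 1023) | 1

# Constructed sample data: one "genuine" service key and one impostor key.
GENUINE_DER = rsa_public_key_der(constructed_modulus(b"genuine service"))
IMPOSTOR_DER = rsa_public_key_der(constructed_modulus(b"impostor"))
ADDRESS = onion_v2_address(GENUINE_DER)

if __name__ == "__main__":
    print("address:", ADDRESS)
    print("genuine key accepted:", verify_service_key(ADDRESS, GENUINE_DER))
    print("impostor key accepted:", verify_service_key(ADDRESS, IMPOSTOR_DER))
```

Because the address is derived from the key, a server holding a different key cannot pass this check for the same address without finding a collision on the truncated hash.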