[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?
From: Alec Muffett <alec.muffett@xxxxxxxxx>
Date: Sat, 22 Sep 2018 16:15:08 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 22 Sep 2018 11:15:33 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=ordAq60rfOg+0Vl22K+xegp58JRMGLr5vLISv8Cma4w=; b=GxCNy5Jpvj4S5xXoC9mpfeUAhqN4au9DoGS8KUG/WIE0iA3GT875Yj7EDlgub1ODCt Uq/iMM0ZaBchBRs1v91lVnSgcPppiqt/sltWtImGwCGuSL0xwgey5wQChc+mxID0u9Jx mVh74llDMBMcE5Q0qp0kJhZdfPvPa0FKKMp+xQMtbq4/tnqP4M0DqkSb8rDTzEC/ZGhf JKOMtZrzJK4pv+h8pT/jlIXPc/8CFpW3srYrZ3U0bKl/WcM944Stp8mjLHkg3qi22rcg v6zqpRG555iLjjGPrgppeyr78tcLi2XfuvuPzv19XCsSjPiIIYdSls+ZrsYGeUWyw7XG HnrQ==
In-reply-to: <20180922200714.26053162@natsu>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CAFWeb9L8UTivxHynqB6GRM9KxKDqorXC1Lw6RodSt35CmufGtQ@mail.gmail.com> <20180922185805.24af3717@natsu> <CABMkiz4KnXqwFX-vPkRMzqBNgC5qCiL4R0F9Qc+NCK0AG-uHSg@mail.gmail.com> <20180922200714.26053162@natsu>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On Sat, 22 Sep 2018, 16:07 Roman Mamedov, <rm@xxxxxxxxxxx> wrote:

> There is no point in running HTTPS-over-Tor-hidden-service, as .onion
> traffic
> is already authenticated and encrypted, it only adds useless overhead.

I see your point, but there are a couple of additional perspectives to be
considered:
https://medium.com/@alecmuffett/onions-certs-browsers-a-three-way-mexican-standoff-7dc987b8ebc8
- especially regarding new functionality that will be locked to HTTPS

If
> there's no way around that with the alt-svc scheme, that seems like a huge
> oversight.
>

Respecting AltSvc on port 80 would be as dangerous, possibly more
dangerous, than cleartext HTTP already is; and regards the notion of making
"onion" into a widely respected secure source equivalent to a HTTPS site,
please see the above essay.

-a
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?
  - From: Traumschule

References:
- [tor-talk] Draft: Different Ways To Add Tor Onion Addresses To Your Website
  - From: Alec Muffett
- [tor-talk] Deploying Alt-Svc on your own website. Hello?
  - From: Roman Mamedov
- Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?
  - From: Ben Tasker
- Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?
  - From: Roman Mamedov

Prev by Author: [tor-talk] Let's not keep rehashing the past, it's dead already... (Was: Fishy MegaCorpsArchy)
Next by Author: Re: [tor-talk] alt-svc supported by TBB
Previous by thread: Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?
Next by thread: Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?
Index(es):
- Author
- Thread