[tor-bugs] #13625 [DocTor]: The doc page for hidden services should discuss HTTPS issues
#13625: The doc page for hidden services should discuss HTTPS issues
-------------------------+------------------------
Reporter: patrakov | Owner: atagar
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: DocTor | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------+------------------------
Currently, the doc page at
https://www.torproject.org/docs/tor-hidden-service.html.en says nothing
about providing HTTPS services, but, given that Facebook deployed such a
service, it should provide this information.
At least the following topics should be covered:
1. Self-identifying nature of onion domains and the questionable need for
HTTPS: even HTTP over the Tor network is encrypted, and only the owner of
the private key can get the traffic.
2. The Facebook case for using HTTPS: linking the hidden service to a
real-world identity using a certificate issued by a real CA.
3. The Facebook mistake: they did not staple the OCSP response to their
TLS handshake. As a result, the browser contacts the OCSP responder
provided by a CA, and some browsers (including Chrome) do so bypassing the
Tor network and thus deanonymizing the user and defeating the whole point
of having a hidden service.
I am not 100% sure about the above, and thus did not edit the wiki
directly. A good starting point for the first two issues is this text:
https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13625>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
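
A service operator can check for the stapling described in item 3 by looking for a CertificateStatus message (RFC 6066) in the server's handshake. The following is an added example, not part of the ticket and not Tor Project code: it parses a plaintext TLS 1.2 (or earlier) server flight, since in TLS 1.3 the staple travels inside the encrypted Certificate message. The sample flights are constructed with dummy message bodies, and the function names are hypothetical.

```python
import struct

HANDSHAKE_RECORD = 22      # TLS record content type "handshake"
CERTIFICATE_STATUS = 22    # handshake message type, RFC 6066 section 8
STATUS_TYPE_OCSP = 1       # CertificateStatusType "ocsp"

def handshake_messages(flight: bytes):
    """Yield (msg_type, body) for each plaintext handshake message in a flight."""
    buf, pos = b"", 0
    # Reassemble handshake fragments first: a message may span several records.
    while pos + 5 <= len(flight):
        ctype, _version, length = struct.unpack_from("!BHH", flight, pos)
        frag = flight[pos + 5 : pos + 5 + length]
        if len(frag) < length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE_RECORD:
            buf += frag
        pos += 5 + length
    pos = 0
    while pos + 4 <= len(buf):
        mtype = buf[pos]
        mlen = int.from_bytes(buf[pos + 1 : pos + 4], "big")
        body = buf[pos + 4 : pos + 4 + mlen]
        if len(body) < mlen:
            raise ValueError("truncated handshake message")
        yield mtype, body
        pos += 4 + mlen

def staples_ocsp(flight: bytes) -> bool:
    """True if the server flight carries a non-empty stapled OCSP response."""
    for mtype, body in handshake_messages(flight):
        if mtype == CERTIFICATE_STATUS and len(body) >= 4 and body[0] == STATUS_TYPE_OCSP:
            return int.from_bytes(body[1:4], "big") > 0
    return False

# --- constructed sample data: dummy bodies, split into 16-byte records ---
def _msg(mtype: int, body: bytes) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _records(payload: bytes, size: int = 16) -> bytes:
    chunks = [payload[i : i + size] for i in range(0, len(payload), size)]
    return b"".join(struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(c)) + c for c in chunks)

_HELLO, _CERT, _DONE = _msg(2, b"\x03\x03" + b"\0" * 32), _msg(11, b"\0" * 40), _msg(14, b"")
_STATUS = _msg(CERTIFICATE_STATUS, bytes([STATUS_TYPE_OCSP]) + (8).to_bytes(3, "big") + b"OCSPRESP")
FLIGHT_STAPLED = _records(_HELLO + _CERT + _STATUS + _DONE)
FLIGHT_UNSTAPLED = _records(_HELLO + _CERT + _DONE)

print("stapled:", staples_ocsp(FLIGHT_STAPLED), "| unstapled:", staples_ocsp(FLIGHT_UNSTAPLED))
```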