[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Client identification for authenticated onions

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Client identification for authenticated onions
From: yanmaani@xxxxxxx
Date: Mon, 01 Nov 2021 09:34:21 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 07 Dec 2021 09:21:08 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cock.li; s=mail; t=1635759261; bh=/1u04mBGVF1P7zr/rTAfSPs4KwTo01dP9C3RLMzZrEE=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=KiXP7FWZVY4X4MlOwicD1QCtDbQ9RqqCRcZkc7QDvN87IuZmHfwX5E05Z/ggAIYir txoCVs3jGy3RH3ZVhTPHOaPR2eJqW7WW0U1whE2A2BC9JKYt7QFIqs0eu5sbz43mNV JoCfB+FpE5zbNrTnDcbzI7TFjGITeFJH13f+5mYZNl/LrChd/lzdOLlCX21HX68wDY MW1bYU/Ud/tysNWRQjj52DrQL4/hkOwiLzq4bPYTkuO2sD6Y0jxO4gIi7X4oS5lUDa RYOcD1H90uHPfEJQTTR2bqq1bKZ5GEe3lH1G6L0UNMlUtdLQ5dUFMTYH2KA7rTtNzN 6nevxuwV+J36w==
In-reply-to: <bf486c64-9eeb-fae8-19ff-2fc4fecad387@paperboats.net>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <bf486c64-9eeb-fae8-19ff-2fc4fecad387@paperboats.net>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Roundcube Webmail/1.3.16

On 2021-08-23 20:56, cho8jeiv4aus at paperboats.net wrote:

Hi there. I had an idea recently for an onion service to improve the UX
of sites that require a login. The site would have two onions: one for
those who want to use onion auth and another for those who don't or are

still setting it up. A user would first sign in with ausername+password

on the unauthenticated onion and click a button to generate a
certificate associated with their account. Then they would add the
public key to their browser and visit the authenticated onion. The

application server would then match the pubkey used to authenticatewith

an account in the database, and log them in automatically.


As for your case, you could maybe try client-side TLS certificates.

I've had a similar idea for DoS protection. You have two onions, callthem "open" and "closed".

In the good times, you go to the "open" onion and register. It gives youa client authentication password for "closed" and redirects you there.On subsequent logins, you just go straight to the "closed" onion. (Intheory, it's enough to have the key get you to the login screen - itdoesn't actually have to replace authentication)

Then, when the attack comes, it will take down the "open" onion.However, the "closed" onion is protected by client auth, and can berate-limited by key.

The only thing that would be needed for this is a special version ofclient authorization that allows the server to see *which* key isconnecting, as opposed to "some key but you don't know which for privacyreasons".

As an operator, an alternative would be to generate one (authenticated)
onion service per user and route them all to the same place with
different Host headers, but that seems rather inefficient, and I don't

know how well the tor daemon scales up to hundreds of onion servicesanyway.


That's not great for the network.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] A Simple Web of Trust for Tor Relay Operator IDs
Next by Author: Re: [tor-dev] A Simple Web of Trust for Tor Relay Operator IDs
Previous by thread: Re: [tor-dev] Proposal 334: A flag to mark Relays as middle-only
Next by thread: [tor-dev] Gosling onion-to-onion specifications
Index(es):
- Author
- Thread