[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Client identification for authenticated onions

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Client identification for authenticated onions
From: Shannon via tor-dev <tor-dev@xxxxxxxxxxxxxxxxxxxx>
Date: Sun, 12 Dec 2021 19:01:32 +0000
Cc: Shannon <plexi99@xxxxxxxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 20 Mar 2022 16:23:40 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail2; t=1639335693; bh=NxkwpeEtUU4b0m/MRRmbvPKslnT3luJdIQ+pq8tO7Ig=; h=Date:To:From:Reply-To:Subject:Message-ID:In-Reply-To:References: From:To:Cc; b=lw5UhuqiRvRv8x+Q6+BawGcmHYRKJ3qbE7BtHswwBlNU5H1+rIj1ciw66mOBRidN1 mYjf2Uilh/G4aoBtxol0bUIBFmnsrIHEkP5GyENz8wGC95v7HQS1dAXyOVw0rM2iRi y75y2+8KE3EDCrf3c7FIQHNtI+m/JwiKvwUOWuNvwXqArVQ13QI+MlFViN3fK4V4Im li5K7MQF86Xb2Bn7YBggt1SMYx7uOtttwRQOam6grGT//R9nl51r/+fc9BWW2jQTTV 2jokMj8oqekQek3D1CATcYbDfMop4GfrZyUZ2HD/MnrXEidosaozPIJldNgTsUHVXl +MqktazOt4i5w==
In-reply-to: <cadf6bda10f92b95fc50d0452952b7b3@cock.li>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <bf486c64-9eeb-fae8-19ff-2fc4fecad387@paperboats.net> <cadf6bda10f92b95fc50d0452952b7b3@cock.li>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

unsubscribe

Regards,
Shannon

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Tuesday, December 7th, 2021 at 9:21 AM, <yanmaani@xxxxxxx> wrote:

> On 2021-08-23 20:56, cho8jeiv4aus at paperboats.net wrote:
>
> > Hi there. I had an idea recently for an onion service to improve the UX
> >
> > of sites that require a login. The site would have two onions: one for
> >
> > those who want to use onion auth and another for those who don't or are
> >
> > still setting it up. A user would first sign in with a
> >
> > username+password
> >
> > on the unauthenticated onion and click a button to generate a
> >
> > certificate associated with their account. Then they would add the
> >
> > public key to their browser and visit the authenticated onion. The
> >
> > application server would then match the pubkey used to authenticate
> >
> > with
> >
> > an account in the database, and log them in automatically.
>
> As for your case, you could maybe try client-side TLS certificates.
>
> I've had a similar idea for DoS protection. You have two onions, call
>
> them "open" and "closed".
>
> In the good times, you go to the "open" onion and register. It gives you
>
> a client authentication password for "closed" and redirects you there.
>
> On subsequent logins, you just go straight to the "closed" onion. (In
>
> theory, it's enough to have the key get you to the login screen - it
>
> doesn't actually have to replace authentication)
>
> Then, when the attack comes, it will take down the "open" onion.
>
> However, the "closed" onion is protected by client auth, and can be
>
> rate-limited by key.
>
> The only thing that would be needed for this is a special version of
>
> client authorization that allows the server to see which key is
>
> connecting, as opposed to "some key but you don't know which for privacy
>
> reasons".
>
> > As an operator, an alternative would be to generate one (authenticated)
> >
> > onion service per user and route them all to the same place with
> >
> > different Host headers, but that seems rather inefficient, and I don't
> >
> > know how well the tor daemon scales up to hundreds of onion services
> >
> > anyway.
>
> That's not great for the network.
>
> tor-dev mailing list
>
> tor-dev@xxxxxxxxxxxxxxxxxxxx
>
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] Gosling onion-to-onion specifications
Next by Author: Re: [tor-dev] [dappy] Willing to chat with tor devs, about name system issues/solutions
Previous by thread: [tor-dev] compiling torsocks
Next by thread: Re: [tor-dev] The case for Tor-over-QUIC
Index(es):
- Author
- Thread