On Tue, Dec 29, 2015 at 12:27:06PM -0900, Jesse V wrote:On 12/29/2015 11:18 AM, Aeris wrote:
A few hidden services have added an
HTTPS cert but I think that's mostly for a publicity stunt than anything
else.
As indicated in the rogerâs lecture, HTTPS is usefull for HS :
- browsers handle more securely cookies or other stuff in HTTPS mode,
avoiding some possible leaks
- because anybody can create an HS and proxify any content, X.509 certs
allow users to verify the authenticity of the HS (you are on the official
Facebook HS if you have a cert with facebook.com *AND* facebookcorewwwi.onion
inside)
I've downloaded the .webm of Roger's lecture but haven't had the time
today to listen to it. My point was that HSs already have an
authentication mechanism and it's assumed that you can verify the
address through some trusted out-of-band method, so in that case you
don't need an SSL cert. This can sometimes be superior to trusting the
centralized CA model, but I agree that the points you've listed are
useful applications as well.
In case it is helpful. Griffin Boyce and I have a paper forthcoming inIEEE Security & Privacy Magazine on this topic. The final editorialchanges are not in so it might change a little, but you can find thehopefully-close-to-final version athttps://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdfIt covers- How the self-authentication of onionsites that Jesse has been noting and the SSL certs for registered-domain websites that Benoit asked about can complement each other in a variety of ways---and not just for big companies but for individuals, small businesses, local organizations, clubs, sports teams, etc.- The current state of certs for onionsites (EV only), and what the issues are that stand in the way of DV certs and a proposal for resolving them.- How this can all dovetail nicely with Let's Encrypt (an issuance and usage design that binds things together nicely so it is hard to undetectably set up a spoof onionsite of another onionsite of a registered-domain site, etc. and vice versa) once DV certs are allowed.- A description of using GPG that can be done right now while waiting for the world to catch up, and an existing example of a site that does such binding (from a small site operator who found his hosting provider was blocking access from the Tor network). We just cited one such example in the paper, but there are of course others, e.g., https://blog.patternsinthevoid.net/isis.txtaloha,Paul_______________________________________________tor-relays mailing listtor-relays@xxxxxxxxxxxxxxxxxxxxhttps://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Thanks it's useful :) I am know wondering how i can bruteforce a clear name for my site like facebook but i think it's all good for the rest :)
- benoÃt
|