Re: [tor-talk] trusting .onion services
Rejo Zenger:
> - How can a user reliably determine some .onion address actually
> belongs to the intended owner?
The user can call the admin and ask the admin to read aloud the key
fingerprint.
> - How is the provider of a .onion service supposed to deal with a lost or
> compromised private key, especially from the point of view of the
> user of this service? How does the user know a .onion address has had
> its key revoked?
Use any form of reliable communication to communicate that the old key is
unreliable. I am not aware of a revoke system.
> By relying on
> the certificate signed by a trusted CA, the user can be sure the site he
> is connecting to actually belongs to a particular entity. With a
> .onion address that is no longer needed since those addresses are
> self-authenticating. Sounds good.
No. Through hacking or criminal intent the CAs are known to generate
fake keys that are certified too. This is why there is an SSL Observatory.
With any certificate you get that. Not only .onion addresses. And there
are quite a few sites in clearnet with self-signed certificates.
> As far as I can tell, Facebook has two solutions to this: it
> mentions the correct address in presentations, blogs and press coverage
> wherever it can and its TLS certificate mentions both the .onion address
> as well as its regular address (as Subject Alt Names).
This is why there might be any number of Fakebook.com, Faeebook.com,
Facebook.net. The big players buy a lot of these domains and use the
muscle to remove the others. But that is not for everybody.
Cheers
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
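An added example, not code from the thread or from the Tor project, of the self-authenticating property discussed above: it derives a .onion address from a public key and checks a given address against a key fingerprint obtained out of band, which is the "admin reads the fingerprint aloud" check from the reply. It uses the current v3 address format rather than the earlier v2 one; the hex fingerprint format and the sample key are assumptions made for the example.

```python
# Added example, not from the thread or the Tor project: a v3 .onion address
# encodes the service's public key plus a checksum, which makes it
# self-authenticating. Per the Tor rendezvous spec, the address is
# base32(PUBKEY || SHA3-256(".onion checksum" || PUBKEY || 0x03)[:2] || 0x03).
import base64
import hashlib

VERSION = b"\x03"

def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def onion_address(pubkey: bytes) -> str:
    """Derive the .onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def pubkey_from_onion(address: str) -> bytes:
    """Decode a v3 address, verify its checksum and version, return the key.
    A typo or a look-alike address fails here with ValueError."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-6]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: address does not match its key")
    return pubkey

def matches_fingerprint(address: str, fingerprint_hex: str) -> bool:
    """The 'admin reads the key aloud' check: compare the key in the address with
    a fingerprint obtained out of band (hex of the raw key, an assumed format)."""
    try:
        return pubkey_from_onion(address) == bytes.fromhex(fingerprint_hex)
    except ValueError:
        return False

# Constructed sample key, not any real service's key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_ADDRESS = onion_address(SAMPLE_KEY)
# Same address with one character changed inside the checksum (character 52
# lies entirely within the checksum bytes): a look-alike that must be rejected.
TAMPERED_ADDRESS = SAMPLE_ADDRESS[:52] + ("a" if SAMPLE_ADDRESS[52] != "a" else "b") + SAMPLE_ADDRESS[53:]
```

The checksum only catches corruption and typos; whether the key itself belongs to the intended owner still depends on the out-of-band fingerprint, as the reply says.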