<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 3 April 2017 at 16:59, Ian Goldberg <span dir="ltr"><<a href="mailto:iang@cs.uwaterloo.ca" target="_blank">iang@cs.uwaterloo.ca</a>></span> wrote:</div><div class="gmail_quote"><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-im" style="font-size:12.8px">> How about this, though: I know that Tor doesn't want to be in the business<br></span><span class="gmail-im" style="font-size:12.8px">> of site reputation, but what if (eg) Protonmail offers a Onion "Safe<br></span><span class="gmail-im" style="font-size:12.8px">> Browsing" extension some day, of known-bad Onions for malware reasons?</span></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-im" style="font-size:12.8px"><br></span><span style="font-size:12.8px">That's a quite good motivating example, thanks!</span></blockquote><div class="gmail_quote"><br></div><div class="gmail_quote">#Yay; I'm also thinking of other plugins (in the cleartext world, HTTPSEverywhere is the best example) which provide value to the user by mechanically mutating URIs which match some canonical DNS domain name; because Onion addresses are more like Layer-2 addresses*, development of similar plugins benefits greatly from enforced "canonicality" (sp?) than is necessary for equally-functional DNS equivalents; there is no means to "group" three disparate Onion addresses together just-because they are all owned by (say: Facebook), and if each address has 8 possible representations then that's 24 rules to match against...</div><div class="gmail_quote"><br></div><div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">> There's quite a gulf between stripping hyphens from a candidate onion<br>
> address and doing strcmp(), versus either drilling into the candidate<br>
> address to compute the alternative forms to check against the blacklist, or<br>
> even requiring the blacklist to be 8x larger?<br>
<br>
</span>Yes, that's true. I'm definitely in favour of the "multiply by L (the<br>
order of the group) and check that you get the identity element; error<br>
with 'malformed address' if you don't" to get rid of the torsion point<br>
problem.<br></blockquote><div><br></div><div>I heard that and AMS and it sounds a fabulous idea, although I am still too much of an EC noob to appreciate it fully. :-) </div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">If the daily descriptor uploaded to the point<br>
Hash(onionaddr, dailyrand) contained Hash(onionaddr, dailyrand) *in* it<br>
(and is signed by the master onion privkey, of course), then tor<br>
could/should check that it reached that location through the "right"<br>
onion address.<br></blockquote><div><br></div><div>That sounds great, and I think it sounds an appropriate response, but again I am a Prop224 and EC noob. :-)</div><div><br></div><div>I would like, for two paragraph, to go entirely off-piste and ask a possibly irrelevant and probably wrong-headed question: </div><div><br></div><div>/* BEGIN PROBABLY WRONG SECTION */</div><div>I view Onions as Layer-2 addresses, and one popular attack on Ethernet Layer 2 is ARP-spoofing. Imagine $STATE_ACTOR exfiltrates the private key material from $ONIONSITE and wants to silently and partially MITM the existing site without wholesale owning or tampering with it. Can they make any benefit from multiple ("hardware MAC-address") keys colliding to one address? Is there any greater benefit to $STATE_ACTOR from this than (say) publishing lots of fake/extra introduction points for $ONIONSITE and using those to interpose themselves into communications?</div><div><div>/* END PROBABLY WRONG SECTION */</div></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I'm afraid the details of what's in that daily descriptor are not in my<br>
brain at the moment. Does it contain its own (daily blinded) name under<br>
the signature?<br></blockquote><div><br></div><div><punt/> George?</div><div><br></div><div> -a</div><div><br></div></div><div>--</div><div>* Layer-2 analogy: <a href="https://twitter.com/AlecMuffett/status/802161730591793152">https://twitter.com/AlecMuffett/status/802161730591793152</a></div><div><br></div><div><br></div>-- <br><div class="gmail_signature"><a href="http://dropsafe.crypticide.com/aboutalecm" target="_blank">http://dropsafe.crypticide.com/aboutalecm</a><br></div>
</div></div>