[tor-bugs] #13625 [DocTor]: The doc page for hidden services should discuss HTTPS issues

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Nov 1 05:44:38 UTC 2014


#13625: The doc page for hidden services should discuss HTTPS issues
-------------------------+------------------------
 Reporter:  patrakov     |          Owner:  atagar
     Type:  enhancement  |         Status:  new
 Priority:  normal       |      Milestone:
Component:  DocTor       |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+------------------------
 Currently, the doc page at
 https://www.torproject.org/docs/tor-hidden-service.html.en says nothing
 about providing HTTPS services, but, given that Facebook deployed such a
 service, it should provide this information.

 At least the following topics should be covered:

 1. Self-identifying nature of onion domains and the questionable need for
 HTTPS: even HTTP over the Tor network is encrypted, and only the owner of
 the private key can get the traffic.

 2. The Facebook case for using HTTPS: linking the hidden service to a
 real-world identity using a certificate issued by a real CA.

 3. The Facebook mistake: they did not staple the OCSP response to their
 TLS handshake. As a result, the browser contacts the OCSP responder
 provided by a CA, and some browsers (including Chrome) do so bypassing the
 Tor network and thus deanonymizing the user and defeating the whole point
 of having a hidden service.

 I am not 100% sure about the above, and thus did not edit the wiki
 directly. A good starting point for the first two issues is this text:
 https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13625>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
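
Whether a server staples an OCSP response (topic 3 in the ticket) can be checked from the operator's side with `openssl s_client -status`. The script below is an added example, not part of the ticket or of Tor's documentation; the function names and the sample outputs are constructed for illustration, and the matched strings assume OpenSSL's usual s_client wording.

```shell
#!/usr/bin/env bash
# Added example: classify the OCSP stapling state reported by
# `openssl s_client -status`. Function names are hypothetical.

# Reads s_client output on stdin and prints one of:
#   stapled-<cert status>  staple present, e.g. stapled-good, stapled-revoked
#   stapled                staple present, no "Cert Status:" line seen
#   stapled-error          responder status other than "successful"
#   not-stapled            server sent no staple
#   unknown                no stapling information in the output
classify_staple() {
    awk '
        /OCSP response: no response sent/ { state = "not-stapled" }
        /OCSP Response Status:/ {
            # e.g. "OCSP Response Status: successful (0x0)"
            state = ($4 == "successful") ? "stapled" : "stapled-error"
        }
        /Cert Status:/ && state == "stapled" {
            # e.g. "Cert Status: good"
            state = "stapled-" $3
        }
        END { print (state == "" ? "unknown" : state) }
    '
}

# Live check against a TLS server you operate (needs network access).
check_staple() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_staple
}

# Constructed excerpts of s_client output for an offline run.
sample_stapled='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
sample_missing='CONNECTED(00000003)
OCSP response: no response sent'

printf '%s\n' "$sample_stapled" | classify_staple
printf '%s\n' "$sample_missing" | classify_staple
```

A `not-stapled` result means clients that check revocation have to query the CA's responder themselves. Checking an onion address this way additionally requires routing the connection through Tor, which the script does not do.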

