[tor-dev] Hidden Service authorization UI

grarpamp grarpamp at gmail.com
Sun Nov 9 23:49:31 UTC 2014

On Sun, Nov 9, 2014 at 3:30 PM, Fabio Pietrosanti - lists
<lists at infosecurity.ch> wrote:
> On 11/9/14 8:58 PM, Jacob Appelbaum wrote:
>>> For example, it would be interesting if TBB would allow people to
>>> input a password/pubkey upon visiting a protected HS. Protected HSes
>>> can be recognized by looking at the "authentication-required" field of
>>> the HS descriptor. Typing your password on the browser is much more
>>> useable than editing a config file.
>> That sounds interesting.
> Also i love this idea but i would suggest to preserve the copy&paste
> self-authenticated URL property of TorHS, also in presence of authorization.
> It could be done with a parameter in the URL
> http://blahblah.onion/?authTorHBauBauMeowMeow=PASSWORD
> Or it could be done with a URL handler httpA://PASSWORD@blahblah.onion .
> That way it will be possible to use such authenticated TorHS by
> bookmarking an URL in TBB or by copy/pasting it from a password manager.

This assumes you're using a Tor aware browser, or Tor is somehow protocol
aware and MITM for all user protocols (such as TLS non-web) which is impossible.
So this won't work. Any such descriptor authenticating would need done at
the onion 'hostname' level since that's the only non-user-protocol
area available.
ie: authtoken.16char.onion. Or in torrc as is today.

More information about the tor-dev mailing list