[tor-relays] tor hidden services & SSL EV certificate

Benoit Chesneau benoitc at refuge.io
Thu Dec 31 14:44:04 UTC 2015


> On 30 Dec 2015, at 13:55, Paul Syverson <paul.syverson at nrl.navy.mil> wrote:
> 
> On Tue, Dec 29, 2015 at 12:27:06PM -0900, Jesse V wrote:
>> On 12/29/2015 11:18 AM, Aeris wrote:
>>>> A few hidden services have added an
>>>> HTTPS cert but I think that's mostly for a publicity stunt than anything
>>>> else.
>>> 
>>> As indicated in Roger's lecture, HTTPS is useful for HSs:
>>> 	- browsers handle cookies and other stuff more securely in HTTPS mode, 
>>> avoiding some possible leaks
>>> 	- because anybody can create an HS and proxy any content, X.509 certs 
>>> allow users to verify the authenticity of the HS (you are on the official 
>>> Facebook HS if you have a cert with facebook.com *AND* facebookcorewwwi.onion 
>>> inside)
>>> 
>> 
>> I've downloaded the .webm of Roger's lecture but haven't had the time
>> today to listen to it. My point was that HSs already have an
>> authentication mechanism and it's assumed that you can verify the
>> address through some trusted out-of-band method, so in that case you
>> don't need an SSL cert. This can sometimes be superior to trusting the
>> centralized CA model, but I agree that the points you've listed are
>> useful applications as well.
>> 
> 
> In case it is helpful. Griffin Boyce and I have a paper forthcoming in
> IEEE Security & Privacy Magazine on this topic. The final editorial
> changes are not in so it might change a little, but you can find the
> hopefully-close-to-final version at
> https://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdf
> 
> It covers
> 
> - How the self-authentication of onionsites that Jesse has been noting
>  and the SSL certs for registered-domain websites that Benoit asked
>  about can complement each other in a variety of ways---and not just
>  for big companies but for individuals, small businesses, local
>  organizations, clubs, sports teams, etc.
> 
> - The current state of certs for onionsites (EV only), and what
>  the issues are that stand in the way of DV certs and a proposal
>  for resolving them.
> 
> - How this can all dovetail nicely with Let's Encrypt (an issuance
>  and usage design that binds things together nicely so it is hard to
>  undetectably set up a spoof onionsite of another onionsite
>  of a registered-domain site, etc. and vice versa) once DV certs
>  are allowed.
> 
> - A description of using GPG that can be done right now while waiting
>  for the world to catch up, and an existing example of a site that
>  does such binding (from a small site operator who found his hosting
>  provider was blocking access from the Tor network). We just cited
>  one such example in the paper, but there are of course others, e.g.,
>  https://blog.patternsinthevoid.net/isis.txt
> 
> aloha,
> Paul
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Thanks, it's useful :) I am now wondering how I can brute-force a clear name for my site like Facebook, but I think it's all good for the rest :)

- benoît
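The two mechanisms this thread contrasts, the onion address that authenticates itself because it is derived from the service key, and the X.509 certificate that lists both the registered domain and the .onion name in its subjectAltName, as an added worked example in Python (standard library only; this is not code from the thread, from Tor, or from the cited paper). It implements the v2 onion address derivation in use at the time of the thread (base32 of the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey), the "both names present in the SAN" check Aeris describes for the Facebook EV cert, and the brute-force vanity search Benoît asks about. The SAN list is passed in as plain strings, so extracting it from a real certificate with the X.509 parser of your choice is left to the caller; the key generator used by the search is a constructed stand-in that feeds distinct byte strings to the hash, so the block runs offline, whereas a real search would generate a fresh RSA key on every try.

```python
"""Onion self-authentication versus X.509 SAN binding (added example, not
code from the tor-relays thread). Standard library only.

v2 onion addresses (the format in use in 2015): take SHA-1 over the DER
encoding of the service's PKCS#1 RSAPublicKey, keep the first 80 bits,
base32-encode, lower-case, append ".onion". The address therefore commits to
the key: anyone who learned the address out of band can check the key the
service presents. A certificate whose SAN carries both facebook.com and
facebookcorewwwi.onion ties that self-authenticated name to a CA-vouched
registered domain.
"""
import base64
import hashlib
import re
from typing import Callable, Iterable, Optional, Tuple

# 16 base32 characters followed by ".onion"
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")
BASE32_PREFIX_RE = re.compile(r"^[a-z2-7]+$")


def onion_v2_address(rsa_public_key_der: bytes) -> str:
    """Derive the v2 onion hostname from a DER-encoded PKCS#1 RSAPublicKey."""
    digest = hashlib.sha1(rsa_public_key_der).digest()[:10]  # first 80 bits
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def key_matches_address(rsa_public_key_der: bytes, claimed: str) -> bool:
    """The self-authentication check: does the key the service presents hash
    to the address the user obtained through a trusted out-of-band channel?"""
    return onion_v2_address(rsa_public_key_der) == claimed.strip().lower()


def cert_binds_names(san_dns_names: Iterable[str],
                     registered_domain: str, onion_address: str) -> bool:
    """The check Aeris describes: the cert's subjectAltName DNS entries must
    contain BOTH the registered domain and the onion address. A cert that
    carries only the registered domain says nothing about which onion
    service is the official one."""
    names = {n.strip().lower().rstrip(".") for n in san_dns_names}
    return (registered_domain.lower().rstrip(".") in names
            and onion_address.lower().rstrip(".") in names)


def expected_tries(prefix: str) -> int:
    """Work factor for a vanity prefix: each base32 character has 32 values,
    so a prefix of n characters costs about 32**n key generations."""
    return 32 ** len(prefix)


def find_vanity_onion(prefix: str, keygen: Callable[[], bytes],
                      max_tries: int) -> Optional[Tuple[bytes, str]]:
    """Brute-force search: generate keys until the derived address starts
    with `prefix`. Returns (key_der, address) or None if the budget runs out."""
    prefix = prefix.lower()
    if not BASE32_PREFIX_RE.match(prefix):
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    for _ in range(max_tries):
        der = keygen()
        addr = onion_v2_address(der)
        if addr.startswith(prefix):
            return der, addr
    return None


def make_stand_in_keygen() -> Callable[[], bytes]:
    """CONSTRUCTED stand-in for RSA key generation so the block runs offline.
    It returns distinct byte strings that merely look like the start of a
    DER SEQUENCE; a real search must generate a fresh RSA key per try, and
    the address derivation only ever sees the key's DER bytes."""
    counter = [0]

    def keygen() -> bytes:
        counter[0] += 1
        return b"\x30\x81\x89" + counter[0].to_bytes(8, "big")

    return keygen


if __name__ == "__main__":
    san = ["facebook.com", "facebookcorewwwi.onion"]      # names from the thread
    print("both names bound:", cert_binds_names(san, "facebook.com",
                                                "facebookcorewwwi.onion"))
    print("expected tries for 'facebook':", expected_tries("facebook"))
    hit = find_vanity_onion("a", make_stand_in_keygen(), 10_000)
    print("vanity hit:", hit[1] if hit else None)
```

The work factor is the practical answer to the brute-force question: a one-character prefix costs about 32 tries, eight characters about 32**8, which is why operators settle for a recognisable prefix and then pick the most readable candidate among many hits. Note that the SAN check is only as strong as the cert chain behind it; it is the EV validation, not the presence of the .onion string, that lets a user trust the binding.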


