[tor-talk] Tor hidden services and SSL certificates

Mike Cardwell tor at lists.grepular.com
Tue Oct 11 13:20:29 UTC 2011


On 11/10/11 14:05, alex mayer wrote:

> I'm working on a project that involves a secure installation of a
> web blog and a Jabber messenger service through Tor Hidden services.
> 
> I'm aware of SSL man-in-the-middle attacks by rogue Tor relay servers.
> How to protect the login credentials of the administrators and users while
> accessing the services? Which is the correct mitigation approach?
> 
> No SSL enabled?
> 
> Self generated SSL certificates?
> 
> Other form of confidentiality and integrity protection?

Hidden services are already encrypted end to end. They don't have the
MITM problems that using Tor to access Internet services has; there are
no Exit Nodes involved. So there's no real point in adding a layer
of SSL on top.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
