[tor-talk] HTTPS to hidden service unecessary?

Fabio Pietrosanti (naif) lists at infosecurity.ch
Tue Jul 10 05:59:16 UTC 2012


On 7/9/12 10:49 PM, Juenca R wrote:
>> - You want SSL client authentication
>>
>> - You want to use particular key exchange like TLS SRP
>> https://github.com/trevp/tlslite
> 
> These two things are really esoteric, aren't they? I mean, good technology, but not used very often?
Client-side authentication is widely used within e-government services
with smartcards. Maybe one day some government will try using Tor HS? :-)

TLS SRP is just relatively new, not "esoteric", and imho it will get
wider use, as it's TLS with shared-secret authentication rather than
CA-based authentication.
Especially when thinking about possible future integration with the upcoming
JavaScript TLS implementation https://github.com/digitalbazaar/forge .

However, if you don't need it, just don't care.

>> - You want the client to be able to trust a specific certificate and/or
>> CA that you already trusted over the internet/intranet
> 
> Good point, although the domain will mismatch, so you might still have the problem of the user needing to confirm a security exception.

You can have multiple hostnames within the same certificate.

At the same time you may have your own private CA (like most big
enterprises do), trust that, and use it for both "internet" hostnames and
"darknet" hostnames.


-naif
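As an added illustration (not part of the original thread) of naif's point that one certificate can carry both the clearnet and the hidden-service hostname, here is a small Python hostname matcher over the dict shape that `ssl.SSLSocket.getpeercert()` returns; every hostname below is a constructed placeholder, and chain/CA validation is assumed to happen separately in the trust store.

```python
# Constructed sample shaped like getpeercert() output (placeholder names only).
# One certificate, three dNSName SANs: clearnet, internal wildcard, and an .onion.
DUAL_NAME_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.internal.example.com"),
        ("DNS", "exampleplaceholderxyz.onion"),
    ),
}

# Legacy certificate: CN only, no subjectAltName. This is the case that
# triggers the "domain mismatch" security exception when reached via .onion.
CN_ONLY_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is only
    accepted as the entire leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.com', 'f*o.example.com' and '*.*.example.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a client may match against: SAN dNSName entries if present,
    otherwise the subject CN as a legacy fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert, hostname):
    """True if the presented certificate is valid for this hostname.
    Whether the issuing (possibly private) CA is trusted is a separate check."""
    return any(_dns_name_matches(name, hostname) for name in cert_names(cert))
```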

