[tor-talk] General question regarding tor, ssl and .onion.

Jeremy Rand biolizard89 at gmail.com
Sat Aug 8 07:00:47 UTC 2015


On 08/07/2015 10:16 PM, Seth David Schoen wrote:
> MaQ writes:
>> Hello,
>> I'm curious, I'm developing an app where sharing/collaboration
>> can be done by localhost through tor and .onion address between
>> pairs or multiples. When I use standard http there seems to not
>> be any problems connecting different computers, different IPs,
>> etc. and interacting, but when attempting to do it under https
>> there isn't any connection. Https is definitely functioning with
>> original hosts.
>> My question is, since things are already going through tor with 
>> .onion connections and things encrypted anyway, is not using ssl
>> really presenting any sort of serious compromise on anonymity?
>> Wouldn't it be sort of like encrypting the encryption?
> There is an ongoing discussion about how seriously one needs HTTPS
> with a .onion address.  There is already end-to-end encryption
> built into the Tor hidden service design, so communications with
> hidden services (even using an unencrypted application-layer
> protocol like HTTP) are already encrypted.
> A problem is that the encryption for the current generation of
> hidden services is below-par, technically, in comparison to modern
> HTTPS in browsers -- it uses less modern cryptographic primitives
> and shorter keylengths than would be recommended for HTTPS today.
> This will change eventually with future updates to the hidden
> service protocol, but right now there would be incremental
> cryptographic benefit from connecting to a hidden service via
> HTTPS.  But the encryption from HTTPS in this case serves the same
> purpose as the hidden service encryption, so you're indeed 
> "encrypting the encryption" when you use it.
> Unfortunately, it's hard to do today because certificate
> authorities are reluctant to issue certs for .onion names; the
> CA/Browser Forum has allowed them to do so temporarily, but only EV
> certificates can be issued, which cost money, take time, and
> sacrifice anonymity of the hidden service operator.
> The best-known example of a hidden service that managed to navigate
> the process successfully is
> https://facebookcorewwwi.onion/

It's theoretically possible to use naming systems like Namecoin to
specify TLS fingerprints for connections to Tor hidden services, which
would eliminate the need for a CA.  I'm hoping to have a proof of
concept of such functionality soon.

-Jeremy Rand
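The fingerprint-pinning idea Jeremy describes above, as an added example that is not code from this thread, from Namecoin, or from the proof of concept he mentions: the client skips CA chain validation entirely and instead compares the SHA-256 fingerprint of the certificate the hidden service presents against a fingerprint published under the service's name. The record format, the .onion name, the RECORDS lookup table and the certificate byte strings are constructed stand-ins for what a naming-system lookup would return; they are not real Namecoin data or real X.509 certificates.

```python
"""Pin a hidden service's TLS certificate by fingerprint instead of trusting a CA.

Added example, not code from the tor-talk thread or from Namecoin. The record
format, the .onion name and the certificate bytes below are constructed for
illustration only.
"""
import hashlib
import hmac
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex.

    This is the same value `openssl x509 -noout -fingerprint -sha256` prints,
    minus the colons, so an operator can compute it from their own cert.
    """
    return hashlib.sha256(der_cert).hexdigest()


def pin_record(der_cert: bytes) -> dict:
    """What the operator would publish under their name (assumed record shape)."""
    return {"tls": {"alg": "sha256", "fingerprint": cert_fingerprint(der_cert)}}


def verify_pinned_cert(onion_name: str, der_cert: bytes, records: dict) -> bool:
    """True only if a record exists for the name and its fingerprint matches."""
    rec = records.get(onion_name)
    if rec is None:
        return False  # no published pin: refuse, never fall back to CA trust
    pin = rec.get("tls", {})
    if pin.get("alg") != "sha256":
        return False  # unknown hash algorithm: treat as no usable pin
    expected = str(pin.get("fingerprint", "")).lower()
    actual = cert_fingerprint(der_cert)
    # Constant-time compare so a MITM cannot learn the pin byte by byte.
    return hmac.compare_digest(expected, actual)


def wrap_with_pin(sock, onion_name: str, records: dict):
    """Wrap an already-connected socket in TLS and enforce the pin.

    The socket is assumed to have been opened through Tor's SOCKS port by the
    caller; this function only handles the TLS layer. CA validation is turned
    off, so the fingerprint check below is the entire trust decision and must
    pass before any application data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no chain building, no CA store
    ssock = ctx.wrap_socket(sock, server_hostname=onion_name)
    der = ssock.getpeercert(binary_form=True)  # DER is returned even under CERT_NONE
    if der is None or not verify_pinned_cert(onion_name, der, records):
        ssock.close()
        raise ssl.SSLCertVerificationError(
            f"certificate presented for {onion_name} does not match the published pin"
        )
    return ssock


# Constructed sample data: not real certificates, just bytes standing in for
# the DER blob each server would present during the handshake.
SAMPLE_SERVER_CERT = b"\x30\x82\x01\x00constructed-der-placeholder-for-the-hidden-service"
IMPOSTOR_CERT = b"\x30\x82\x01\x00constructed-der-placeholder-for-a-mitm"
ONION = "exampleonionname.onion"  # constructed name, not a real hidden service

# Stand-in for the naming-system lookup: the operator published a pin for ONION.
RECORDS = {ONION: pin_record(SAMPLE_SERVER_CERT)}


if __name__ == "__main__":
    print("genuine cert accepted:", verify_pinned_cert(ONION, SAMPLE_SERVER_CERT, RECORDS))
    print("impostor cert accepted:", verify_pinned_cert(ONION, IMPOSTOR_CERT, RECORDS))
    print("unknown name accepted:", verify_pinned_cert("other.onion", SAMPLE_SERVER_CERT, RECORDS))
```

Two caveats a practitioner would want: with CERT_NONE the ssl module performs no validation at all, so the pin check has to run before the first byte of application data, and a missing record must be a hard failure rather than a fallback to the system CA store, otherwise a CA-misissued certificate would still be accepted. Rotating the server certificate means publishing the new fingerprint first, since clients compare against whatever the naming system currently returns.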

