[tor-talk] General question regarding tor, ssl and .onion.

Jeremy Rand biolizard89 at gmail.com
Sat Aug 8 07:00:47 UTC 2015


On 08/07/2015 10:16 PM, Seth David Schoen wrote:
> MaQ writes:
> 
>> Hello,
>> 
>> I'm curious, I'm developing an app where sharing/collaboration 
>> can be done by localhost through tor and .onion address between
>> pairs or multiples. When I use standard http there seems to not
>> be any problems connecting different computers, different IPs,
>> etc. and interacting, but when attempting to do it under https
>> there isn't any connection. Https is definitely functioning with
>> original hosts.
>> 
>> My question is, since things are already going through tor with 
>> .onion connections and things encrypted anyway, is not using ssl
>> really presenting any sort of serious compromise on anonymity?
>> Wouldn't it be sort of like encrypting the encryption?
> 
> There is an ongoing discussion about how seriously one needs HTTPS
> with a .onion address.  There is already end-to-end encryption
> built into the Tor hidden service design, so communications with
> hidden services (even using an unencrypted application-layer
> protocol like HTTP) are already encrypted.
> 
> A problem is that the encryption for the current generation of
> hidden services is below-par, technically, in comparison to modern
> HTTPS in browsers -- it uses less modern cryptographic primitives
> and shorter key lengths than would be recommended for HTTPS today.
> This will change eventually with future updates to the hidden
> service protocol, but right now there would be incremental
> cryptographic benefit from connecting to a hidden service via
> HTTPS.  But the encryption from HTTPS in this case serves the same
> purpose as the hidden service encryption, so you're indeed 
> "encrypting the encryption" when you use it.
> 
> Unfortunately, it's hard to do today because certificate
> authorities are reluctant to issue certs for .onion names; the
> CA/Browser Forum has allowed them to do so temporarily, but only EV
> certificates can be issued, which cost money, take time, and
> sacrifice anonymity of the hidden service operator.
> 
> The best-known example of a hidden service that managed to navigate
> the process successfully is
> 
> https://facebookcorewwwi.onion/
> 

It's theoretically possible to use naming systems like Namecoin to
specify TLS fingerprints for connections to Tor hidden services, which
would eliminate the need for a CA.  I'm hoping to have a proof of
concept of such functionality soon.

-Jeremy Rand
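An added example of what "specify TLS fingerprints" for a hidden service means on the client side (this is not code from the thread, from Tor, or from Namecoin): the client skips CA validation entirely and instead compares the SHA-256 of the certificate the .onion service presents against a pin published in a name record. The record layout, the names, and the certificate bytes below are constructed for illustration, and the socket handed to connect_pinned is assumed to be already connected to the hidden service through a Tor SOCKS proxy.

```python
"""Pin a hidden service's TLS certificate to an out-of-band fingerprint.

Added example; not code from the tor-talk thread, from Tor, or from
Namecoin.  Record layout, names and certificate bytes are constructed.
"""
import hashlib
import hmac
import json
import socket
import ssl
from typing import Optional

# Constructed stand-in for a DER-encoded certificate (not a real cert).
SAMPLE_CERT_DER = b"constructed DER stand-in, not a real certificate"

# Fingerprint in the colon-separated upper-case form openssl prints.
SAMPLE_FINGERPRINT = ":".join(
    f"{b:02X}" for b in hashlib.sha256(SAMPLE_CERT_DER).digest()
)

# Constructed name-system records (assumed layout, not Namecoin's spec):
# a name maps to a hypothetical .onion address and the leaf cert's SHA-256.
SAMPLE_RECORDS = json.dumps({
    "example.bit": {
        "onion": "hiddenservice.onion",
        "tls_sha256": SAMPLE_FINGERPRINT,
    },
})


def normalize_fingerprint(fp: str) -> str:
    """Return a SHA-256 fingerprint as 64 lower-case hex characters.

    Accepts bare hex or the colon/space separated forms tools print and
    rejects anything that is not exactly 32 bytes of hex.
    """
    cleaned = fp.strip().replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (32 bytes of hex)")
    return cleaned


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes (what `openssl x509 -fingerprint -sha256` hashes)."""
    return hashlib.sha256(der).hexdigest()


def lookup_pin(records_json: str, name: str) -> Optional[str]:
    """Return the published pin for `name`, or None if none is published.

    Callers must treat None as a hard failure, never as permission to fall
    back to an unauthenticated connection.
    """
    entry = json.loads(records_json).get(name)
    if not entry or "tls_sha256" not in entry:
        return None
    return normalize_fingerprint(entry["tls_sha256"])


def pin_matches(der: bytes, expected_fp: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der), normalize_fingerprint(expected_fp))


def pinned_client_context() -> ssl.SSLContext:
    """TLS client context whose identity check is the pin, not a CA chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA validation; the pin check replaces it
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(sock: socket.socket, onion_name: str, expected_fp: str) -> ssl.SSLSocket:
    """Wrap an already-connected socket (assumed to reach the hidden service
    via a Tor SOCKS proxy) in TLS and enforce the pin before returning it.

    Nothing is sent to the application until the pin check passes; on a
    mismatch the connection is closed and an error is raised.
    """
    tls = pinned_client_context().wrap_socket(sock, server_hostname=onion_name)
    try:
        der = tls.getpeercert(binary_form=True)  # DER is returned even when unvalidated
        if der is None or not pin_matches(der, expected_fp):
            raise ssl.SSLCertVerificationError(
                f"certificate for {onion_name} does not match the published pin"
            )
    except Exception:
        tls.close()
        raise
    return tls
```

Because verify_mode is CERT_NONE, the pin comparison is the only authentication the connection gets, so the check has to run before any request is written and a missing or stale record has to fail closed rather than degrade to "encrypted but unauthenticated".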