[tor-talk] Giving Hidden Services some love

[Matthew Puckey]

On Fri, 02 Jan 2015 18:06:53 -0800
"Jesse B. Crawford" <jesse at jbcrawford.us> wrote:

> [..]
> 
> Facebook having a signed SSL certificate for their hidden service
> reliably anchors it to their corporate identity, preventing phishing
> attacks and giving users confidence.

True. It seems /most/ of the conversation for encouraging CA use, is
giving user confidence by having "https" there; which /maybe/ could be
achieved by other means (my previous email RE Tor's blog post). While,
the idea within the Tor blog post is only theory right now (I guess?),
we should be looking at alternatives. I believe a network that
encourages the use of decentralized systems encouraging the use of a
fairly centralized CA system is a mistake; especially when there is
some rough ideas to look into.
> 
> [..]
> 
> Obviously this identity authentication is completely irrelevant when
> the hidden site operator intends to remain anonymous, but some hidden
> site operators, like Facebook, do not. They benefit from the strong
> authentication that SSL provides and Tor's built-in encryption does
> not.

In what way does Tor not currently provide 'strong' authentication?
Sorry, I might have misunderstood you.

> 
> (Well, Tor's built-in encryption does provide reliable tying of a
> hidden service to its address - but so does DNS in most practical
> situations, the whole problem is that users do not check that the
> hostname/hidden service key is exactly correct but will hopefully
> respond better to their browser's SSL indicator)

Not sure I would use DNS as an example of reliable authentication. As
above though, do you think current or future users would be checking
who issed the certificate? I don't think the typical user would. In
that scenerio, I would hope the difficulty in creating a too similar
hidden service address would create enough difference for users to
notice; though I might well be wrong here. But I see your point. :)

-- 
Matthew Puckey