[tor-talk] Giving Hidden Services some love

Jesse B. Crawford jesse at jbcrawford.us
Sun Jan 4 21:31:17 UTC 2015


On 2015-01-04 02:37, Peter Tonoli wrote:
> EV certificates don't fix any problem. The validation of a 'legal
> entity' is purely due to an agreed policy. A rogue, compromised, or
> alternate CA could release certificates with EV fields that don't
> 'rigorously' validate the organisation that applies for the certificate.

I am assuming here that users trust CAs - I think a fair assumption for
practical purposes since this is the foundation of the current
open-internet system. Fixing the problem in a general way is a much more
ambitious goal than just extending this assurance to Tor.

> Which contradicts with the point of hidden services in the first place,
> that neither party knows the other's identity [1].
> 
> [1] https://www.torproject.org/docs/hidden-services.html.en

Yet organizations like Facebook, DuckDuckGo, and others that do not
intend to remain anonymous operate hidden services. Clearly there are
use cases where anonymity is not a requirement and is even undesirable.
These are probably a minority, I agree, making this a small issue in the
grand scheme of things. Just one I thought worth explaining since SSL
came up.

jc
--
Jesse B. Crawford
Student, Information Technology
New Mexico Inst. of Mining & Technology

https://jbcrawford.us // jesse at jbcrawford.us
https://cs.nmt.edu/~jcrawford // jcrawford at cs.nmt.edu

