[tor-talk] trusting .onion services
Lara
lara.tor at emails.veryspeedy.net
Sun Jan 17 14:17:02 UTC 2016
Rejo Zenger:
> - How can a user reliably determine some .onion address actually
> belongs to the intended owner?
The user can call the admin and ask the admin to read aloud the key
fingerprint.
> - How is the provider of .onion service supposed to deal with a lost or
> compromised private key, especially from the point of view from the
> user of this service? How does the user know a .onion address has
> its key revoked?
Use any form of reliable communication to communicate the old key is
unreliable. I am not aware of a revoke system.
> By relying on
> the certificate signed by a trusted CA, the user can be sure the site he
> is connecting to actually belongs to a particular entity. With a
> .onion address that is no longer needed since those addresses are
> self-authenticating. Sounds good.
No. Through hacking or criminal intent the CAs are known to generate
fake keys that are certified too. This is why there is an SSL Observatory.
With any certificate you get that. Not only .onion addresses. And there
are quite a few sites in clearnet with self-signed certificates.
> As far as I can tell, Facebook has two solutions to this: it
> mentions the correct address in presentations, blogs and press coverage
> wherever it can and its TLS certificate mentions both the .onion address
> as well as its regular address (as Subject Alt Names).
This is why there might be any number of Fakebook.com, Faeebook.com,
Facebook.net. The big players buy a lot of these domains and use the
muscle to remove the others. But that is not for everybody.
Cheers