[tor-talk] onion routing MITM

Paul Syverson paul.syverson at nrl.navy.mil
Tue Jan 26 19:04:54 UTC 2016


This is false. 

First of all '.onion' is an officially recognized reserved top level
domain according to IETF RFC 7686.

Second, a CA _will_ validate a .onion address, but only to provide an
EV (extended validation) Cert. EV Certs are typically only
had by big companies etc. Typical browsers represent an EV cert by
showing the lock icon in green. Facebook and a couple of other entities
do have certs for their .onion addresses. Most .onion site operators are
likely to want DV (domain validation) certs, which are currently not
permitted under the guidelines of the CA/Browser Forum.

That is the current state of things, which is different from how things
were several months ago and will probably change again at some point.

aloha,
Paul

On Tue, Jan 26, 2016 at 06:37:24PM +0000, a55deaba at opayq.com wrote:
> A CA will not validate a '.onion' address since it's not an official TLD
> approved by ICANN. The numbers aren't random. From Wikipedia:
> 
> "16-character alpha-semi-numeric hashes which are automatically generated
> based on a public key <https://en.wikipedia.org/wiki/Public_key> when a hidden
> service
> <https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_services> is
> configured. These 16-character hashes can be made up of any letter of the
> alphabet, and decimal digits from 2 to 7, thus representing an 80-bit
> number in base32 <https://en.wikipedia.org/wiki/Base32>. It is possible to
> set up a human-readable .onion URL (e.g. starting with an organization
> name) by generating massive numbers of key pairs
> <https://en.wikipedia.org/wiki/Public-key_cryptography> (a computational
> process that can be parallelized
> <https://en.wikipedia.org/wiki/Parallelized>) until a sufficiently
> desirable URL is found."[2]
> <https://en.wikipedia.org/wiki/.onion#cite_note-scallion-2>[3]
> <https://en.wikipedia.org/wiki/.onion#cite_note-facebook_url-3>
> 
> Cheers,
> yodablue
> 
> On Tue, Jan 26, 2016 at 1:32 PM lists.torproject.org [Masked]
> <FWD-737QLY3MGNAYSQFGAHIDLIAC2AJOAZ4BKBNCRYADXAICEWBKGA4GYNTQE4MCKZVAFMRQA3BHMAEPUEBAAAQA====@
> opayq.com> wrote:
> 
> >
> >
> > I'm new to tor, trying to understand some stuff.
> >
> > I understand the .onion TLD is not an officially recognized TLD, so it's not
> > resolved by normal DNS servers. The FAQ seems to say that tor itself resolves
> > these, not to an IP address, but to a hidden site somehow.
> >
> > When I look at thehiddenwiki.org, I see a bunch of .onion sites, with random
> > looking names. Why is this? What if someone at thehiddenwiki.org registered a
> > new .onion site (for example http://somerandomletters.onion), which then
> > relayed traffic to duck-duck-go (http://3g2upl4pq6kufc4m.onion)?
> > Thehiddenwiki could give me the link http://somerandomletters.org, and of
> > course I would never know the difference between that and
> > http://3g2upl4pq6kufc4m.onion
> >
> > Without trusting a CA to validate a site name, what prevents MITM attacks? Am
> > I supposed to get the duckduckgo URL from a trusted friend of mine, and then
> > always keep it?
> > --
> > tor-talk mailing list - tor-talk at lists.torproject.org
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> >
> >
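Added worked example (not part of this thread, and not Tor's own code): the derivation the quoted Wikipedia passage describes, written out so the self-authenticating property behind the original MITM question is visible. A 16-character v2 address is the first 80 bits of the SHA-1 digest of the DER-encoded RSA public key, base32-encoded; whoever hands you an address therefore cannot serve it without the matching private key, and a relay at a different address (the `somerandomletters` case) simply is not the same address. The example goes beyond the thread by also covering the later 56-character v3 format (ed25519 public key, 2-byte SHA3-256 checksum, version byte 3). The RSA modulus `DEMO_N` and the 32-byte ed25519 key are constructed placeholders, not real keys; the function names are this example's own. What no hash fixes is the step the thread ends on: if a directory gives you the wrong address in the first place, the address still verifies its own key, just not the one you wanted, so the address must come from a source you trust.

```python
import base64
import hashlib
import re

# --- DER encoding of a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e } ---
# (v2 addresses hash this DER structure, not the raw modulus)

def der_length(length: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if length < 128:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, leading 0x00 if the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def der_rsa_public_key(n: int, e: int) -> bytes:
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body

# Constructed demo modulus (NOT a real key; any integer shows the derivation).
DEMO_N = int.from_bytes(hashlib.sha256(b"constructed demo modulus").digest() * 4, "big") | 1
DEMO_E = 65537

# --- v2 (16-character) addresses, the kind discussed in the thread ---

V2_RE = re.compile(r"^[a-z2-7]{16}$")   # base32 alphabet: a-z and digits 2-7

def v2_address_from_digest(sha1_digest: bytes) -> str:
    """Keep the first 80 bits (10 bytes) of the digest; base32 gives exactly 16 chars."""
    return base64.b32encode(sha1_digest[:10]).decode("ascii").lower()

def v2_address(rsa_public_key_der: bytes) -> str:
    return v2_address_from_digest(hashlib.sha1(rsa_public_key_der).digest())

def v2_well_formed(address: str) -> bool:
    return V2_RE.match(address) is not None

def v2_matches_key(address: str, rsa_public_key_der: bytes) -> bool:
    """True only if this key produces this address: a different key cannot claim it."""
    return v2_well_formed(address) and v2_address(rsa_public_key_der) == address

# --- v3 (56-character) addresses: pubkey(32) || checksum(2) || version(1) ---

V3_VERSION = b"\x03"

def v3_checksum(ed25519_pubkey: bytes, version: bytes = V3_VERSION) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + ed25519_pubkey + version).digest()[:2]

def v3_encode(ed25519_pubkey: bytes, checksum: bytes, version: bytes) -> str:
    return base64.b32encode(ed25519_pubkey + checksum + version).decode("ascii").lower()

def v3_address(ed25519_pubkey: bytes) -> str:
    return v3_encode(ed25519_pubkey, v3_checksum(ed25519_pubkey), V3_VERSION)

def v3_verify(address: str) -> bool:
    """Check length, alphabet, version byte and that the embedded checksum matches."""
    if not re.fullmatch(r"[a-z2-7]{56}", address):
        return False
    raw = base64.b32decode(address.upper())           # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == V3_VERSION and checksum == v3_checksum(pubkey, version)

if __name__ == "__main__":
    der = der_rsa_public_key(DEMO_N, DEMO_E)
    addr = v2_address(der)
    print(addr + ".onion", "matches demo key:", v2_matches_key(addr, der))
    print(v2_well_formed("3g2upl4pq6kufc4m"), v2_well_formed("somerandomletters"))
    demo_pk = bytes(range(32))                        # constructed, not a real ed25519 key
    print(v3_address(demo_pk) + ".onion", "verifies:", v3_verify(v3_address(demo_pk)))
```

Running it prints a 16-character address for the demo key and confirms that the same DER reproduces it, that the duckduckgo address from the thread is well formed while `somerandomletters` (17 characters) is not, and that the v3 address round-trips through its checksum.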

