[tor-talk] Tor and Google error / CAPTCHAs.

Alec Muffett alec.muffett at gmail.com
Tue Oct 4 07:01:09 UTC 2016


On 4 October 2016 at 01:51, Jeremy Rand <jeremyrand at airmail.cc> wrote:

> Alec Muffett:
>
> I'm curious what the advantage is in this respect of .onion compared to
> using TLS with manual fingerprint verification.
>

I like to look at Onions from the perspective of a network engineer:

- it's a lightweight near-equivalent (and in no way as powerful as, but
hey, it's an 80% solution which requires zero setup) to Layer-2 / IPsec
AH+ESP

- this means it operates and is available at the "Link Layer" and is
inherited by any protocol which uses it, including plaintext HTTP,
plaintext Telnet, etc

- In IPsec, AH means "Authentication Header", extra metadata that IPsec
sends, using certs and keys and shit, to guarantee that you are talking to
the machine that you asked for

- In Onion, if you can type in the address and get connected, you are
talking to the machine that you asked for

- In IPsec, ESP means "Encapsulating Security Payload", extra metadata on
the packet which stops people tampering with, or reading the packet

- In Onion, all that shit comes pre-packaged from Tor, with zero user setup.

- Onion also routes around blocks

So my position is that Onion routing is "cheap-ass IPsec, without all the
configuration BS, and *yay* with E2E/disintermediation".

That is _really_ cool; at a stroke you selectively bypass a bunch of
internet balkanization technologies and reconnect people like it's 1990 all
over again.

I'm old enough to remember when `finger username at host.subdomain.tld`
actually worked and was useful; there's a lot you can build with that kind
of connectivity.



> My best guess is that .onion has better usability today with current
> tools.


That's also nice.



> But it seems to me that it wouldn't be incredibly hard to
> produce a SOCKS proxy to support a ".tlsexplicit" TLD where the SOCKS
> proxy drops the connection to "www.google.com.<fingerprint>.tlsexplicit"
> if the server doesn't present a TLS cert that matches <fingerprint>.
>

Could do that, but then you'd just be reinventing IPsec-like features at
layer 4, rather than at pseudo-layer-2.

I shall elide your other question, because - as should be obvious by now -
I rate Onions highly for qualities other than the "anonymity" and
"location hiding" - which are obviously very important to other people.

    - alec


-- 
http://dropsafe.crypticide.com/aboutalecm
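
Added example, not part of the original message and not code from either poster: a sketch of the name parsing and pin check that the ".tlsexplicit" SOCKS proxy idea quoted above would need. It assumes the fingerprint is the SHA-256 of the DER certificate, base32-encoded so that it fits within a 63-character DNS label (64 hex characters would not); the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac

SUFFIX = ".tlsexplicit"  # hypothetical TLD proposed in the thread
PIN_LEN = 52             # unpadded base32 length of a 32-byte SHA-256 digest


def make_name(host, der_cert):
    """Build <host>.<pin>.tlsexplicit for a known-good certificate."""
    digest = hashlib.sha256(der_cert).digest()
    label = base64.b32encode(digest).decode().rstrip("=").lower()
    return f"{host}.{label}{SUFFIX}"


def split_pinned_name(name):
    """Return (real_host, pin_bytes); raise ValueError on a malformed name."""
    name = name.lower().rstrip(".")
    if not name.endswith(SUFFIX):
        raise ValueError("not a .tlsexplicit name")
    host, _, label = name[: -len(SUFFIX)].rpartition(".")
    if not host or len(label) != PIN_LEN:
        raise ValueError("expected <host>.<52-char pin>.tlsexplicit")
    try:
        pin = base64.b32decode(label.upper() + "====")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("pin is not valid base32") from exc
    return host, pin


def should_relay(requested_name, der_cert):
    """Proxy decision: (real_host, True) to relay, (real_host, False) to drop.

    In a real proxy der_cert would come from
    ssl.SSLSocket.getpeercert(binary_form=True) after connecting to real_host.
    """
    host, pin = split_pinned_name(requested_name)
    presented = hashlib.sha256(der_cert).digest()
    return host, hmac.compare_digest(pin, presented)


# Constructed byte strings standing in for DER-encoded certificates.
SAMPLE_CERT_EXPECTED = b"constructed-der-certificate-A"
SAMPLE_CERT_OTHER = b"constructed-der-certificate-B"

if __name__ == "__main__":
    pinned = make_name("www.google.com", SAMPLE_CERT_EXPECTED)
    print(pinned)
    print(should_relay(pinned, SAMPLE_CERT_EXPECTED))
    print(should_relay(pinned, SAMPLE_CERT_OTHER))
```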

