Re: [tor-dev] Hidden Service authorization UI

On 09/11/14 12:50, George Kadianakis wrote: > Hidden Service authorization is a pretty obscure feature of HSes, that > can be quite useful for small-to-medium HSes. > > Basically, it allows client access control during the introduction > step. If the client doesn't prove itself, the Hidden Service

Re: [tor-dev] Hidden Service authorization UI

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 09/11/14 12:50, George Kadianakis wrote: > I suspect that HS authorization is very rare in the current > network, and if we believe it's a useful tool, it might be > worthwhile to make it more useable by people. For what it's worth, the reason I

Re: [tor-dev] Hidden Service authorization UI

On Sun, Nov 9, 2014, at 07:50 AM, George Kadianakis wrote: > Hidden Service authorization is a pretty obscure feature of HSes, that > can be quite useful for small-to-medium HSes. ... > For example, it would be interesting if TBB would allow people to > input a password/pubkey upon visiting a prot

Re: [tor-dev] Hidden Service authorization UI

It is verifiable. In authenticated hidden services, the introduction points are first encrypted and then base64 encoded. So a simple test is: When base64 decoded, is the MSB bit set on any bytes ? If yes, then it's probably authenticated, otherwise not. Note, you can use the Tor research framew

Re: [tor-dev] Hidden Service authorization UI

On Sun, Nov 09, 2014 at 09:16:40PM -0500, Griffin Boyce wrote: > On 2014-11-09 15:30, Fabio Pietrosanti - lists wrote: > >On 11/9/14 8:58 PM, Jacob Appelbaum wrote: > >>>For example, it would be interesting if TBB would allow people to > >>>input a password/pubkey upon visiting a protected HS. Prot

Re: [tor-dev] Hidden Service authorization UI

On 2014-11-09 15:30, Fabio Pietrosanti - lists wrote: On 11/9/14 8:58 PM, Jacob Appelbaum wrote: For example, it would be interesting if TBB would allow people to input a password/pubkey upon visiting a protected HS. Protected HSes can be recognized by looking at the "authentication-required" fi

Re: [tor-dev] Hidden Service authorization UI

On Sun, Nov 9, 2014 at 3:30 PM, Fabio Pietrosanti - lists wrote: > On 11/9/14 8:58 PM, Jacob Appelbaum wrote: >>> For example, it would be interesting if TBB would allow people to >>> input a password/pubkey upon visiting a protected HS. Protected HSes >>> can be recognized by looking at the "auth

Re: [tor-dev] Hidden Service authorization UI

On 11/9/14 8:58 PM, Jacob Appelbaum wrote: >> For example, it would be interesting if TBB would allow people to >> input a password/pubkey upon visiting a protected HS. Protected HSes >> can be recognized by looking at the "authentication-required" field of >> the HS descriptor. Typing your passwo

Re: [tor-dev] Hidden Service authorization UI

> In the future "Next Generation Hidden Services" specification there > are again two ways to do authorization: > https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt#l1446 > One way is with a password and the other is with a public key. A {shared secret,key} and a u

Re: [tor-dev] Hidden Service authorization UI

I'm probably missing significant Tor development history here, but section 5.2 of the tor design paper mentions using the domain format x.y.onion where x is used for authorization and y.onion is used for actual the actual addressing. I'm not

Re: [tor-dev] Hidden Service authorization UI

SecureDrop (and former Firefox) dev here. A few months ago I started working on a patch to support prompting users for an authenticated hidden service cookie in the manner of HTTP Basic Auth. [0] We require journalists who use SecureDrop to download submissions from an authenticated Tor hidden serv

Re: [tor-dev] Hidden Service authorization UI

On Sun, 9 Nov 2014 16:19:24 + Andrea Shepard wrote: > How would Tor Browser learn about this reason for not being able to > connect/ tell Tor the authentication info? This is starting to sound > like wanting SOCKS5 extensions to indicate different causes for > connection failures in #6031 di

Re: [tor-dev] Hidden Service authorization UI

On Sun, Nov 09, 2014 at 12:50:00PM +, George Kadianakis wrote: > I suspect that HS authorization is very rare in the current network, > and if we believe it's a useful tool, it might be worthwhile to make > it more useable by people. Yes, HS authoritzation is rare. It's rare enough that it wa

Re: [tor-dev] Hidden Service authorization UI

On Sun, Nov 09, 2014 at 08:18:40AM -0500, Griffin Boyce wrote: > So most of my work over the next three days is writing and editing > documentation on hidden services. > > I'm in Boston and the purpose of this trip is to rewrite existing > documentation to be more useful, but with authenticated h

Re: [tor-dev] Hidden Service authorization UI

So most of my work over the next three days is writing and editing documentation on hidden services. I'm in Boston and the purpose of this trip is to rewrite existing documentation to be more useful, but with authenticated hidden services, what's available is extremely sparse. GlobaLeaks and S

[tor-dev] Hidden Service authorization UI

Hidden Service authorization is a pretty obscure feature of HSes, that can be quite useful for small-to-medium HSes. Basically, it allows client access control during the introduction step. If the client doesn't prove itself, the Hidden Service will not poroceed to the rendezvous step. This allow