Hi Ben,

On Sun, May 17, 2015 at 11:26:41AM -0000, Ben wrote:
> Hi all,
>
> I've got a (www) site that I'm debating making available as a Hidden
> Service, and I was wondering what people's thinking on doing this was
> nowadays.

I'm presenting a short paper I wrote with Griffin Boyce "Genuine onion: Simple, Fast, Flexible, and Cheap Website Authentication" on almost exactly this topic at the IEEE Workshop on Web 2.0 Security & Privacy on Thursday. You can get it at
http://www.nrl.navy.mil/itd/chacs/syverson-genuine-onion-simple-fast-flexible-and-cheap-website-authentication
or get both the paper and slides from
http://ieee-security.org/TC/SPW2015/W2SP/

The basic idea is to use onion services for better authentication. Partly perhaps because of our unfortunate original choice of terminology (Hidden Service) we haven't as much emphasized the self-authenticating property of these services as the hiding. We treat hiding in this work as basically an orthogonal issue, although we do discuss some advantage in that respect as well.

TLS Certs are problematic for various reasons and for onion addresses are currently only available for extended validation, which is a nonstarter for most people. The binding for the two sites (which may or may not be two paths to the same web server) we suggest is GPG signatures on both addresses posted on both sites. This can be easily used right now w/ existing tools, which is great but obviously is highly manual. So "easily" is in the eye of the beholder.

We discuss use cases, protections, efficiencies, and conveniences provided. Also complementarity to TLS, automation, and the potential for integration with existing tools such as Convergence and Monkeysphere. Also, integration with the ahmia onion service search engine.

aloha,
Paul

--
tor-talk mailing list - tor-talk@lists.torproject.org
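
As an added example, not part of the original message or the paper: one way to do the binding described above, with a single clearsigned statement naming both addresses that a visitor fetches from either site and checks against a pinned key fingerprint. It assumes GnuPG 2.1 or later; the addresses, the identity, the statement wording and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the paper): addresses, identity and statement
# wording below are constructed placeholders.

# verify_binding HOMEDIR FINGERPRINT SIGNED_FILE ADDR...
# Succeeds only if SIGNED_FILE carries a good signature from the pinned key
# FINGERPRINT and the signed text itself lists every ADDR on its own line.
verify_binding() {
    local home="$1" fpr="$2" file="$3" body status addr rc=0
    shift 3
    body=$(mktemp); status=$(mktemp)
    # --decrypt on a clearsigned file verifies it and prints only the signed text
    gpg --homedir "$home" --batch --status-fd 3 --decrypt "$file" \
        >"$body" 2>/dev/null 3>"$status" || rc=1
    grep -q '^\[GNUPG:\] GOODSIG ' "$status" || rc=1
    # Pin the signer: the last VALIDSIG field is the primary key fingerprint
    grep -q "^\[GNUPG:\] VALIDSIG .* $fpr\$" "$status" || rc=1
    for addr in "$@"; do
        tr -d '\r' <"$body" | grep -qxF -- "$addr" || rc=1
    done
    rm -f "$body" "$status"
    return "$rc"
}

# demo_gpg HOMEDIR ARGS...: non-interactive gpg for the unprotected demo key
demo_gpg() {
    local home="$1"; shift
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# make_demo DIR: operator side. Creates a throwaway key in DIR/gnupg, signs
# the statement into DIR/statement.asc and prints the key fingerprint.
make_demo() {
    local dir="$1" home="$1/gnupg"
    mkdir -m 700 "$home"
    demo_gpg "$home" --quick-generate-key 'Example Site <admin@example.org>' \
        default default never 2>/dev/null || return 1
    printf '%s\n' 'The following addresses are the same site:' \
        'https://www.example.org' 'http://exampleonionaddr.onion' >"$dir/statement.txt"
    demo_gpg "$home" --output "$dir/statement.asc" --clearsign "$dir/statement.txt" || return 1
    demo_gpg "$home" --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

if command -v gpg >/dev/null; then
    demo=$(mktemp -d)
    pinned=$(make_demo "$demo")
    verify_binding "$demo/gnupg" "$pinned" "$demo/statement.asc" \
        'https://www.example.org' 'http://exampleonionaddr.onion' &&
        echo "binding verified for key $pinned"
fi
```

In real use the visitor's keyring holds only the site's public key, and the fingerprint is obtained out of band rather than from the site being checked.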