On 08/07/2015 10:16 PM, Seth David Schoen wrote:
> MaQ writes:
>
>> Hello,
>>
>> I'm curious. I'm developing an app where sharing/collaboration
>> can be done by localhost through Tor and .onion addresses between
>> pairs or multiples. When I use standard HTTP there seem to not
>> be any problems connecting different computers, different IPs,
>> etc. and interacting, but when attempting to do it under HTTPS
>> there isn't any connection. HTTPS is definitely functioning with
>> the original hosts.
>>
>> My question is, since things are already going through Tor with
>> .onion connections and things are encrypted anyway, is not using SSL
>> really presenting any sort of serious compromise on anonymity?
>> Wouldn't it be sort of like encrypting the encryption?
>
> There is an ongoing discussion about how seriously one needs HTTPS
> with a .onion address. There is already end-to-end encryption
> built into the Tor hidden service design, so communications with
> hidden services (even using an unencrypted application-layer
> protocol like HTTP) are already encrypted.
>
> A problem is that the encryption for the current generation of
> hidden services is below par, technically, in comparison to modern
> HTTPS in browsers: it uses less modern cryptographic primitives
> and shorter key lengths than would be recommended for HTTPS today.
> This will change eventually with future updates to the hidden
> service protocol, but right now there would be incremental
> cryptographic benefit from connecting to a hidden service via
> HTTPS. But the encryption from HTTPS in this case serves the same
> purpose as the hidden service encryption, so you're indeed
> "encrypting the encryption" when you use it.
>
> Unfortunately, it's hard to do today because certificate
> authorities are reluctant to issue certs for .onion names; the
> CA/Browser Forum has allowed them to do so temporarily, but only EV
> certificates can be issued, which cost money, take time, and
> sacrifice anonymity of the hidden service operator.
>
> The best-known example of a hidden service that managed to navigate
> the process successfully is
>
> https://facebookcorewwwi.onion/
>

It's theoretically possible to use naming systems like Namecoin to
specify TLS fingerprints for connections to Tor hidden services, which
would eliminate the need for a CA. I'm hoping to have a proof of
concept of such functionality soon.

-Jeremy Rand

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
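The client side of the scheme Jeremy sketches, as an added example that is not code from any poster in this thread or from Namecoin: instead of asking a CA to vouch for the .onion name, the client carries an expected certificate fingerprint obtained out of band (a Namecoin record, a config file, a QR code) and refuses the TLS session if the presented certificate does not match. The example also shows the Tor-specific SOCKS5 detail that trips up HTTPS clients: the .onion name must be sent to Tor as a domain name (ATYP 0x03) so that Tor resolves it, never a local resolver. Everything here is an assumption for illustration: Tor's SOCKS port at 127.0.0.1:9050, a self-signed leaf certificate on the service, and a pin defined as the SHA-256 of that certificate's DER encoding.

```python
"""Fingerprint-pinned TLS to a .onion service through Tor's SOCKS5 port.

Added example for the tor-talk thread above; not code from any poster.
Assumptions: Tor's SocksPort is 127.0.0.1:9050, the service presents a
self-signed leaf certificate, and the pin is SHA-256 over that cert's DER.
"""
import hashlib
import hmac
import socket
import ssl
import struct
import sys

TOR_SOCKS = ("127.0.0.1", 9050)  # assumed default Tor SocksPort


def cert_fingerprint(der: bytes) -> str:
    """Lower-case hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare a certificate against a pin given as 'AB:CD:..' or 'abcd..'."""
    want = expected.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der), want)


def socks5_connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT with ATYP 0x03 (domain name) so Tor resolves the
    .onion itself; a local DNS lookup would fail and leak the name."""
    name = host.encode("ascii")
    if not 0 < len(name) <= 255:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def parse_socks5_reply(reply: bytes) -> int:
    """Return the REP field of a SOCKS5 reply (0 means succeeded)."""
    if len(reply) < 4 or reply[0] != 0x05:
        raise ValueError("malformed SOCKS5 reply")
    return reply[1]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS connection closed early")
        buf += chunk
    return buf


def _read_socks5_reply(sock: socket.socket) -> bytes:
    head = _recv_exact(sock, 4)  # VER REP RSV ATYP
    atyp = head[3]
    if atyp == 0x01:
        rest = _recv_exact(sock, 4 + 2)   # IPv4 BND.ADDR + BND.PORT
    elif atyp == 0x04:
        rest = _recv_exact(sock, 16 + 2)  # IPv6 BND.ADDR + BND.PORT
    elif atyp == 0x03:
        ln = _recv_exact(sock, 1)
        rest = ln + _recv_exact(sock, ln[0] + 2)
    else:
        raise ValueError("unknown ATYP in SOCKS5 reply")
    return head + rest


def pinned_tls_context() -> ssl.SSLContext:
    """No CA or hostname check (a .onion name has no CA chain here); the
    trust decision is made by the pin instead. Modern TLS versions only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(onion_host: str, port: int, expected: str,
                   socks=TOR_SOCKS, timeout: float = 60.0) -> ssl.SSLSocket:
    """TLS socket to onion_host:port via Tor, rejecting any certificate whose
    SHA-256 differs from `expected`."""
    sock = socket.create_connection(socks, timeout=timeout)
    sock.sendall(b"\x05\x01\x00")  # greeting: one method offered, no auth
    if _recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("Tor refused SOCKS5 no-auth method")
    sock.sendall(socks5_connect_request(onion_host, port))
    rep = parse_socks5_reply(_read_socks5_reply(sock))
    if rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep}")
    tls = pinned_tls_context().wrap_socket(sock, server_hostname=onion_host)
    der = tls.getpeercert(binary_form=True)  # DER is returned even with CERT_NONE
    if der is None or not fingerprint_matches(der, expected):
        tls.close()
        raise ssl.SSLCertVerificationError("certificate does not match pin")
    return tls


if __name__ == "__main__":
    # usage: python pin_onion.py <name>.onion <sha256-hex-pin>  (your own values)
    host, pin = sys.argv[1], sys.argv[2]
    with connect_pinned(host, 443, pin) as conn:
        conn.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        print(conn.recv(512).decode(errors="replace"))
```

Two caveats a practitioner would want. The pin is over the whole leaf certificate, so rotating the certificate means publishing a new fingerprint in the out-of-band record before switching; pinning the SubjectPublicKeyInfo instead would survive re-issuance under the same key. And `CERT_NONE` is only safe because the pin check runs before any application data is sent; if the comparison is skipped or moved after the first write, the connection is no better than plain HTTP inside the Tor circuit.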