-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 11/17/2014 08:15 PM, Lisa M. Brownlee wrote: > > I am writing to request your intelligence regarding Deep Web > intellectual property due diligence > *** Hi Lisa,
you may want to avoid using the "Deep Web" term. It's not like it means anything but conveys some sort of Deep Water Horizon feeling, or Nemo if you're optimist. > > What, specifically, are the security issues associated with Deep Web > “vanity” addresses (e.g. https://facebookcorewwwi.onion/ - with or > without SSL cert; http://silkroad6ownowfk.onion/welcomeetc.). > *** I think vanity addresses for onion sites, being easier to remember, can be harder to forge. I bet you typed the facebook one from memory. That's a very good point for them, because then facebookcarewwwi.onion might not trick you, if someone has the sheer luck of finding a private key for that one. So that may come as a positive security point. Nevertheless, silkroad* has had more variants, and less memorable than the exceptional facebook one, so unless you're very careful about the original address you've visited, you might be "phished" into visiting a fake onion site. TLS certificates should not be issued to non-DNS entities, such as onion services, because the client may verify the validity of that certificate by contacting one or more external URLs, especially URLs outside of the onion space, and that may lead to a breach of privacy, also because looking up the .onion in the DNS is not supposed to happen. So self-signed certificates add a layer of encryption on top of Tor's, but the recent official grant of a certificate to facebookcorewwwi.onion is actually a mistake, as TLS certificates belong to DNS, while .onion domains are not resolvable by DNS mechanisms. This has been a concern for a while, and some people are working on having this issue recognized by IETF and sanctioned by IANA to instruct ICANN to reserve the .onion pseudo-TLD out of the DNS TLDs. [0] > What types of due diligence data can be found on the Deep Web (please > provide specific .onion URLs) and what service do you use to access it > (e.g. search engine, BrightPlanet, etc.) –> regarding: > *** I cannot answer that question. == hk [0] I-D. "Special-Use Domain Names of Peer-to-Peer Systems", currently expired, latest draft at https://datatracker.ietf.org/doc/draft-grothoff-iesg-special-use-p2p-names/, soon to be updated with new information relevant to the above-mentioned case. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJUaox6XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ3MDM3QTJCNjlFNkMxQzA1NjI4RDUzOEZE OEU3QkQ4MDk0MUM4MjkzAAoJENjnvYCUHIKT8QEP/i/D22vspCD33OjlcbQ0F6il n6RZIj5MFT3lcs0PM991apEb2Yw8GTV6BFEeZpE2/G/3sNrrCW7vvqcVlU0E3iDM DZsyylzdzF+3cq8yT/jLEyrWDJn9MhrxsxGMaXSMHxojPjoc3x4G8NXVmipDA+dp 6IiBIXoGOYUpZuKO62/BQ/ibIzuF2XqA0REPSsJ0BKfLDPsbVIDPS+IKd5JBMXhp EXAn2YF1HRySRmnoKJKYf/15yRGa7tS0PadGlDhKgR4Qh+6s25gT1Q5jB+5dJEUA BMX++xQFN81tyOIsjv7I+NfJKPW88IopOSYM6yzYTf6/s7YHCS5rGG2PbnU9VlyY 6+56KWMFAuBAAGSyhXZTPx0+RsTFKJe+zm+BJIpNd6fqdSFU+gzIwVr7nKUVjl+W 2eE1jl38OMWbCQSN9krqnoDmlXBsHcGX+JkX54jEFl+WqR2+qNypIS694Td+svmQ lEZS2jhqC5njfHI33/ZQ924xs++Y6TFBKYKFXGquoQSZW8C6eNnINftvvXoP/+Wk tMtiVgMpryeHmPj1EkL/3xsyZ1BGuGzdN2KMlAXrPvgfzlHLkuriUj+qQvqkmq// xRVaxBCH3JwURoO/1zkqMxPBlTEO/5JskUsKIi0OSi2Kyi93o0xpF/RSa0A50sFu ixR+ZHlVm3Snw+Q8tKdE =IxZS -----END PGP SIGNATURE----- -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
