On 12/29/2015 01:16 PM, bernard wrote:
>
> On 29/12/2015 19:38, Jesse V wrote:
>> A few hidden services have added an
>> HTTPS cert but I think that's mostly for a publicity stunt than anything
>> else.
>
> (I am not commenting on the technical necessity of a cert.)
>
> No, I think the point that was made at today's talk (and correct me if I
> got it wrong) was that if I am the operator of, for example,
> www.bigclearwebwebsite.com (who, by default of big known to the
> Internet, I am not worried about the anonymity of my site or those who
> operate it).
>
> I want to create a www.bigclearwebwebsite.onion site (which of course
> would be more like www.xhsjeflflajdfyeysksldpfiejcc.onion), I can do
> this by getting an HTTPS cert for my .onion address.
>
> The objective of it (from a user's point of view) would be the tying the
> identity of the *clear web* site and the *.onion site* together to give
> the user some trust that bigclearwebwebsite.onion is in fact the same as
> the .com site.
>
> (Replace bigclearwebwebsite. with DuckDuckGo, Facebook, etc)

True. But I don't see that it helps much for onion sites that aren't tied to well-known clearweb sites. Spoofers could also get HTTPS certs. And users couldn't tell them apart. I've been playing with GnuPG-signed pages, with the public key available from multiple independent sources. But of course, it's a bit much to expect users to verify signatures.

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays