> On 30 Dec 2015, at 13:55, Paul Syverson <[email protected]> wrote: > > On Tue, Dec 29, 2015 at 12:27:06PM -0900, Jesse V wrote: >> On 12/29/2015 11:18 AM, Aeris wrote: >>>> A few hidden services have added an >>>> HTTPS cert but I think that's mostly for a publicity stunt than anything >>>> else. >>> >>> As indicated in the roger’s lecture, HTTPS is usefull for HS : >>> - browsers handle more securely cookies or other stuff in HTTPS mode, >>> avoiding some possible leaks >>> - because anybody can create an HS and proxify any content, X.509 certs >>> allow users to verify the authenticity of the HS (you are on the official >>> Facebook HS if you have a cert with facebook.com *AND* >>> facebookcorewwwi.onion >>> inside) >>> >> >> I've downloaded the .webm of Roger's lecture but haven't had the time >> today to listen to it. My point was that HSs already have an >> authentication mechanism and it's assumed that you can verify the >> address through some trusted out-of-band method, so in that case you >> don't need an SSL cert. This can sometimes be superior to trusting the >> centralized CA model, but I agree that the points you've listed are >> useful applications as well. >> > > In case it is helpful. Griffin Boyce and I have a paper forthcoming in > IEEE Security & Privacy Magazine on this topic. The final editorial > changes are not in so it might change a little, but you can find the > hopefully-close-to-final version at > https://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdf > > <https://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdf> > > It covers > > - How the self-authentication of onionsites that Jesse has been noting > and the SSL certs for registered-domain websites that Benoit asked > about can complement each other in a variety of ways---and not just > for big companies but for individuals, small businesses, local > organizations, clubs, sports teams, etc. > > - The current state of certs for onionsites (EV only), and what > the issues are that stand in the way of DV certs and a proposal > for resolving them. > > - How this can all dovetail nicely with Let's Encrypt (an issuance > and usage design that binds things together nicely so it is hard to > undetectably set up a spoof onionsite of another onionsite > of a registered-domain site, etc. and vice versa) once DV certs > are allowed. > > - A description of using GPG that can be done right now while waiting > for the world to catch up, and an existing example of a site that > does such binding (from a small site operator who found his hosting > provider was blocking access from the Tor network). We just cited > one such example in the paper, but there are of course others, e.g., > https://blog.patternsinthevoid.net/isis.txt > <https://blog.patternsinthevoid.net/isis.txt> > > aloha, > Paul > _______________________________________________ > tor-relays mailing list > [email protected] <mailto:[email protected]> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>
Thanks it's useful :) I am know wondering how i can bruteforce a clear name for my site like facebook but i think it's all good for the rest :) - benoît
_______________________________________________ tor-relays mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
