MaQ writes:

> Hello,
>
> I'm curious, I'm developing an app whereas sharing/collaboration
> can be done by localhost through tor and .onion address between pairs or
> multiples. When I use standard http there seems to not be any problems
> connecting different computers, different IPs, etc. and interacting, but
> when attempting to do it under https there isn't any connection. Https
> is definitely functioning with original hosts.
>
> My question is, since things are already going through tor with
> .onion connections and things encrypted anyway, is not using ssl really
> presenting any sort of serious compromise on anonymity? Wouldn't it be
> sort of like encrypting the encryption?

There is an ongoing discussion about how seriously one needs HTTPS with a .onion address. There is already end-to-end encryption built into the Tor hidden service design, so communications with hidden services (even using an unencrypted application-layer protocol like HTTP) are already encrypted.

A problem is that the encryption for the current generation of hidden services is below-par, technically, in comparison to modern HTTPS in browsers -- it uses less modern cryptographic primitives and shorter keylengths than would be recommended for HTTPS today. This will change eventually with future updates to the hidden service protocol, but right now there would be incremental cryptographic benefit from connecting to a hidden service via HTTPS.

But the encryption from HTTPS in this case serves the same purpose as the hidden service encryption, so you're indeed "encrypting the encryption" when you use it.

Unfortunately, it's hard to do today because certificate authorities are reluctant to issue certs for .onion names; the CA/Browser Forum has allowed them to do so temporarily, but only EV certificates can be issued, which cost money, take time, and sacrifice anonymity of the hidden service operator. The best-known example of a hidden service that managed to navigate the process successfully is

https://facebookcorewwwi.onion/

--
Seth Schoen <sch...@eff.org>
Senior Staff Technologist, https://www.eff.org/
Electronic Frontier Foundation, https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109, +1 415 436 9333 x107

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk