On 10/25/2016 04:57 AM, arrase wrote: > I would like to explain this more in deep from the point of view of the > final user, the one who wants to know about the identity behind a mirror of > a service. > > The client has an extension installed in the browser. > The client go into a domain for first time > The client decided than that service is good for him and he would like to > know in the future if a mirror of the service is from the same author > The extension notes the client about that site is running hidden service > verification > The client accepts the data offered from the service to identify mirrors in > the future , just clicking on extension icon > Next time the client go into a service who claims to be a mirror of the > original one the extension uses the stored info to advice the client if is > realy true or if it is scam
That makes sense. Some onions post GnuPG keys. But verification is generally a manual process. > 2016-10-25 1:58 GMT+02:00 arrase <[email protected]>: > >> Hi list, >> >> This is my first post >> >> What do you think about that?, can be good or is a waste of time? >> >> "" >> - The problem: >> >> Many sites at TOR network have multiple mirrors for support their user >> load. >> >> When connecting to one of these mirror sites we can have the following >> question: >> >> Is this the right place or is a service impersonation? >> >> - My proposal: >> >> The client who wants to verify if a service is fake or real can download >> the PGP key of the service and send a challenge to a port of the service. >> >> The challenge is a simple string defined by the client and the server must >> respond with the same string with a valid GPG signature to identify himself >> >> "" >> Some code (work in progress): >> >> https://github.com/arrase/TOR-Hidden-Service-Verification >> -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
