Date: Fri, 7 Aug 2015 20:16:16 -0700
From: Seth David Schoen <schoen@eff.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150808031616.GJ9483@mail2.eff.org>
References: <55C54AC7.8090709@canaglie.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <55C54AC7.8090709@canaglie.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [tor-talk] General question regarding tor, ssl and .onion.

MaQ writes:

> Hello,
> 
>      I'm curious: I'm developing an app where sharing/collaboration
> can be done by localhost through Tor and .onion addresses between pairs or
> multiples. When I use standard HTTP there seem to be no problems
> connecting different computers, different IPs, etc. and interacting, but
> when attempting to do it under HTTPS there isn't any connection. HTTPS
> is definitely functioning with the original hosts.
> 
>      My question is, since things are already going through tor with
> .onion connections and things encrypted anyway, is not using ssl really
> presenting any sort of serious compromise on anonymity? Wouldn't it be
> sort of like encrypting the encryption?

There is an ongoing discussion about how seriously one needs HTTPS with
a .onion address.  There is already end-to-end encryption built into the
Tor hidden service design, so communications with hidden services (even
using an unencrypted application-layer protocol like HTTP) are already
encrypted.

A problem is that the encryption for the current generation of hidden
services is below-par, technically, in comparison to modern HTTPS in
browsers -- it uses less modern cryptographic primitives and shorter
key lengths than would be recommended for HTTPS today.  This will change
eventually with future updates to the hidden service protocol, but right
now there would be incremental cryptographic benefit from connecting to
a hidden service via HTTPS.  But the encryption from HTTPS in this case
serves the same purpose as the hidden service encryption, so you're indeed
"encrypting the encryption" when you use it.

Unfortunately, it's hard to do today because certificate authorities
are reluctant to issue certs for .onion names; the CA/Browser Forum
has allowed them to do so temporarily, but only EV certificates can
be issued, which cost money, take time, and sacrifice anonymity of the
hidden service operator.

The best-known example of a hidden service that managed to navigate the
process successfully is

https://facebookcorewwwi.onion/

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
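The layering Seth describes, as an added example that is not code from the thread or from the Tor project: a client reaches an .onion through Tor's SOCKS5 proxy (handing the name to Tor unresolved) and then puts its own TLS layer on top of Tor's encryption, pinning the server certificate's fingerprint because, as noted above, ordinary CA-issued certificates for .onion names are not available. The local SOCKS address, the hostnames and the pin value are assumptions.

```python
import hashlib
import hmac
import socket
import ssl
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # assumed: a local Tor client on its default SOCKS port

def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=0x03 (domain name): the .onion name is handed
    to Tor unresolved, so no DNS lookup for it ever leaves this machine."""
    name = host.encode("ascii")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def parse_socks5_reply(reply: bytes) -> int:
    """Return the SOCKS5 reply code (0 = succeeded); raise on malformed data."""
    if len(reply) < 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]

def cert_matches_pin(der_cert: bytes, pin_sha256_hex: str) -> bool:
    """Constant-time check of the leaf certificate's SHA-256 fingerprint."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pin_sha256_hex.lower().replace(":", ""))

def open_pinned_tls(onion_host: str, port: int, pin_sha256_hex: str) -> ssl.SSLSocket:
    """Connect through Tor, then add a TLS layer and enforce the pin."""
    sock = socket.create_connection(TOR_SOCKS)
    sock.sendall(b"\x05\x01\x00")  # greeting: one auth method, "no auth"
    if sock.recv(2) != b"\x05\x00":
        raise ConnectionError("Tor SOCKS5 refused the no-auth method")
    sock.sendall(socks5_connect_request(onion_host, port))
    if parse_socks5_reply(sock.recv(10)) != 0:
        raise ConnectionError("Tor could not reach the onion service")
    # No public CA will validate a self-signed .onion cert, so chain checks are
    # replaced by the explicit fingerprint pin; Tor's own encryption still
    # protects the connection underneath this TLS layer.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(sock, server_hostname=onion_host)
    if not cert_matches_pin(tls.getpeercert(binary_form=True), pin_sha256_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls
```

The pin is obtained out of band from the service operator (for example the SHA-256 of the server's DER certificate), and rotating the certificate means distributing a new pin.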