To: tor-talk@lists.torproject.org
References: <55C54AC7.8090709@canaglie.org>
 <20150808031616.GJ9483@mail2.eff.org>
From: Jeremy Rand <biolizard89@gmail.com>
Message-ID: <55C5A91F.3070706@gmail.com>
Date: Sat, 8 Aug 2015 02:00:47 -0500
In-Reply-To: <20150808031616.GJ9483@mail2.eff.org>
Subject: Re: [tor-talk] General question regarding tor, ssl and .onion.
On 08/07/2015 10:16 PM, Seth David Schoen wrote:
> MaQ writes:
> 
>> Hello,
>> 
>> I'm curious, I'm developing an app whereas sharing/collaboration 
>> can be done by localhost through tor and .onion address between
>> pairs or multiples. When I use standard http there seems to not
>> be any problems connecting different computers, different IPs,
>> etc. and interacting, but when attempting to do it under https
>> there isn't any connection. Https is definitely functioning with
>> original hosts.
>> 
>> My question is, since things are already going through tor with 
>> .onion connections and things encrypted anyway, is not using ssl
>> really presenting any sort of serious compromise on anonymity?
>> Wouldn't it be sort of like encrypting the encryption?
> 
> There is an ongoing discussion about how seriously one needs HTTPS
> with a .onion address.  There is already end-to-end encryption
> built into the Tor hidden service design, so communications with
> hidden services (even using an unencrypted application-layer
> protocol like HTTP) are already encrypted.
> 
> A problem is that the encryption for the current generation of
> hidden services is below-par, technically, in comparison to modern
> HTTPS in browsers -- it uses less modern cryptographic primitives
> and shorter keylengths than would be recommended for HTTPS today.
> This will change eventually with future updates to the hidden
> service protocol, but right now there would be incremental
> cryptographic benefit from connecting to a hidden service via
> HTTPS.  But the encryption from HTTPS in this case serves the same
> purpose as the hidden service encryption, so you're indeed 
> "encrypting the encryption" when you use it.
> 
> Unfortunately, it's hard to do today because certificate
> authorities are reluctant to issue certs for .onion names; the
> CA/Browser Forum has allowed them to do so temporarily, but only EV
> certificates can be issued, which cost money, take time, and
> sacrifice anonymity of the hidden service operator.
> 
> The best-known example of a hidden service that managed to navigate
> the process successfully is
> 
> https://facebookcorewwwi.onion/
> 

It's theoretically possible to use naming systems like Namecoin to
specify TLS fingerprints for connections to Tor hidden services, which
would eliminate the need for a CA.  I'm hoping to have a proof of
concept of such functionality soon.

-Jeremy Rand
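Jeremy's idea above, verifying a hidden service's TLS certificate against a fingerprint published in a name record instead of a CA chain, as an added Go example that is not part of the thread and not Jeremy's proof of concept. The name-record lookup itself is out of scope, so the pin is a parameter; SelfSignedCert is a constructed stand-in for the service's own certificate, and the client config is meant to be handed to tls.Dial or tls.Client over whatever connection reaches the service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// Fingerprint is the lowercase hex SHA-256 of a DER cert: the value a name record (e.g. Namecoin) would publish.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinnedConfig replaces CA and hostname validation with a fingerprint check on the leaf (it does not merely skip them).
func PinnedConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // turns off the CA path; the callback below verifies instead
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			// raw[0] is the leaf exactly as the server sent it; compare in constant time.
			if len(raw) > 0 && subtle.ConstantTimeCompare([]byte(Fingerprint(raw[0])), []byte(pin)) == 1 {
				return nil
			}
			return errors.New("tls: leaf certificate does not match the pinned fingerprint")
		},
	}
}

// SelfSignedCert is a constructed stand-in for a hidden service's own certificate; no CA signs it.
func SelfSignedCert(name string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}
```

A handshake against a loopback server using SelfSignedCert succeeds only with the matching pin; any other fingerprint aborts the handshake before application data is sent.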