Date: Tue, 26 Jan 2016 14:04:54 -0500
From: Paul Syverson <paul.syverson@nrl.navy.mil>
To: tor-talk@lists.torproject.org
Message-ID: <20160126190454.GA1422@vpn212046.nrl.navy.mil>
Subject: Re: [tor-talk] onion routing MITM

This is false. 

First of all '.onion' is an officially recognized reserved top level
domain according to IETF RFC 7686.

Second, a CA _will_ validate a .onion address, but only to provide an
EV (extended validation) Cert. EV Certs are typically only
had by big companies etc. Typical browsers represent an EV cert by
showing the lock icon in green. Facebook and a couple of other entities
do have certs for their .onion addresses. Most .onion site operators are
likely to want DV (domain validation) certs, which are currently not
permitted under the guidelines of the CA/Browser Forum.

That is the current state of things, which is different from how things
were several months ago and will probably change again at some point.

aloha,
Paul

On Tue, Jan 26, 2016 at 06:37:24PM +0000, a55deaba@opayq.com wrote:
> A CA will not validate a '.onion' address since it's not an official TLD
> approved by ICANN. The numbers aren't random. From Wikipedia:
> 
> "16-character alpha-semi-numeric hashes which are automatically generated
> based on a public key <https://en.wikipedia.org/wiki/Public_key> when a
> hidden service
> <https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_services>
> is configured. These 16-character hashes can be made up of any letter of
> the alphabet, and decimal digits from 2 to 7, thus representing an 80-bit
> number in base32 <https://en.wikipedia.org/wiki/Base32>. It is possible to
> set up a human-readable .onion URL (e.g. starting with an organization
> name) by generating massive numbers of key pairs
> <https://en.wikipedia.org/wiki/Public-key_cryptography> (a computational
> process that can be parallelized
> <https://en.wikipedia.org/wiki/Parallelized>) until a sufficiently
> desirable URL is found."[2]
> <https://en.wikipedia.org/wiki/.onion#cite_note-scallion-2>[3]
> <https://en.wikipedia.org/wiki/.onion#cite_note-facebook_url-3>
> 
> Cheers,
> yodablue
> 
> On Tue, Jan 26, 2016 at 1:32 PM lists.torproject.org [Masked]
> <FWD-737QLY3MGNAYSQFGAHIDLIAC2AJOAZ4BKBNCRYADXAICEWBKGA4GYNTQE4MCKZVAFMRQA3BHMAEPUEBAAAQA====@
> opayq.com> wrote:
> 
> >
> > I'm new to tor, trying to understand some stuff.
> >
> > I understand the .onion TLD is not an officially recognized TLD, so it's
> > not resolved by normal DNS servers. The FAQ seems to say that tor itself
> > resolves these, not to an IP address, but to a hidden site somehow.
> >
> > When I look at thehiddenwiki.org, I see a bunch of .onion sites, with
> > random looking names. Why is this? What if someone at thehiddenwiki.org
> > registered a new .onion site (for example http://somerandomletters.onion),
> > which then relayed traffic to duck-duck-go (http://3g2upl4pq6kufc4m.onion)?
> > Thehiddenwiki could give me the link http://somerandomletters.org, and of
> > course I would never know the difference between that and
> > http://3g2upl4pq6kufc4m.onion
> >
> > Without trusting a CA to validate a site name, what prevents MITM attacks?
> > Am I supposed to get the duckduckgo URL from a trusted friend of mine, and
> > then always keep it?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
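The derivation yodablue quotes from Wikipedia (first 80 bits of SHA-1 over the DER-encoded RSA public key, rendered in base32) is also what answers the original MITM question: the name is a function of the key, so only a server holding the matching private key can answer for it, and a lookalike name served with a different key fails the check. The following is an added example, not code from this thread or from Tor itself; it implements the 16-character scheme the 2016 discussion refers to (current v3 addresses use a different, Ed25519-based format), with a minimal DER encoder written for this purpose and a constructed modulus in place of a real key.

```python
import base64
import hashlib

# 16-character (v2) onion address, as described in the quoted text:
#   address = base32( SHA-1( DER(RSAPublicKey) )[0:10] )   -> 80 bits
# The tiny DER encoder below covers only what that derivation needs.

def der_length(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets

def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def der_rsa_public_key(modulus: int, exponent: int = 65537) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = der_integer(modulus) + der_integer(exponent)
    return b"\x30" + der_length(len(body)) + body

def onion_address_v2(pubkey_der: bytes) -> str:
    """First 80 bits of SHA-1 over the DER key, base32, lowercase: 16 chars of [a-z2-7]."""
    digest = hashlib.sha1(pubkey_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"

def verify_onion_address(claimed: str, pubkey_der: bytes) -> bool:
    """The name is derived from the key, so a peer presenting a different key
    cannot make a lookalike name verify: the address authenticates itself."""
    return claimed.lower() == onion_address_v2(pubkey_der)

# Constructed sample modulus (NOT a real RSA key; only the derivation is shown).
SAMPLE_MODULUS = (1 << 1023) | (2**521 - 1)
SAMPLE_PUBKEY = der_rsa_public_key(SAMPLE_MODULUS)

if __name__ == "__main__":
    addr = onion_address_v2(SAMPLE_PUBKEY)
    print(addr, verify_onion_address(addr, SAMPLE_PUBKEY))
    # A different key derives a different name, so the same name fails to verify.
    print(verify_onion_address(addr, der_rsa_public_key(SAMPLE_MODULUS + 2)))
```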

