Date: Tue, 26 Jan 2016 14:14:49 -0500
From: Paul Syverson <paul.syverson@nrl.navy.mil>
To: tor-talk@lists.torproject.org
Message-ID: <20160126191449.GB1422@vpn212046.nrl.navy.mil>
References: <K8zCB59--3-0@tutanota.com>
 <CAG_xf59tGGQgLdH17gff7M8oYU96viXCWMgnnponfrNYr8dqJg@mail.gmail.com>
 <20160126190454.GA1422@vpn212046.nrl.navy.mil>
In-Reply-To: <20160126190454.GA1422@vpn212046.nrl.navy.mil>
Subject: Re: [tor-talk] onion routing MITM

Probably should also have noted wrt the original question
that for people who use PGP/GPG there are things that can be done
now, and onionsites that do make use of that.

See
"Bake in .onion for Tear-free and Stronger Website Authentication"
https://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdf
for a description of both how people are using GPG now and of
the situation and plans for certs in the future.

See also Juha Nurmi's related post to this list about booby trapped
onion sites.

aloha,
Paul


On Tue, Jan 26, 2016 at 02:04:54PM -0500, Paul Syverson wrote:
> This is false. 
> 
> First of all '.onion' is an officially recognized reserved top level
> domain according to IETF RFC 7686.
> 
> Second, a CA _will_ validate a .onion address, but only to provide an
> EV (extended validation) Cert. EV Certs are typically only
> had by big companies etc. Typical browsers represent an EV cert by
> showing the lock icon in green. Facebook and a couple of other entities
> do have certs for their .onion addresses. Most .onion site operators are
> likely to want DV (domain validation) certs, which are currently not
> permitted under the guidelines of the CA/Browser Forum.
> 
> That is the current state of things, which is different from how things
> were several months ago and will probably change again at some point.
> 
> aloha,
> Paul
> 
> On Tue, Jan 26, 2016 at 06:37:24PM +0000, a55deaba@opayq.com wrote:
> > A CA will not validate a '.onion' address since it's not an official TLD
> > approved by ICANN. The numbers aren't random. From Wikipedia:
> > 
> > "16-character alpha-semi-numeric hashes which are automatically generated
> > based on a public key <https://en.wikipedia.org/wiki/Public_key> when a hidden
> > service
> > <https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_services> is
> > configured. These 16-character hashes can be made up of any letter of the
> > alphabet, and decimal digits from 2 to 7, thus representing an 80-bit
> > number in base32 <https://en.wikipedia.org/wiki/Base32>. It is possible to
> > set up a human-readable .onion URL (e.g. starting with an organization
> > name) by generating massive numbers of key pairs
> > <https://en.wikipedia.org/wiki/Public-key_cryptography> (a computational
> > process that can be parallelized
> > <https://en.wikipedia.org/wiki/Parallelized>) until a sufficiently
> > desirable URL is found."[2]
> > <https://en.wikipedia.org/wiki/.onion#cite_note-scallion-2>[3]
> > <https://en.wikipedia.org/wiki/.onion#cite_note-facebook_url-3>"
> > 
> > Cheers,
> > yodablue
> > 
> > On Tue, Jan 26, 2016 at 1:32 PM lists.torproject.org [Masked]
> > <FWD-737QLY3MGNAYSQFGAHIDLIAC2AJOAZ4BKBNCRYADXAICEWBKGA4GYNTQE4MCKZVAFMRQA3BHMAEPUEBAAAQA====@
> > opayq.com> wrote:
> > 
> > >
> > >
> > > I'm new to tor, trying to understand some stuff.
> > >
> > > I understand the .onion TLD is not an officially recognized TLD, so it's
> > > not
> > > resolved by normal DNS servers. The FAQ seems to say that tor itself
> > > resolves
> > > these, not to an IP address, but to a hidden site somehow.
> > >
> > > When I look at thehiddenwiki.org, I see a bunch of .onion sites, with
> > > random
> > > looking names. Why is this? What if someone at thehiddenwiki.org
> > > registered a
> > > new .onion site (for example http://somerandomletters.onion), which then
> > > relayed traffic to duck-duck-go (http://3g2upl4pq6kufc4m.onion)?
> > > Thehiddenwiki could give me the link http://somerandomletters.org, and of
> > > course I would never know the difference between that and
> > > http://3g2upl4pq6kufc4m.onion
> > >
> > > Without trusting a CA to validate a site name, what prevents MITM attacks?
> > > Am
> > > I supposed to get the duckduckgo URL from a trusted friend of mine, and
> > > then
> > > always keep it?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
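The address derivation described in the quoted Wikipedia passage, as an added Python example that is not part of this thread: it reproduces the v2 .onion scheme (SHA-1 over the DER-encoded public key, first 80 bits, base32, lowercase) and the client-side check that makes the name self-authenticating, which is what answers the original MITM question. The key bytes are constructed stand-ins rather than a real DER key, and `verify_onion_address` and `normalize_onion_name` are names chosen here.

```python
import base64
import hashlib

# Constructed stand-in bytes: a real v2 onion service would hash its
# DER-encoded RSA-1024 public key (PKCS#1 RSAPublicKey). Fixed bytes
# keep the example offline and deterministic.
SAMPLE_KEY_A = b"constructed-stand-in-for-DER-encoded-public-key-A"
SAMPLE_KEY_B = b"constructed-stand-in-for-DER-encoded-public-key-B"

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_address_v2(der_public_key: bytes) -> str:
    """Derive the 16-character v2 .onion name from a public key.

    Per Tor's rend-spec (v2): SHA-1 over the DER-encoded public key,
    keep the first 80 bits (10 bytes), base32-encode, lowercase.
    10 bytes is exactly 16 base32 symbols, so there is no '=' padding.
    """
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def normalize_onion_name(name: str) -> str:
    """Strip an optional '.onion' suffix and fold case (base32 is
    case-insensitive). Returns the bare 16-character label."""
    label = name.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    return label


def verify_onion_address(der_public_key: bytes, name: str) -> bool:
    """The check a Tor client effectively performs: does the key in the
    service's descriptor hash to the address the user typed? A relay
    site that proxies to the real service cannot pass this, because it
    must publish its own key and therefore gets a different name."""
    label = normalize_onion_name(name)
    if len(label) != 16 or not set(label) <= B32_ALPHABET:
        return False  # a malformed label can never match any key
    return label == onion_address_v2(der_public_key)


if __name__ == "__main__":
    addr = onion_address_v2(SAMPLE_KEY_A)
    print("address:", addr + ".onion")
    print("genuine key verifies:", verify_onion_address(SAMPLE_KEY_A, addr))
    print("impostor key verifies:", verify_onion_address(SAMPLE_KEY_B, addr))
```

The address is only as trustworthy as the channel it arrived on, which is exactly why the thread turns to PGP-signed announcements and certs: the hash binds a name to a key, not to an organisation.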