Date: Tue, 26 Jan 2016 19:57:41 +0000 (UTC)
From: <populationsteamsir@tutanota.com>
To: <juha.nurmi@ahmia.fi>
Message-ID: <K8zVpUe--3-0@tutanota.com>
MIME-Version: 1.0
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Cc: Tor Talk <tor-talk@lists.torproject.org>
Subject: Re: [tor-talk] Warning: 37 new booby trapped onion sites

Juha, thank you for identifying the real and fake sites.

This re-raises the question, when you get a URL from somewhere, how do you 
know it's the real one? Which upon further thought requires definition of 
"the real one." If two guys on the internet both claim to be John Doe, how is 
it possible to know which one is the real John Doe, or is there more than 
one, etc.

If directories such as https://thehiddenwiki.org are going to publish .onion 
URLs, it would be useful to also publish user-verifiable information on why 
they believe it's the valid one. For example, it's been pointed out here, 
that you can search duckduckgo for their hidden URL on the regular internet. 
In which case, you're placing trust in the CA. (An attacker who can 
impersonate https://duckduckgo.com could feed you a fake result in order to 
add validity to the fake URL they've published on some site like 
thehiddenwiki).

If somebody hosts a dark website that doesn't have a verifiable external way 
to look up their URL, then the only way you can verify them is to talk with a 
bunch of other people, web-of-trust style. Which also has a bunch of ways it 
can be undermined.

In any event, Juha, in your list, how do you know which ones are real and 
fake?