Delivery-Date: Tue, 19 May 2015 07:39:53 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	RCVD_IN_DNSWL_MED,T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 89D851E0683
	for <archiver@seul.org>; Tue, 19 May 2015 07:39:51 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id E4DBD3559D;
	Tue, 19 May 2015 11:39:47 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 825963558E
 for <tor-talk@lists.torproject.org>; Tue, 19 May 2015 11:39:17 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id YmfHdCn9EorT for <tor-talk@lists.torproject.org>;
 Tue, 19 May 2015 11:39:17 +0000 (UTC)
Received: from smtp2.hushmail.com (smtp2.hushmail.com [65.39.178.134])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "smtp.hushmail.com", Issuer "smtp.hushmail.com" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 5CC9C35584
 for <tor-talk@lists.torproject.org>; Tue, 19 May 2015 11:39:17 +0000 (UTC)
Received: from smtp2.hushmail.com (localhost [127.0.0.1])
 by smtp2.hushmail.com (Postfix) with SMTP id 7EF7EA012D
 for <tor-talk@lists.torproject.org>; Tue, 19 May 2015 11:39:14 +0000 (UTC)
Received: from smtp.hushmail.com (w5.hushmail.com [65.39.178.80])
 by smtp2.hushmail.com (Postfix) with ESMTP
 for <tor-talk@lists.torproject.org>; Tue, 19 May 2015 11:39:14 +0000 (UTC)
Received: by smtp.hushmail.com (Postfix, from userid 99)
 id 6E399A2912; Tue, 19 May 2015 11:39:14 +0000 (UTC)
MIME-Version: 1.0
Date: Tue, 19 May 2015 07:39:14 -0400
To: tor-talk@lists.torproject.org
From: "l.m" <ter.one.leeboi@hush.com>
In-Reply-To: <20150519094935-728-58347-mailpile@mailpile-home>
References: <52B6B3D5-F25C-46FA-84A1-9F2A73948958@fb.com>
 <20150519094935-728-58347-mailpile@mailpile-home> 
Message-Id: <20150519113914.6E399A2912@smtp.hushmail.com>
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [tor-talk] Making a Site Available as both a Hidden Service and
	on the www - thoughts?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

Ben,

Oh wondrous challenges-by-example

About the https. I would just like to point out that FB using https
amounts to nothing more than a glorious kludge to win back people
who've moved on due to privacy concerns. So they try to prove identity
using a CA-cert, then wrap encrypted onion traffic in another layer of
encryption. What does it gain them except to be able to say: despite
what you may have herd about us, we really do care about your privacy.


However, redirecting from onion on a different port to https (on the
same front and simultaneously available on www) isn't as easy as it
sounds. That will break your sites secure elements. Onions lack a CA
and they're as secure as https using DH with ephemeral keys. You might
find you experience fewer problems in secure parts of your site
without the https. I guess that's not really by-example though. Sorry
I don't have a by-example example.

Oh and another example. If you accept payments by certain methods
(non-anonymous) your liability skyrockets when those payments are
issued using the onion. Although I can't provide you with an example
because it's a secret.

How's that. More examples to add to your examples. Hope your
deployment goes well.

--leeroy
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

