SSL fro hidden services
Matthias Fischmann
fis at wiwi.hu-berlin.de
Thu Oct 20 14:01:55 UTC 2005
On Thu, Oct 20, 2005 at 09:26:59AM -0400, Paul Syverson wrote:
> To: or-talk at freehaven.net
> From: Paul Syverson <syverson at itd.nrl.navy.mil>
> Date: Thu, 20 Oct 2005 09:26:59 -0400
> Subject: Re: SSL fro hidden services
>
> It's unnecessary. All communication is over Tor circuits that are
this claim is true under the assumption that tor doesn't have another
bug that invalidates it, or will ever have.
especially if you use an ssl implementation for the hidden service
that is different from the one used by tor (openssl.org), you will
achieve higher *expected* security. the additional workload of course
is quite high for this marginal gain, but that's matter of taste.
i believe that the overhead of double-ssl is shared between hidden
service and the tor client machine, and nodes won't notice the
difference. (please correct me if i'm wrong.)
cheers,
matthias
> created at both ends of the communication which are mated at an
> Introduction Point to establish contact and at a Rendezvous Point to
> pass data. So even the edges of the communication (between client and
> Tor network, and between hidden server and Tor network) are multiply
> encrypted.
>
> -Paul
>
> On Thu, Oct 20, 2005 at 09:22:18AM -0400, Dan Mahoney, System Admin wrote:
> > On Thu, 20 Oct 2005, Christian Beil wrote:
> >
> > >Is it possible to access hidden services using SSL? Does this make sense
> > >at all?
> >
> > You can certainly use https, and port 443.
> >
> > That said, the certificate naming scheme may be way off, since there's no
> > concept of a valid certificate (I doubt verisign will want to sign one for
> > 786237261871621.onion :)
> >
> > However, assuming the user installs your self-signed cert, it *should*
> > work the same unless there's something I'm missing.)
> >
> > Of course, you're really just protecting content from being sniffed
> > between the user and the entry node (usually, the same machine, but not
> > always), and the exit node and the hidden service (presumably, you control
> > both).
> >
> > This is my understanding of it -- if someone has a better one please step
> > on me without hesitation :)
> >
> > -Dan
> >
> > --
> >
> > "One...plus two...plus one...plus one."
> >
> > -Tim Curry, Clue
> >
> > --------Dan Mahoney--------
> > Techie, Sysadmin, WebGeek
> > Gushi on efnet/undernet IRC
> > ICQ: 13735144 AIM: LarpGM
> > Site: http://www.gushi.org
> > ---------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20051020/540f0956/attachment.pgp>
More information about the tor-talk
mailing list