[tor-talk] You could use ModX to create .onion sites,

Tom Ritter tom at ritter.vg
Fri May 24 11:22:28 UTC 2013


On 24 May 2013 02:36, Andreas Krey <a.krey at gmx.de> wrote:
>> Can hidden services talk SPDY?
>
> Sure they can. Just as well as ssh, smtp or pop3 or
> anything else that goes over TCP.

I guess I should have phrased this as "Can TBB talk to a SPDY enabled
HS?" or "Can users take advantage of a HS running SPDY?"  I think TBB
would need to make special provisions.  SPDY requires SSL, if you use
the weird "Use SPDY over plaintext" option[0] it breaks HTTP.  So if
someone without a SPDY client visited x.onion, it'd break.  A HS can
redirect to a SSL version of itself, but the certificate won't
validate, at least according to normal PKIX validation rules, because
no one can issue a cert for a .onion.

... Actually that's not true.  I could have bought a certificate for a
.onion address, any .onion address, from any CA until the end of 2015.
They're starting to phase them out now so "any CA" is probably not
correct so "some CAs" would be true.  That's a mildly creepy
thought, although the HS architecture should protect against that.
(Unless you've broken RSA1024)

I suppose it would be possible for TBB to talk to a HS over SSL, and
attempt to negotiate an anonymous, non-confidential ciphersuite (to
reduce the CPU needed) or make other provisions to accommodate it,
like ignoring PKIX validation and showing no security indicators.

-tom

[0]https://code.google.com/p/mod-spdy/wiki/ConfigOptions#Debugging_SPDY_without_SSL

