[tor-talk] You could use ModX to create .onion sites,

Mike Cardwell tor at lists.grepular.com
Fri May 24 11:57:57 UTC 2013


* on the Fri, May 24, 2013 at 07:22:28AM -0400, Tom Ritter wrote:

> I guess I should have phrased this as "Can TBB talk to a SPDY enabled
> HS?" or "Can users take advtange of a HS running SPDY?"  I think TBB
> would need to make special provisions.  SPDY requires SSL, if you use
> the weird "Use SPDY over plaintext" option[0] it breaks HTTP.  So if
> someone without a SPDY client visited x.onion, it'd break.  A HS can
> redirect to a SSL version it itself, but the certificate won't
> validate, at least according to normal PKIX validation rules, because
> no one can issue a cert for a .onion.

A new CA could be generated by the Torproject and included with TBB. The
CA could be completely public, so anybody is able to download its private
key and generate a certificate using it. TBB could include this new CA,
and also be patched so that certificates signed using this new CA only
work for .onion domains. Then people could grab the CA and use it to
generate a certs for their .onion address.

Then we'd gain all the efficiencies provided by SPDY and none of the
drawbacks of SSL certificate warnings.

There should be no issue with people having access to this CA's keys
as long as it's only used for .onion domains.

Actually, I wonder if it's possible to just patch TBB to not do
certificate verification for .onion URLs?

The only drawback I can see for this is if people incorrectly import
this new CA into their non-TBB browser, meaning that people could
use the new CA to generate certificates for non-.onion addresses
and MITM *their* connections.

Maybe Mozilla would allow the Torproject to run a CA which only
works for .onion domains, and include code for that restriction
up-stream?

SPDY *must* be much more efficient than HTTP over Tor. It has
compression and multiplexing so multiple resources can be sent down
the same single connection at the same time, and it has push so that
the server can look at the resource that has been requested and send
along all of the other relevant resources at the same time, rather
than waiting for the browser to request them. Eg, browser asks for
html file, so server responds by sending the html file *and* it's css,
javascript and images all at the same time. Compare this to the browser
requesting a HTML page, receiving the HTML page, parsing it, seeing
that it needs a CSS file, requesting that, seeing that it needs a JS
file, requesting that. Especially seeing as a lot of resources are
fetched in the order they appear in the HTML and block other resources
from being requested until they have finished being fetched themselves,
eg javascript and css.

SPDY is currently supported by Firefox, Chromium and Opera. A few
examples of sites that already have SPDY enabled: Google.com+mail,
Facebook, Twitter, Wordpress.com. Apache has a module for it:
https://code.google.com/p/mod-spdy/ and the latest versions of Nginx
have it built in.

Yeah, I'm a fan of SPDY and I think Tor especially will benefit
hugely from sites enabling it.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 598 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20130524/0bbf7741/attachment.pgp>


More information about the tor-talk mailing list