[tor-talk] onion routing MITM

Paul Syverson paul.syverson at nrl.navy.mil
Tue Jan 26 19:14:49 UTC 2016


Probably should also have noted wrt the original question
that for people who use PGP/GPG there are things that can be done
now and onionsites that do make use of that. Cf.

See
"Bake in .onion for Tear-free and Stronger Website Authentication"
https://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdf
for a description of both how people are using GPG now, and for
the situation and plans for certs in the future.

See also Juha Nurmi's related post to this list about booby trapped
onion sites.

aloha,
Paul


On Tue, Jan 26, 2016 at 02:04:54PM -0500, Paul Syverson wrote:
> This is false. 
> 
> First of all '.onion' is an officially recognized reserved top level
> domain according to IETF RFC 7686.
> 
> Second, a CA _will_ validate a .onion address, but only to provide an
> EV (extended validation) Cert. EV Certs are typically only
> had by big companies etc. Typical browsers represent an EV cert by
> showing the lock icon in green. Facebook and a couple of other entities
> do have certs for their .onion addresses. Most .onion site operators are
> likely to want DV (domain validation) certs, which are currently not
> permitted under the guidelines of the CA/Browser Forum.
> 
> That is the current state of things, which is different from how things
> were several months ago and will probably change again at some point.
> 
> aloha,
> Paul
> 
> On Tue, Jan 26, 2016 at 06:37:24PM +0000, a55deaba at opayq.com wrote:
> > A CA will not validate a '.onion' address since it's not an official TLD
> > approved by ICANN. The numbers aren't random. From Wikipedia:
> > 
> > "16-character alpha-semi-numeric hashes which are automatically generated
> > based on a public key <https://en.wikipedia.org/wiki/Public_key> when a hidden
> > service
> > <https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_services> is
> > configured. These 16-character hashes can be made up of any letter of the
> > alphabet, and decimal digits from 2 to 7, thus representing an 80-bit
> > number in base32 <https://en.wikipedia.org/wiki/Base32>. It is possible to
> > set up a human-readable .onion URL (e.g. starting with an organization
> > name) by generating massive numbers of key pairs
> > <https://en.wikipedia.org/wiki/Public-key_cryptography> (a computational
> > process that can be parallelized
> > <https://en.wikipedia.org/wiki/Parallelized>) until a sufficiently
> > desirable URL is found."[2]
> > <https://en.wikipedia.org/wiki/.onion#cite_note-scallion-2>[3]
> > <https://en.wikipedia.org/wiki/.onion#cite_note-facebook_url-3>"
> > 
> > Cheers,
> > yodablue
> > 
> > On Tue, Jan 26, 2016 at 1:32 PM lists.torproject.org [Masked]
> > <FWD-737QLY3MGNAYSQFGAHIDLIAC2AJOAZ4BKBNCRYADXAICEWBKGA4GYNTQE4MCKZVAFMRQA3BHMAEPUEBAAAQA====@
> > opayq.com> wrote:
> > 
> > >
> > > --------------------------Blur (formerly
> > > DoNotTrackMe)---------------------------
> > > 
> > > -------------------------By Abine--------------------------
> > >
> > >
> > > I'm new to tor, trying to understand some stuff.
> > >
> > > I understand the .onion TLD is not an officially recognized TLD, so it's
> > > not
> > > resolved by normal DNS servers. The FAQ seems to say that tor itself
> > > resolves
> > > these, not to an IP address, but to a hidden site somehow.
> > >
> > > When I look at thehiddenwiki.org, I see a bunch of .onion sites, with
> > > random
> > > looking names. Why is this? What if someone at thehiddenwiki.org
> > > registered a
> > > new .onion site (for example http://somerandomletters.onion), which then
> > > relayed traffic to duck-duck-go (http://3g2upl4pq6kufc4m.onion)?
> > > Thehiddenwiki could give me the link http://somerandomletters.org, and of
> > > course I would never know the difference between that and
> > > http://3g2upl4pq6kufc4m.onion
> > >
> > > Without trusting a CA to validate a site name, what prevents MITM attacks?
> > > Am
> > > I supposed to get the duckduckgo URL from a trusted friend of mine, and
> > > then
> > > always keep it?
> > > --
> > > tor-talk mailing list - tor-talk at lists.torproject.org
> > > To unsubscribe or change other settings go to
> > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> > >
> > >
> > -- 
> > tor-talk mailing list - tor-talk at lists.torproject.org
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> -- 
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


More information about the tor-talk mailing list