[tor-talk] Tor and Google error / CAPTCHAs.
Alec Muffett
alec.muffett at gmail.com
Tue Oct 4 07:01:09 UTC 2016
On 4 October 2016 at 01:51, Jeremy Rand <jeremyrand at airmail.cc> wrote:
> Alec Muffett:
>
> I'm curious what the advantage is in this respect of .onion compared to
> using TLS with manual fingerprint verification.
>
I like to look at Onions from the perspective of a network engineer:
- it's a lightweight near-equivalent (and in no way as powerful as, but
hey, it's an 80% solution which requires zero setup) to Layer-2 / IPsec
AH+ESP
- this means it operates and is available at the "Link Layer" and is
inherited by any protocol which uses it, including plaintext HTTP,
plaintext Telnet, etc
- In IPsec AH means "Authentication Header", extra metadata that IPsec
sends, using certs and keys and shit, to guarantee that you are talking to
the machine that you asked for
- In Onion, if you can type in the address and get connected, you are
talking to the machine that you asked for
- In IPsec, ESP means "Encapsulating Security Payload", extra metadata on
the packet which stops people tampering with, or reading the packet
- In Onion, all that shit comes pre-packaged from Tor, with zero user setup.
- Onion also routes around blocks
So my position is that Onion routing is "cheap-ass IPsec, without all the
configuration BS, and *yay* with E2E/disintermediation".
That is _really_ cool; at a stroke you selectively bypass a bunch of
internet balkanization technologies and reconnect people like it's 1990 all
over again.
I'm old enough to remember when `finger username@host.subdomain.tld`
actually worked and was useful; there's a lot you can build with that kind
of connectivity.
> My best guess is that .onion has better usability today with current
> tools.
That's also nice.
> But it seems to me that it wouldn't be incredibly hard to
> produce a SOCKS proxy to support a ".tlsexplicit" TLD where the SOCKS
> proxy drops the connection to "www.google.com.<fingerprint>.tlsexplicit"
> if the server doesn't present a TLS cert that matches <fingerprint>.
>
Could do that, but then you'd just be reinventing IPsec-like features at
layer 4, rather than at pseudo-layer-2.
I shall elide your other question, because - as should be obvious by now -
I rate Onions highly for qualities other than the "anonymity" and
"location hiding" - which are obviously very important to other people.
- alec
--
http://dropsafe.crypticide.com/aboutalecm
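
The ".tlsexplicit" check proposed in the quoted text, sketched as an added example that is not part of the original message or of any Tor code. It assumes the fingerprint label is the hex SHA-256 of the server's DER-encoded leaf certificate; the function names and the sample values are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

SUFFIX = ".tlsexplicit"  # pseudo-TLD proposed in the quoted message

# Constructed sample: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed stand-in for a DER certificate"
SAMPLE_NAME = "www.example.com.%s.tlsexplicit" % hashlib.sha256(SAMPLE_DER).hexdigest()


def split_tlsexplicit(name):
    """Return (real_host, fingerprint_hex) or raise ValueError."""
    name = name.lower().rstrip(".")
    if not name.endswith(SUFFIX):
        raise ValueError("not a .tlsexplicit name")
    host, _, fp = name[: -len(SUFFIX)].rpartition(".")
    # Assumed encoding: hex SHA-256 of the DER certificate (64 hex chars).
    if not host or len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("malformed host or fingerprint label")
    return host, fp


def cert_matches(der_cert, fp_hex):
    """Constant-time comparison of the presented cert's SHA-256 with the pin."""
    return hmac.compare_digest(hashlib.sha256(der_cert).hexdigest(), fp_hex)


def connect_pinned(name, port=443, timeout=10):
    """Open TLS to the real host; drop it unless the leaf cert matches the pin."""
    host, fp = split_tlsexplicit(name)
    ctx = ssl.create_default_context()
    # The fingerprint in the name is the only trust anchor in this sketch, so
    # CA and hostname validation are switched off and replaced by the pin check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not cert_matches(der, fp):
        tls.close()  # the "drops the connection" step from the proposal
        raise ssl.SSLError("certificate does not match pinned fingerprint")
    return tls
```

A 64-character hex label is longer than the 63-octet DNS label limit, so a name like this is only meaningful to the proxy that intercepts it.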