[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] General question regarding tor, ssl and .onion.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/09/2015 01:04 AM, Seth David Schoen wrote:
> Jeremy Rand writes:
> 
>> It's theoretically possible to use naming systems like Namecoin
>> to specify TLS fingerprints for connections to Tor hidden
>> services, which would eliminate the need for a CA.  I'm hoping to
>> have a proof of concept of such functionality soon.
> 
> Is there a way to prevent an attacker from simply claiming the
> same identifier in Namecoin before the actual hidden service
> operator does?
> 

By "identifier", you mean the .onion name?  If so, then yes, there are
a few ways this could be done.  One potential method is to have the
client look up names by prefix rather than exact match, so that if you
have xyz.onion, the client looks up all Namecoin names that *begin*
with xyz.onion, and the client will look through them until it finds
one whose value includes a signature signed by the .onion key.  An
attacker could try to spam the namespace with lots of names that have
invalid .onion signatures, but given name fees this would be a quite
expensive attack and would only slow down the lookup rather than stop
it from working.  This functionality (specific to .onion) is not
implemented at the moment, but fast prefix lookups are implemented in
namecoind in a dev branch (which will hopefully be merged to master
soon), so this isn't something that would be incredibly hard to do.
If there's specific interest in this kind of functionality, I can
inquire into whether we can merge the fast prefix lookups code now --
let me know if you'd like me to do so.

Cheers,
- -Jeremy Rand
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVxt6GAAoJEAHN/EbZ1y062ekP/RVwFzBAoOFzlHySQIKoKy2D
CXNhTJUkrHPv/r4PUrKk8EKPYvrRWNTHMyQSp5lW+ASpsXIqel8XY6eYFpm2ycur
uk+Ot6RDHuUbqZbdNSszK4Q/MiIwYUGDH44EeW6m8SoE9PbtFVjefoFh0AQCMaoQ
U3tTUu7a2EvXtdgTTKjtvn4oP9vbZqRZZmO1TC653t5IAb5QJkRtnmYIUgvxP3tn
vRg4phYVHSiyW9f3gKeTolCiZkqMq0Kk1J6ajzU8ASfzUIUAE8lsRuDxONB0hYXJ
9dj0MTmQEraUA8SttYgz81xtsOR0zxE/oRjrNIKRZNR2bv3S6IPa5cUA+BjoorTx
MFJU7QFqrI/Hf+5SKgS+bHrqQXs7MPo29XsC4nOgq+Jqyu8FNpbSHU2Dhj/qO0H0
rPpKcpYFBYifoGyuu3Fl8j8NOGDvohmJt+NxKBOenjMBnAM8RM6LcLqE5D2hdxYv
D5jU7KPMCVLbtTgSw7F+qaMjdO0g7/m3AB/TWhHjTuZocwX3opevuaC4i1ZGIelk
HEfWRVFTuTNLNUUQvwMk4ajGxZyigsfJowjwH+oNu7LU10N7bgTSbCDANAW1Pnc0
LnbTs99ghTahSxSq7jYeH2ySTRBhpjmeZYGH30tRZTFUVGVnnn+NHOaLDLMtTJpd
gMfAtEfA8WWkVL0idPmJ
=QJNr
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk