
Re: [tor-talk] Making a Site Available as both a Hidden Service and on the www - thoughts?

Hi Ben,

On Sun, May 17, 2015 at 11:26:41AM -0000, Ben wrote:
> Hi all,
> I've got a (www) site that I'm debating making available as a Hidden
> Service, and I was wondering what people's thinking on doing this was
> nowadays.

I'm presenting a short paper I wrote with Griffin Boyce, "Genuine
onion: Simple, Fast, Flexible, and Cheap Website Authentication" on
almost exactly this topic at the IEEE Workshop on Web 2.0 Security &
Privacy on Thursday. You can get it at
or get both the paper and slides from

The basic idea is to use onion services for better authentication.
Partly perhaps because of our unfortunate original choice of
terminology (Hidden Service) we haven't as much emphasized the
self-authenticating property of these services as the hiding.  We
treat hiding in this work as basically an orthogonal issue, although we
do discuss some advantage in that respect as well. TLS Certs are
problematic for various reasons and for onion addresses are currently
only available for extended validation, which is a nonstarter for most
people. The binding for the two sites (which may or may not be two
paths to the same web server) we suggest is GPG signatures on both
addresses posted on both sites. This can be easily used right now w/
existing tools, which is great but obviously is highly manual. So
"easily" is in the eye of the beholder. We discuss use cases,
protections, efficiencies, and conveniences provided. Also
complementarity to TLS, automation, and the potential for integration
with existing tools such as Convergence and Monkeysphere. Also,
integration with the ahmia onion service search engine.
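
The binding described in the message above, sketched as an added example that is not part of the original post or the paper's own tooling: a check that the statement fetched from each site names both addresses inside the signed text and verifies under one pinned key. The statement layout, the hostnames, the sample blobs and the out-of-band pinned fingerprint are assumptions; `signer_fingerprint` needs a local `gpg` with the site's public key imported.

```python
import subprocess

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_tokens(clearsigned):
    """Whitespace-separated tokens from the signed region only (RFC 4880, section 7)."""
    lines = clearsigned.replace("\r\n", "\n").split("\n")
    start = lines.index(BEGIN)               # ValueError if not clearsigned
    end = lines.index(SIG, start)
    body_start = lines.index("", start) + 1  # blank line ends the "Hash:" headers
    body = [l[2:] if l.startswith("- ") else l for l in lines[body_start:end]]
    return set(" ".join(body).split())

def binding_problems(copies, www_host, onion_host):
    """copies: {where_fetched: clearsigned_text}. Returns a list of problems."""
    problems = []
    for where, text in copies.items():
        try:
            tokens = signed_tokens(text)
        except ValueError:
            problems.append(f"{where}: no cleartext-signed statement")
            continue
        for addr in (www_host, onion_host):
            if addr not in tokens:           # text outside the signature is unauthenticated
                problems.append(f"{where}: {addr} is not inside the signed text")
    return problems

def signer_fingerprint(clearsigned):
    """Fingerprint from gpg's VALIDSIG status line, or None if verification fails."""
    out = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify"],
                         input=clearsigned.encode(), capture_output=True).stdout
    for line in out.decode(errors="replace").splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2]
    return None

def check_binding(copies, www_host, onion_host, pinned_fpr):
    """Full check: both addresses signed in every copy, every copy under the pinned key."""
    problems = binding_problems(copies, www_host, onion_host)
    for where, text in copies.items():
        if signer_fingerprint(text) != pinned_fpr:
            problems.append(f"{where}: not signed by the pinned key")
    return problems

# Constructed samples: hostnames and the signature blob are placeholders, not real values.
GOOD = (BEGIN + "\nHash: SHA256\n\nThis site is reachable at:\nexample.com\n"
        "exampleonionaddr.onion\n" + SIG + "\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")
BAD = "Also try exampleonionaddr.onion\n" + GOOD.replace("exampleonionaddr", "someotheraddress")
```

`BAD` shows the case a manual check tends to miss: the expected onion address appears on the page, but only outside the signed region.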
