I am not fantastic with C, but I

Here is one more argument against “normal” certificates for onion domains. The issue is that they come with an OCSP responder address. Therefore, the browser is going to go and contact that responder, possibly deanonymizing you. What Facebook should have done is to have the OCSP response stapled – without it, the situation is even worse than unencrypted http.

No, it will not on some

No, it’s not going to on some browsers. Perhaps this really is a browser bug, but still, stapling the OCSP response tends to make the bug ordinary.

Tor Web Browser must have

Tor Browser must have disabled OCSP long ago; it’s worse than ineffective given that it must FAIL OPEN since a lot of responders are unreliable. noisebridge /OCSP

What about modifying the Tor

What about altering the Tor browser, so that although all traffic is in fact sent through plain HTTP over Tor for .onion, the browser displays it, with the padlock, so that users are assured it is encrypted properly. Maybe even treat it as HTTPS with regard to mixed content and referer and such, while still not actually being it.

That could avoid the cost of running both Tor’s and HTTPS’s encryption/end-to-end-authentication, and give a wide berth to enforcing the commercial CA product, while still avoiding confusion among users.

Should not be carried out in that

Should not be done in this way. Better to create a different padlock shown for content which is accessed securely via a hidden service. And tell users about this.

In terms of naming issues, I

A) rebrand “location-hidden service” and the .onion pseudo-TLD to “tor services” and .tor (while retaining backward accessibility to .onion) (*)

(*) There is probably a big “don’t brand information” debate, which is mainly based on the notion of “ownership”. The community who contribute to the code own the code, but it’s copylefted with a very permissive license (thus forkable), and the network ownership is distributed amongst people who contribute to it (relays, bridges, sites etc.). Therefore, I see the branding/ownership argument as poor.

Ultimately, I do believe it is *excellent* that Facebook has set up a .onion address. I completely disagree with their business model, and don’t use their product, but their move toward the tor network will add to the validity of the network in the eyes of the poorly educated, and may even boost the size of the community.

Isn’t one argument in favor

Isn’t one argument in favor of using https for hidden services that it allows authentication of clients through client certificates? (Obviously, this isn’t an argument which is relevant to the Facebook situation.)

“Then they got some keys

“Then they had some keys whose name began with “facebook”, and they looked at the second half of each of them to pick out the ones with pronounceable and therefore memorable syllables. The “corewwwi” one looked best to them.”

I find that story hard to believe. How many combinations did they have to go through to find corewwwi? It surely must have been millions, billions, or even more?

I don’t buy it either. More likely a large company like Twitter wants an easy-to-remember address and possesses the information regarding.

I’m not fantastic with C, but I’d like to help out with the design for the new onion services. What would be the best way to help?

Comments on parts

There’s one other reason for wanting to have https to an onion address: assurance that no other .onion site is proxying/MITMing the service’s data stream, by showing that the .onion address has a key actually held (or at least approved) by the one who owns the site.
