
Here is another argument against “normal” certificates for onion domain names. The issue is that they come with an OCSP responder target. Hence, the browser will go and contact that responder, potentially deanonymizing you. What Facebook should have done is to have the OCSP response stapled – without it, the situation is even worse than unencrypted http.
No, it will not on some browsers. This is probably a browser bug, but still, stapling the OCSP response will make the bug safe.
Tor Browser should have disabled OCSP long ago; it’s worse than pointless because it has to FAIL OPEN since many responders are unreliable. noisebridge /OCSP
Think about changing Tor Browser so that, although all traffic is actually sent through plain HTTP over Tor for .onion, the browser shows it with a padlock, so that people believe it really is encrypted properly. Possibly even treat it as HTTPS for mixed content and referer and such, while still not actually being it.
That would avoid the cost of operating both Tor’s and HTTPS’s encryption/end-to-end authentication, and avoid implementing the commercial CA product, while still preventing confusion among customers.
It should not be done that way. Better to create a different padlock that shows on pages reached securely via a hidden service. And educate people about this.
As for naming problems, I
A) rebrand “location-hidden service” plus the .onion pseudo TLD to “tor service” and .tor (while maintaining backward compatibility with .onion) (*)
(*) There is likely a large “don’t brand things” argument, which is largely in line with the concept of “ownership”. The community which contribute to the signal own the signal, but it is copylefted with a very permissive license (therefore forkable), and the system ownership is distributed amongst those who contribute to it (relays, links, sites etc.). So, I see the branding/ownership argument as poor.
Finally, I think that it is *excellent* that Facebook has added a .onion address. I completely disagree with their business model, and don’t use their product, but their addition to the tor network will increase the legitimacy of the network in the eyes of the poorly informed, and may even improve the education of their community.
Isn’t one argument in favor of using https for hidden services that it allows authentication of clients through client certificates? (Obviously, this is not an argument that applies to the Facebook case.)
“Then they had some keys whose name started with “facebook”, and they looked at the second half of each to pick the ones with pronounceable and thus memorable syllables. The “corewwwi” one looked best to them.”
I find that story hard to believe. How many combinations did they need to go through to find corewwwi? It must have been millions, billions, or more?
I don’t buy it either. More likely a big company like Facebook wants an easy-to-remember address and has the resources for it.
I am not great with C, but I would like to help with the designs for the new onion services. What would be the best way to help?
Comments on part
There’s one other reason for wanting to have https to an onion address: assurance that no other .onion site is proxying/MITMing the service’s data stream, by showing that the .onion address has a key actually held (or at least licensed) by the one who owns the site.