Re: [tor-talk] Encryption on Http

• From: Henry Story <henry.story@bblfish.net>
• Date: Wed, 16 May 2012 17:41:49 +0200
• To: tor-talk@lists.torproject.org
• Cc: public-webid <public-webid@w3.org>
• Message-Id: <9BC3C556-A713-4E4E-8912-5AA463EF031F@bblfish.net>

I suppose you are speaking to me, and my proposal of doing WebID with onion urls.
(using the protocol described at http://webid.info/spec/ )

On 16 May 2012, at 16:57, tor user22 wrote:

> May be a silly question, but why TOR does not use http traffic encrypted
> with shared key instead of using SSL ( like Your-Freedom project)?

We know how to do WebID with SSL, but not yet how to do it with Tor encryption. 
Perhaps the same technique could be applied to Tor encryption too (I don't know
how Tor works in detail, so I can't tell yet).

Thinking about this I can now see that one issue with using WebID+TLS with Tor 
encryption: namely how to the client can authenticate the server with TLS. 
When we are not dealing with Tor, we can rely on Certificate Authorities (not an 
ideal solution, but one that allows us to get going, that works in most browsers,
and that is satisfactory for business, that need legal backing anyway to operate), 
or in the future with  IETF's DANE ( http://tools.ietf.org/wg/dane/ )

I don't think either of these would work with Tor though. A year ago, when thinking
about how one could do WebID without using DNS, I came up with an httpk scheme on the
FreedomBox mailing list 

  http://lists.w3.org/Archives/Public/public-xg-webid/2011Mar/0068.html

This was before I had heard of Tor. The idea was that one could have 
urls of the form

  httpk://ash12sdfs19kd3/my/foaf

where the public key would be part of the URL ( ash12sdfs19kd3 above) and
that this could then be used by a modified TLS client to verify the 
authenticity of the server it had connected to. Of course this won't be
something that is part of the browser at this point, but it could be part
of the FreedomBox stack, and we could use our freedombox to interact with
other FreedbomBoxes using this protocol. httpk does not seem very far
from onion urls (but I don't know exactly how onion urls work - any good 
pointer?)

  If onion urls work like my suggested httpk scheme, then perhaps there
is something that can be done at that level.

> 
> so encrypted http traffic would be routed through TOR network , this would
> be useful in countries where using SSL or HTTPS is forbidden.

I think that if https is forbidden, then Tor is forbidden too. A country where
encryption is forbidden will of course quickly loose its ability to compete
in the internet world, as they won't be able to keep secrets from their enemies/
competitors.

I think the problem with https is at a different layer as explained above: the client
has to be able to authenticate the server somehow. Tor does this. So the question
is can we use something in Tor to do what client certificates do in TLS?

Henry

> 
> Best,
> _______________________________________________
> tor-talk mailing list
> tor-talk@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Social Web Architect
http://bblfish.net/

Received on Wednesday, 16 May 2012 15:42:22 UTC