.onion URLs and HTTPS certificates

DuckDuckGo as an example: 3g2upl4pq6kufc4m.onion/

What is the impact of using TLS on an .onion URL like this? Is it redundant? And/or is it counterproductive?

Attached: 1541062538931.jpg (410x461, 28.13K)

Other urls found in this thread:

archive.fo/yLEap
security.stackexchange.com/questions/36571/why-can-a-tor-exit-node-decrypt-data-but-not-the-entry-node
gitweb.torproject.org/torspec.git/tree/rend-spec-v2.txt
3g2upl4pq6kufc4m.onion/?q=ip&ia=answer
duckduckgo.com/?q=ip&ia=answer
cockmailwwfvrtqj.onion/
xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion/
cock.li/
scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
kgg2m7yk5aybusll.onion/

Why would you use that?
No.
Hack, no.

It's not that encryption is counterproductive, but rather that Tor domains (.onion) are already encrypted by default within the Tor network itself. What is the benefit of HTTPS in this case? EV certificates are a sham so that can't be it.

There is no need to get TLS certificate when it comes to .onion addresses because Tor already encrypts your packet.

Because of how tor works, like an onion archive.fo/yLEap , the packets are in plaintext/however you sent them at the final exit node.
It goes
So by adding TLS to the mix your plaintext at node3 and between node3 and destination becomes encrypted. Otherwise a rouge exit node could collect all your information or modify it as it travels between you and your destination, using hidden services or non hidden services. So it is a ok way to insure that exit node 3 doesn't get at your plaintext. The only problem is using TLS/SSL is shit because you trust a third party to assure the encryption. Something like SSH would be better for encrypting the packets as then you get access to the whole standard openssl/libre/etc library for encryption and whatnot along with not having a third party that can decrypt the packets. The only person decrypting it is your destination and yourself idealy. There's a whole slew of other problems to account for but this is the gist of why to encrypt.

Its like a vpn, your traffic to the vpn is encrypted but when it arrives the vpn sends it to your destination and sees the packets, encrypted by you or not, then sending them to the destination. If you used http the distance between the vpn and the destination can see the http traffic including the vpn who decrypted it when you sent it using a vpn client. Just like with tor.

That archive.fo URL has a bad cert, but, even after accepting it, it returns HTTP status code 403.

Why can a Tor exit node decrypt data, but not the entry node?
2013-05-28

Me -> Node A -> Node B -> Node C -> destination

security.stackexchange.com/questions/36571/why-can-a-tor-exit-node-decrypt-data-but-not-the-entry-node

It does. Read more about how onion routing works.

maybe they dont trust the encryption. seems like only big companies like facebook can get valid certs tho

...

He's asking about a hidden service, brainlet.

.onion addresses can't provide authenticity. If your private key is stolen, you have to generate a new .onion address and somehow tell the people to not use the old one.

X.509 certificates (TLS certificates) are revocable and can be chained. The issuer can store the private keys offline on cold storage, and can notice you if something went wrong.


Don't spread false information please. There is no exit node. OP asked explicitly about .onion URLs.

What is the point of using tor in current year when the NSA control most nodes and can see what you are connecting to?

free DNS, crypto, hiding of your IP from 666 Gb/s upnp floods, and SEO pessimization.

and free CP

Me node A node B node C node Z node Y node X hidden web server

I and the node C's communication is encrypted. And the hidden web server and the node Z's communication is encrypted. But isn't the node C and node Z's communication encrypted? Because Tor encrypts my packet three times by using node A, B, C's public keys and decrypts it when it arrives to each node. So when it arrives to the node C, it will be decrypted entirely by node C's private key. And the node C transfer my packet to the node Z without encryption, right?

Nice to see the blackpill shills back now that the government shutdown is over. How's the weather in the D.C. area today?

>>>/reddit/

Between the node C and node Z, there might not be encryption.

You are either confusing the data encryption with the routing path encryption or making the mistake of applying the clearnet drawings to this case.

Point 0.2 in the spec gitweb.torproject.org/torspec.git/tree/rend-spec-v2.txt describes how the connections are made. When the connections are ready, the data is always encrypted end-to-end. The .onion address itself is derived from the server's public key.

When the traffic arrives to the node C, the only thing that will be decrypted entirely by node C's private key is encrypted by B and says: "Hey C, I have some for you, sent it to Z please."

False!
Connection between 2 relays is always encrypted.

3g2upl4pq6kufc4m.onion/?q=ip&ia=answer
duckduckgo.com/?q=ip&ia=answer
How did Tor achieve this?


It's the default Tor Browser search engine.

Thanks for the explanation. However, isn't the X.509 certificate trading off better security for slightly worse privacy? After all, the point of Tor is to guarantee anonymity.

Attached: 1526319758298.jpg (1059x1324, 196.04K)

shes so cute

Attached: tfwnogf.jpg (800x800, 40.19K)

You can be your own certificate authority, set the OCSP url to another .onion domain...

Tor doesn't guarantee anything, the anonymity Tor provides is probabilistic. It is based on the amount of well behaving nodes and the number of Tor users.

Not even that as if everyone was a tor user then everyone's traffic would get decrypted at the third hop to be sent onward and in the hop from the third node of each side of the traffic the data could be copied. Tor just makes it harder to sort all the data as you get duplicates at multiple locations that have more encryption applied.

Are you recommending you should instead grab it from the clearweb?

So .onion address doesn't need TLS certificate (https). Because between you and the hidden server, the all traffic is encrypted.

that is 100% thot material and you are ruining this board with your beta retardation.

SHOW PROOF NEGRO. THEN TALK. MOTHERFUCK.

I also wanna rape my mom!

congrats, you just got owned

Maybe is of the same race as her.
Instead just tell him to kill himself next time.

Certs have a time frame in which they're valid.
Are you sure it's not just your PC clock that's wrongly configured, retard?

The traffic between a hidden service and a client is end to end encrypted. Client validates the encryption handshake by hidden service's .onion address, which is a hashed and then shortened form of hidden service's private key.

Version 3 hidden services are more private and secure than v2 ones as a result of upgraded encryption algorithms and changing how they announce themselves to hidden directory servers (HSDirs). Some websites may mix clearnet and .onion connections (Zig Forums for example) therefore nullifying any privacy and security advantage its hidden service might offer.

For comparison, here are cock.li's hidden service addresses:
version 2: cockmailwwfvrtqj.onion/
version 3: xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion/

There's no need to insult and my system's clock is fine.

Firefox complains that the cert does not apply to the archive.fo domain (SSL_ERROR_BAD_CERT_DOMAIN), only for specific unrelated domains (ssl503537.cloudflaressl.com, *.digitalocean.com, digitalocean.com).

The HTTP status code 403 is returned by the Cloudflare server used by archive.fo.

If you set your DNS as 1.1.1.1 (CloudFlare), you will meet any errors. 8.8.8.8. (Google) or anything is okay.

archive.is (archive.fo) has problem with 1.1.1.1 DNS.

Cock.li E-mail Hosting

cock.li/

cockmailwwfvrtqj.onion/

xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion/

So that site MUST move to CloudDNS, a cuckflare alternative.

One possible argument unmentioned so far is defense in depth.

If Tor was compromised, at least there is one more layer of encryption between you and the server. One more layer of shit for an adversary recording all traffic for later decryption to deal with, one more thorn that might juts keep you out of trouble for longer.

Likewise, for TLS in HTTPS.

But significantly more useful for browsing clearnet through Tor than onion sites on Tor.

Similar to how virtual machines were supposed to protect us from exploits with a nation-state adversary origin? We all saw how that went. Putting yet another layer of abstraction on top protects no one. It won't matter how many proxies you are behind or how many TLS tunnels you wrap around your traffic when public key encryption algorithms that ensure the safe data transit between nodes gets compromised.

All we need is a new public key encryption algorithm that can withstand quantum cryptanalysis.

From a security standpoint it doesn't give you better traffic encryption or anything but what it can do is help prove the the onion URL you are using is actually duckduckgo and not a rogue actor pretending to be duckduckgo.

For onion-only sites this isnt beneficial

you are a naive fool.
the more layers the better.

Good luck, I'm behind 7 proxies

But the certificate only proves that whoever requested it could provide valid data that says they own the domain. That alone does not tell you much about the legitimacy of the site.

DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

*Organization Validation

There is no anonymity if I, as a web master, use an EV certificate.

because when you leave the tor network you are on the clearnet. so at that point you can connect to HTTPS sites just like normal. You just can't connect to .onion sites via SSL because they don't work that way and because it's redundant anyway. it's already encrypted.

Yes you can.
Correct. It only adds security against people bruteforcing a whole entire onion address which is invesable. The more likely case of your site getting hijacked is them stealing your private ey for the hidden service. If they are able to do that, they are also able to steal the private key for your certificate.

Every new certificate today is public due to CT.

HAPAS ARE SUPERIOR TO WHITES
The first point that you need to note is that Whites were historically a great civilization. I don't deny that, after all, they controlled over 3/4 of the world at some point.
The second point that you need to note is that Asians are autistic bug-people with no empathy. No empathy = less societal progress since they let people die randomly despite their worth to society.
The third point that you need to acknowledge is that white people have lost any and all traits which made them a powerful and superior race. You NEET-Sock larpers take achievements from the last great men in NS Germany and attempt to make them your own. You haven't done shit. White people are 100% jew controlled, and this isn't because the jew is particularly powerful. This is because white people are emotionally weak. Why? Whites have been undergoing severe devolution over the past 100 years. The two jew-induced world wars killed off entire generations of strong, brave white men, and this has KILLED THE WHITE RACE. You pathetic Nig-Sock larpers need to understand this. There's no coming back from this.
White people are weak and pathetic. They have lost 100% of what made them great through a jewish dysgenics program, and while this is unfortunate, it is also irreversible. So forget about it.
Hapas, more specifically White/Asian hapas, are the new ubermensch, so to speak. We are superior to both whites and asians since the properties of both races are polar opposites, yet meet in the middle to form an optimal combination. Whites are too cucked and have too much empathy, so much so that they feel excessive empathy to subhuman races like niggers, jews and arabs.
On the opposite side of the scale, asians have too little empathy, being perfectly content to watch their fellow countrymen run over by trucks, poisoned by fake food products, gassed by the very air in their cities, and executed by their own government for petty reasons.
These two qualities are, as I mentioned, polar opposites, and neither are beneficial to the well-being of society. Hapas possess something in the middle of these polar opposites. We are much more racist than white people. And at the same time, we have empathy towards each other. Our women are far less slutty than white roasties, contrary to /poo/ disinformation - white men prefer white or asian women, not hapas. I know this not only due to theoretical knowledge but due to actual life experience talking to others of my own kind. We only require the tiniest push to fully support anti-nigger, anti-shitskin and anti-kike ideology, whereas whites never go all the way. Whites can only become magakikes, or anti-illegal-immigrants at the ABSOLUTE best.
Hapas are small in number at the moment but with further degeneration of the white race, racemixing between whites and asians will become more frequent. Hapas will rise from the ashes of the white race and inherit the world.
It is often stated by Nig-Socks that racemixing is evil and bad because "the product of racemixing contains neither of the desirable qualities of the two parent races". This may be true under ideal conditions, but Whites and Asians don't have any desirable qualities by themselves. The races have been degenerated by decades of communist (i.e. jewish) dysgenics (in the case of asians) or decades of war-induced jewish dysgenics (in the case of whites). As such, the ordinary Zig Forums theory no longer applies. Neither of the parent races, whites or asians, actually are suited to their environment. They also happen to have polar opposite qualities, which conflict with the goal of societal stability. This is why hapas are not inferior, but superior to both races.
Note that what I said only applies to White/Asian hapas. Any mixtures containing shitskin or nigger genetics is just as bad as the shitskin or nigger genetics would be by themselves, since shitskins and niggers were never a part of great civilization.

did you mean ssl op?

can someone explain how a hidden service works? all i know is the standard 5-step flow.

OpenSSL can come with vulnerabilities but so can Tor so you gotta decide for yourself.

Old tor encryption was pretty weak, I think they fixed that with v3 protocol so imho now using SSL just increases traffic and attack surface for server and client.

I suppose it adds yet another layer of encryption.
Like, your message to an .onion service is already encrypted by itself, and even on the wire/loopback interface there will be only TLS traffic.

It should be noted that your message hits Tor network encrypted provided you use your Tor client on the localhost or trusted network. Tor client communicates with a first node via an encrypted channel.
It wasn't obvious from that post.

or rather, BECOMES encrypted by itself with more TLS onto it

no, as said, tor hidden services are end-to-end encrypted.

All communications within Tor are encrypted.
What I was saying was that you could theoretically have Tor client not on 127.0.0.1 (as it works like Socks proxy for programs) and communications to THAT would not be encrypted. With additional TLS layer though, it would become encrypted regardless. Not that you should rely on it if you don't trust the network you're going to use to reach the Tor client though. TLS1.2 leaks SNI and shiet.

>DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
No, they're not even good in theory.

The tor client encrypts the message 3 times with the private keys of the three nodes its going to rout through. The first node unwraps the first layer of encryption, so it knows who is sending the message but it can't read the message. The second node can only see the first node sending and doesn't know who is sending the message or what the message is. The last node peals off the last layer of encryption and prepares to send it to the clear net server. It can read the message but doesn't know who its from. Technically if all three of the nodes were monitored, or owned by the same entity the message could be correlated by size.

if you want to watch youtube with javascript disable, use invidio.us
also invidio has an onion link
kgg2m7yk5aybusll.onion/

YOUTUBE ON ONION BITCHES

its good if you are really paranoid and think that the cianiggers have a way to see the traffic that goes to the service. tho you have to use self signed certs then not something thats signed by someone else

Wouldn't streaming load abuse the TOR network?

It's not always three nodes and if all nodes are owned by the same entity then it can see the entire path and doesn't have to do any size-based guessing.


>>DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
What are you guys talking about?

Your shitty cloudflare encumbered website says:
LOL. You're retarded.

Also there are browser extensions that show a warning when a website's certificate changed so that can help detect MITM attacks or hijacked v2 onion addresses even with selfsigned ssl certs. Including on Tor.

its 720p 60fps i doubt its much, like 400 kbit

30 fps*
its in webm format

Reminder that if you intend to watch the entire episode it's usually better to youtube-dl it.
Supports tor too and if you download into a tmpfs it doesn't wear down your hard drive.

And if it contains some rare shit that you want to save from censorship you won't have to redownload the data, putting unnecessary strain on tor.
Video streaming creates a shitton of traffic.
#!/bin/shyoutube-dl --proxy socks5://127.0.0.1:9050/ --hls-prefer-native $*

s/episode/video/

ANYONE can produce a valid cert

valid = accepted by browsers

having those annoying warnings for self signed certs is just another jewish trick. its not like any normie ever checks if the cert is really right and theres rarely any way to do that because no one tells the information thats needed for it

HAPAS ARE SUPERIOR TO WHITES

It pisses me off to no end when idiots like you pretend to know what they're talking about in Zig Forums. If you don't know, it's fine, but don't go pretending you do and spread false information, just shut the fuck up.

OP was talking about hidden services (hence ".onion URLs"), what you described was merely using Tor as a proxy to the clearnet, hidden services do not work like that.

HAPAS ARE SUPERIOR TO WHITES

Yikes. Where did all this misogyny come from?

I love Donald Trump! Heil Israel MIGA 2020!!!

Where are all these shills coming from?

Whatcha sliding mordecai?

I don't know what I'm talking about but
HAPAS ARE INFERIOR TO WHITES

Fuck off moshe.

Looks like some Soros-funded controlled opposition to me.

LOL, I wish I thought of doing that!

DAILY REMINDER THAT THE MODS ARE COMPROMISED MOSSAD/CIA SHILLS

I smell rats.