.onion URLs and HTTPS certificates

Christian Thomas

DuckDuckGo as an example: 3g2upl4pq6kufc4m.onion/

What is the impact of using TLS on an .onion URL like this? Is it redundant? And/or is it counterproductive?



Jack Peterson

DuckDuckGo
the ultimate jewscript inventor search engine made to datamine you
Why would you use that?
Is it redundant?
No.
And/or is it counterproductive?
encryption
counterproductive
ever
Hack, no.

James Reyes

It's not that encryption is counterproductive, but rather that Tor domains (.onion) are already encrypted by default within the Tor network itself. What is the benefit of HTTPS in this case? EV certificates are a sham so that can't be it.

Tyler Kelly

There is no need to get a TLS certificate when it comes to .onion addresses because Tor already encrypts your packet.

Caleb Brooks

point of encrypting a packet
Because of how tor works, like an onion archive.fo/yLEap , the packets are in plaintext/however you sent them at the final exit node.
It goes
you - unencrypted by tor
tor node1 - encrypted by tor
tor node2 - encrypted by tor
tor node3 - decrypted by tor
destination - unencrypted by tor
So by adding TLS to the mix your plaintext at node3 and between node3 and destination becomes encrypted. Otherwise a rogue exit node could collect all your information or modify it as it travels between you and your destination, using hidden services or non hidden services. So it is an ok way to ensure that exit node 3 doesn't get at your plaintext. The only problem is using TLS/SSL is shit because you trust a third party to assure the encryption. Something like SSH would be better for encrypting the packets as then you get access to the whole standard openssl/libre/etc library for encryption and whatnot along with not having a third party that can decrypt the packets. The only person decrypting it is your destination and yourself ideally. There's a whole slew of other problems to account for but this is the gist of why to encrypt.

It's like a vpn, your traffic to the vpn is encrypted but when it arrives the vpn sends it to your destination and sees the packets, encrypted by you or not, then sending them to the destination. If you used http the distance between the vpn and the destination can see the http traffic including the vpn who decrypted it when you sent it using a vpn client. Just like with tor.
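Added example (not from the thread or from the Tor project): a short Python script that models the three-layer wrapping described in the post above with a toy keystream cipher and constructed keys, then shows what the middle hop and the exit hop hold, once with the request sent as plain HTTP and once with an extra end-to-end layer standing in for TLS (or for the end-to-end encryption a hidden-service connection already has). The hop keys, the end-to-end key and the HTTP request are all made up for the demo; Tor's real per-hop AES-CTR keys and circuit handshake are not modelled, only the wrap-three-layers / peel-one-per-hop structure.

```python
"""Toy onion-layer walkthrough for the circuit drawn in the post above.

Added illustration, not Tor's code: the three hop keys, the end-to-end key
and the HTTP request are constructed for the demo, and the "cipher" is a
SHA-256 keystream XOR so the script needs only the standard library.
Tor negotiates per-hop AES-CTR keys during circuit setup; only the
wrap-three-layers / peel-one-layer-per-hop structure is modelled here.
"""
import hashlib

# Constructed keys: one shared between the client and each hop.
HOP_KEYS = [b"guard-key-constructed", b"middle-key-constructed", b"exit-key-constructed"]
# Constructed key that only the client and the destination hold. It stands
# in for a TLS session key (clearnet site) or for the end-to-end layer a
# hidden-service connection already has; the relays never see it.
E2E_KEY = b"end-to-end-key-constructed"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.
    Applying it twice with the same key restores the input."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(payload: bytes, hop_keys: list) -> bytes:
    """Client side: add one layer per hop, innermost layer for the exit."""
    onion = payload
    for key in reversed(hop_keys):
        onion = keystream_xor(key, onion)
    return onion


def peel_along_path(onion: bytes, hop_keys: list) -> list:
    """Relay side: each hop strips its own layer; return what each hop holds."""
    seen = []
    for key in hop_keys:
        onion = keystream_xor(key, onion)
        seen.append(onion)
    return seen


def exit_view(payload: bytes, e2e_key: bytes = None) -> bytes:
    """Bytes the exit (hop 3) holds after peeling its layer.
    Without e2e_key this is the payload itself (plain HTTP over Tor);
    with it, the exit only holds ciphertext it has no key for."""
    inner = keystream_xor(e2e_key, payload) if e2e_key else payload
    return peel_along_path(build_onion(inner, HOP_KEYS), HOP_KEYS)[-1]


def middle_view(payload: bytes) -> bytes:
    """Bytes the middle hop (hop 2) holds: still wrapped in the exit's layer."""
    return peel_along_path(build_onion(payload, HOP_KEYS), HOP_KEYS)[1]


if __name__ == "__main__":
    request = b"GET /?q=ip HTTP/1.1\r\nHost: example.invalid\r\n"  # constructed
    print("exit holds (plain HTTP):      ", exit_view(request))
    print("exit holds (with e2e layer):  ", exit_view(request, E2E_KEY).hex())
    print("middle holds (plain HTTP):    ", middle_view(request).hex())
```

Run as a script, the exit hop prints the readable request in the first case and only ciphertext in the second, while the middle hop never holds the request in the clear in either case; that difference is the whole argument for TLS when a Tor circuit ends at a clearnet site.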

Jack Carter

That archive.fo URL has a bad cert, but, even after accepting it, it returns HTTP status code 403.

Samuel James

Why can a Tor exit node decrypt data, but not the entry node?
2013-05-28

Me -> Node A -> Node B -> Node C -> destination

security.stackexchange.com/questions/36571/why-can-a-tor-exit-node-decrypt-data-but-not-the-entry-node

Brayden Campbell

It does. Read more about how onion routing works.

Thomas Wright

maybe they don't trust the encryption. seems like only big companies like facebook can get valid certs tho

John Myers

exit node
.onion address

Jackson Gutierrez

He's asking about a hidden service, brainlet.

Luis Jackson

.onion addresses can't provide authenticity. If your private key is stolen, you have to generate a new .onion address and somehow tell the people to not use the old one.

X.509 certificates (TLS certificates) are revocable and can be chained. The issuer can store the private keys offline on cold storage, and can notify you if something went wrong.

Don't spread false information please. There is no exit node. OP asked explicitly about .onion URLs.

Jaxon Wilson

What is the point of using tor in current year when the NSA control most nodes and can see what you are connecting to?

John Smith

free DNS, crypto, hiding of your IP from 666 Gb/s upnp floods, and SEO pessimization.

Joseph White

and free CP

Juan Campbell

Me <-> node A <-> node B <-> node C <-> node Z <-> node Y <-> node X <-> hidden web server

My communication with node C is encrypted. And the hidden web server's communication with node Z is encrypted. But isn't the communication between node C and node Z encrypted? Because Tor encrypts my packet three times by using node A, B, C's public keys and decrypts it when it arrives at each node. So when it arrives at node C, it will be decrypted entirely by node C's private key. And node C transfers my packet to node Z without encryption, right?

Caleb King

Nice to see the blackpill shills back now that the government shutdown is over. How's the weather in the D.C. area today?

Xavier Rodriguez

hurr durr tor is for CP
/reddit/index.html

Kayden White

Between the node C and node Z, there might not be encryption.

Oliver Peterson

You are either confusing the data encryption with the routing path encryption or making the mistake of applying the clearnet drawings to this case.

Point 0.2 in the spec gitweb.torproject.org/torspec.git/tree/rend-spec-v2.txt describes how the connections are made. When the connections are ready, the data is always encrypted end-to-end. The .onion address itself is derived from the server's public key.

When the traffic arrives at node C, the only thing that will be decrypted entirely by node C's private key is encrypted by B and says: "Hey C, I have some <encrypted traffic> for you, send it to Z please."

Christian Howard

False!
Connection between 2 relays is always encrypted.

Matthew Hughes

3g2upl4pq6kufc4m.onion/?q=ip&ia=answer
duckduckgo.com/?q=ip&ia=answer
Your IP address is unavailable.
How did Tor achieve this?

It's the default Tor Browser search engine.

Isaiah Thomas

Thanks for the explanation. However, isn't the X.509 certificate trading off better security for slightly worse privacy? After all, the point of Tor is to guarantee anonymity.


Cooper Roberts

shes so cute


Nathaniel Walker

You can be your own certificate authority, set the OCSP url to another .onion domain...

Tor doesn't guarantee anything, the anonymity Tor provides is probabilistic. It is based on the amount of well behaving nodes and the number of Tor users.

Charles Long

and the amount of tor users
Not even that as if everyone was a tor user then everyone's traffic would get decrypted at the third hop to be sent onward and in the hop from the third node of each side of the traffic the data could be copied. Tor just makes it harder to sort all the data as you get duplicates at multiple locations that have more encryption applied.

Noah Moore

Are you recommending you should instead grab it from the clearweb?

Brayden Gutierrez

So a .onion address doesn't need a TLS certificate (https), because between you and the hidden server all the traffic is encrypted.

Luke Baker

that is 100% thot material and you are ruining this board with your beta retardation.

Adam Butler

SHOW PROOF NEGRO. THEN TALK. MOTHERFUCK.

Parker Garcia

I also wanna rape my mom!

Jaxon Powell

congrats, you just got owned

Robert Clark

Maybe is of the same race as her.
Instead just tell him to kill himself next time.

Jose Diaz

Certs have a time frame in which they're valid.
Are you sure it's not just your PC clock that's wrongly configured, retard?

Julian Brooks

The traffic between a hidden service and a client is end to end encrypted. The client validates the encryption handshake by the hidden service's .onion address, which is a hashed and then shortened form of the hidden service's private key.

Version 3 hidden services are more private and secure than v2 ones as a result of upgraded encryption algorithms and changing how they announce themselves to hidden directory servers (HSDirs). Some websites may mix clearnet and .onion connections (Zig Forums for example) therefore nullifying any privacy and security advantage its hidden service might offer.

For comparison, here are cock.li's hidden service addresses:
version 2: cockmailwwfvrtqj.onion/
version 3: xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion/
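Added example (not the poster's code and not Tor's): a Python script that checks the structure of the two addresses quoted above. A v2 address is just a truncated hash, so only its length can be checked; a v3 address carries the service's ed25519 public key plus a two-byte SHA3-256 checksum and a version byte, so its checksum can be recomputed offline. The 32-byte demo key in the script is a constructed byte pattern, not a real key, and the address layout follows rend-spec-v3 section 6 as I know it.

```python
"""Structure check for .onion addresses (added illustration, not Tor's code).

v2 (16 base32 chars): the first 80 bits of SHA-1 over the service's
DER-encoded RSA-1024 public key. The address is only a hash, so nothing in
it can be verified offline.

v3 (56 base32 chars), per rend-spec-v3 section 6, encodes
    PUBKEY (32-byte ed25519) || CHECKSUM (2 bytes) || VERSION (0x03)
with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
The address carries the whole public key, which is what lets the client
authenticate the service's handshake against the address itself.

The ed25519 key used in the demo is a constructed byte pattern, not a real key.
"""
import base64
import hashlib

V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _label(address: str) -> str:
    """Lowercase hostname part of an address, without ".onion" or any path."""
    host = address.strip().lower().split("/")[0]
    return host[:-len(".onion")] if host.endswith(".onion") else host


def v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Address a v3 service with this ed25519 public key would announce."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion(address: str) -> dict:
    """Classify an address and, for v3, verify the checksum and version byte.
    'valid' is None for v2 (unverifiable offline), False for malformed input."""
    label = _label(address)
    if len(label) == 16:
        return {"version": 2, "valid": None, "pubkey": None}
    if len(label) != 56:
        return {"version": None, "valid": False, "pubkey": None}
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error: not base32
        return {"version": None, "valid": False, "pubkey": None}
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    ok = version == V3_VERSION and checksum == v3_checksum(pubkey)
    return {"version": 3, "valid": ok, "pubkey": pubkey}


if __name__ == "__main__":
    # The two cock.li addresses quoted in the post above.
    for addr in ("cockmailwwfvrtqj.onion/",
                 "xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion/"):
        print(addr, parse_onion(addr))
    demo_key = bytes(range(32))  # constructed, not a real key
    print(encode_v3(demo_key), parse_onion(encode_v3(demo_key))["valid"])
```

Every well-formed v3 address ends in "d" because the version byte 0x03 lands in the last base32 character; a single wrong character anywhere in the key part flips the checksum, which is why a v3 address typed from memory fails loudly instead of silently pointing somewhere else.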

Liam Kelly

There's no need to insult and my system's clock is fine.

Firefox complains that the cert does not apply to the archive.fo domain (SSL_ERROR_BAD_CERT_DOMAIN), only for specific unrelated domains (ssl503537.cloudflaressl.com, *.digitalocean.com, digitalocean.com).

The HTTP status code 403 is returned by the Cloudflare server used by archive.fo.

Josiah Sullivan

If you set your DNS to 1.1.1.1 (CloudFlare), you will run into errors. 8.8.8.8 (Google) or anything else is okay.

archive.is (archive.fo) has a problem with 1.1.1.1 DNS.

Liam Moore

Cock.li E-mail Hosting

cock.li/

cockmailwwfvrtqj.onion/

xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion/

Lucas Reyes

So that site MUST move to CloudDNS, a cuckflare alternative.

Josiah Edwards

One possible argument unmentioned so far is defense in depth.

If Tor was compromised, at least there is one more layer of encryption between you and the server. One more layer of shit for an adversary recording all traffic for later decryption to deal with, one more thorn that might just keep you out of trouble for longer.

Likewise, for TLS in HTTPS.

But significantly more useful for browsing clearnet through Tor than onion sites on Tor.

Owen Watson

Similar to how virtual machines were supposed to protect us from exploits with a nation-state adversary origin? We all saw how that went. Putting yet another layer of abstraction on top protects no one. It won't matter how many proxies you are behind or how many TLS tunnels you wrap around your traffic when the public key encryption algorithms that ensure safe data transit between nodes get compromised.

All we need is a new public key encryption algorithm that can withstand quantum cryptanalysis.

Dylan Taylor

From a security standpoint it doesn't give you better traffic encryption or anything but what it can do is help prove the onion URL you are using is actually duckduckgo and not a rogue actor pretending to be duckduckgo.

For onion-only sites this isn't beneficial

Cameron Harris

you are a naive fool.
the more layers the better.

Brayden Perez

Good luck, I'm behind 7 proxies

Camden Nelson

But the certificate only proves that whoever requested it could provide valid data that says they own the domain. That alone does not tell you much about the legitimacy of the site.

DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

Grayson Fisher

Origin Validation
*Organization Validation

Daniel Lewis

There is no anonymity if I, as a web master, use an EV certificate.

Oliver White

because when you leave the tor network you are on the clearnet. so at that point you can connect to HTTPS sites just like normal. You just can't connect to .onion sites via SSL because they don't work that way and because it's redundant anyway. it's already encrypted.

Camden Bailey

You just can't connect to .onion sites via SSL
Yes you can.
it's redundant anyway
Correct. It only adds security against people bruteforcing an entire onion address, which is infeasible. The more likely case of your site getting hijacked is them stealing your private key for the hidden service. If they are able to do that, they are also able to steal the private key for your certificate.

Zachary Brown

Every new certificate today is public due to CT.

Jacob Wright

HAPAS ARE SUPERIOR TO WHITES
The first point that you need to note is that Whites were historically a great civilization. I don't deny that, after all, they controlled over 3/4 of the world at some point.
The second point that you need to note is that Asians are autistic bug-people with no empathy. No empathy = less societal progress since they let people die randomly despite their worth to society.
The third point that you need to acknowledge is that white people have lost any and all traits which made them a powerful and superior race. You NEET-Sock larpers take achievements from the last great men in NS Germany and attempt to make them your own. You haven't done shit. White people are 100% jew controlled, and this isn't because the jew is particularly powerful. This is because white people are emotionally weak. Why? Whites have been undergoing severe devolution over the past 100 years. The two jew-induced world wars killed off entire generations of strong, brave white men, and this has KILLED THE WHITE RACE. You pathetic Nig-Sock larpers need to understand this. There's no coming back from this.
White people are weak and pathetic. They have lost 100% of what made them great through a jewish dysgenics program, and while this is unfortunate, it is also irreversible. So forget about it.
Hapas, more specifically White/Asian hapas, are the new ubermensch, so to speak. We are superior to both whites and asians since the properties of both races are polar opposites, yet meet in the middle to form an optimal combination. Whites are too cucked and have too much empathy, so much so that they feel excessive empathy to subhuman races like niggers, jews and arabs.
On the opposite side of the scale, asians have too little empathy, being perfectly content to watch their fellow countrymen run over by trucks, poisoned by fake food products, gassed by the very air in their cities, and executed by their own government for petty reasons.
These two qualities are, as I mentioned, polar opposites, and neither are beneficial to the well-being of society. Hapas possess something in the middle of these polar opposites. We are much more racist than white people. And at the same time, we have empathy towards each other. Our women are far less slutty than white roasties, contrary to /poo/ disinformation - white men prefer white or asian women, not hapas. I know this not only due to theoretical knowledge but due to actual life experience talking to others of my own kind. We only require the tiniest push to fully support anti-nigger, anti-shitskin and anti-kike ideology, whereas whites never go all the way. Whites can only become magakikes, or anti-illegal-immigrants at the ABSOLUTE best.
Hapas are small in number at the moment but with further degeneration of the white race, racemixing between whites and asians will become more frequent. Hapas will rise from the ashes of the white race and inherit the world.
It is often stated by Nig-Socks that racemixing is evil and bad because "the product of racemixing contains neither of the desirable qualities of the two parent races". This may be true under ideal conditions, but Whites and Asians don't have any desirable qualities by themselves. The races have been degenerated by decades of communist (i.e. jewish) dysgenics (in the case of asians) or decades of war-induced jewish dysgenics (in the case of whites). As such, the ordinary /pol/ theory no longer applies. Neither of the parent races, whites or asians, actually are suited to their environment. They also happen to have polar opposite qualities, which conflict with the goal of societal stability. This is why hapas are not inferior, but superior to both races.
Note that what I said only applies to White/Asian hapas. Any mixtures containing shitskin or nigger genetics is just as bad as the shitskin or nigger genetics would be by themselves, since shitskins and niggers were never a part of great civilization.

Aiden Rogers

TLS
did you mean ssl op?

Isaiah Mitchell

can someone explain how a hidden service works? all i know is the standard 5-step flow.

Adam Phillips

OpenSSL can come with vulnerabilities but so can Tor so you gotta decide for yourself.

Old tor encryption was pretty weak, I think they fixed that with v3 protocol so imho now using SSL just increases traffic and attack surface for server and client.

Jaxon Jenkins

I suppose it adds yet another layer of encryption.
Like, your message to an .onion service is already encrypted by itself, and even on the wire/loopback interface there will be only TLS traffic.
It should be noted that your message hits the Tor network encrypted provided you use your Tor client on the localhost or a trusted network. The Tor client communicates with the first node via an encrypted channel.
It wasn't obvious from that post.

Jayden Hughes

is already encrypted by itself
or rather, BECOMES encrypted by itself with more TLS onto it

Jaxson Robinson

or rather, BECOMES encrypted
no, as said, tor hidden services are end-to-end encrypted.

Elijah Morgan

All communications within Tor are encrypted.
What I was saying was that you could theoretically have Tor client not on 127.0.0.1 (as it works like Socks proxy for programs) and communications to THAT would not be encrypted. With additional TLS layer though, it would become encrypted regardless. Not that you should rely on it if you don't trust the network you're going to use to reach the Tor client though. TLS1.2 leaks SNI and shiet.

William Edwards

DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
No, they're not even good in theory.

Parker Gomez

The tor client encrypts the message 3 times with the private keys of the three nodes it's going to route through. The first node unwraps the first layer of encryption, so it knows who is sending the message but it can't read the message. The second node can only see the first node sending and doesn't know who is sending the message or what the message is. The last node peels off the last layer of encryption and prepares to send it to the clear net server. It can read the message but doesn't know who it's from. Technically if all three of the nodes were monitored, or owned by the same entity, the message could be correlated by size.

Grayson Barnes

if you want to watch youtube with javascript disabled, use invidio.us
also invidio has an onion link
kgg2m7yk5aybusll.onion/

YOUTUBE ON ONION BITCHES

Asher Baker

its good if you are really paranoid and think that the cianiggers have a way to see the traffic that goes to the service. tho you have to use self signed certs then not something thats signed by someone else

Liam Russell

Wouldn't streaming load abuse the TOR network?

Dominic Wilson

if all three of the nodes were monitored, or owned by the same entity the message could be correlated by size.
It's not always three nodes and if all nodes are owned by the same entity then it can see the entire path and doesn't have to do any size-based guessing.

DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
No, they're not even good in theory.
What are you guys talking about?

Your shitty cloudflare encumbered website says:
The EV certificate on yell.com was displaying the name of the company that owned them for a long time which is Hibu (UK) Ltd. and not something like Yell (UK) Ltd. as you might expect.
LOL. You're retarded.

Jace Young

Also there are browser extensions that show a warning when a website's certificate changed, so that can help detect MITM attacks or hijacked v2 onion addresses even with self-signed SSL certs. Including on Tor.

Cooper Gray

it's 720p 60fps, i doubt it's much, like 400 kbit

Jose Morris

30 fps*
it's in webm format

Leo Kelly

Reminder that if you intend to watch the entire episode it's usually better to youtube-dl it.
Supports tor too, and if you download into a tmpfs it doesn't wear down your hard drive.

And if it contains some rare shit that you want to save from censorship you won't have to redownload the data, putting unnecessary strain on tor.
Video streaming creates a shitton of traffic.
#!/bin/sh
# Send youtube-dl through the local Tor SOCKS port; "$@" passes the arguments through intact (plain $* would split any argument containing spaces)
youtube-dl --proxy socks5://127.0.0.1:9050/ --hls-prefer-native "$@"

Adam King

s/episode/video/

Brandon Thomas

ANYONE can produce a valid cert

Jack Harris

valid = accepted by browsers

Colton Jenkins

having those annoying warnings for self signed certs is just another jewish trick. it's not like any normie ever checks if the cert is really right and there's rarely any way to do that because no one tells the information that's needed for it

Kevin Moore

HAPAS ARE SUPERIOR TO WHITES

Kevin Morris

It pisses me off to no end when idiots like you pretend to know what they're talking about in Zig Forums. If you don't know, it's fine, but don't go pretending you do and spread false information, just shut the fuck up.

OP was talking about hidden services (hence ".onion URLs"), what you described was merely using Tor as a proxy to the clearnet, hidden services do not work like that.

Justin Parker

HAPAS ARE SUPERIOR TO WHITES

Jeremiah Hughes

Yikes. Where did all this misogyny come from?

Ryan Hernandez

I love Donald Trump! Heil Israel MIGA 2020!!!

James Adams

Where are all these shills coming from?

Luke Parker

Whatcha sliding mordecai?

Leo Bailey

I don't know what I'm talking about but
HAPAS ARE INFERIOR TO WHITES

Levi Lewis

Fuck off moshe.

Thomas Lee

Looks like some Soros-funded controlled opposition to me.

Jack Jackson

LOL, I wish I thought of doing that!

Sebastian Bell

DAILY REMINDER THAT THE MODS ARE COMPROMISED MOSSAD/CIA SHILLS

Ian Bennett

I smell rats.