.onion URLs and HTTPS certificates

DuckDuckGo as an example: 3g2upl4pq6kufc4m.onion/

What is the impact of using TLS on an .onion URL like this? Is it redundant? And/or is it counterproductive?



Why would you use that?
No.
Heck, no.

It's not that encryption is counterproductive, but rather that Tor domains (.onion) are already encrypted by default within the Tor network itself. What is the benefit of HTTPS in this case? EV certificates are a sham so that can't be it.

There is no need to get a TLS certificate when it comes to .onion addresses because Tor already encrypts your packets.

Because of how Tor works, like an onion archive.fo/yLEap , the packets are in plaintext/however you sent them at the final exit node.
It goes
So by adding TLS to the mix your plaintext at node 3 and between node 3 and the destination becomes encrypted. Otherwise a rogue exit node could collect all your information or modify it as it travels between you and your destination, using hidden services or non-hidden services. So it is an OK way to ensure that exit node 3 doesn't get at your plaintext. The only problem is that using TLS/SSL is shit because you trust a third party to assure the encryption. Something like SSH would be better for encrypting the packets, as then you get access to the whole standard openssl/libre/etc. library for encryption and whatnot, along with not having a third party that can decrypt the packets. The only ones decrypting it are your destination and yourself, ideally. There's a whole slew of other problems to account for but this is the gist of why to encrypt.

It's like a VPN: your traffic to the VPN is encrypted, but when it arrives the VPN sends it to your destination and sees the packets, encrypted by you or not, then sends them on to the destination. If you used HTTP, everyone between the VPN and the destination can see the HTTP traffic, including the VPN, which decrypted it when you sent it using a VPN client. Just like with Tor.

That archive.fo URL has a bad cert, but, even after accepting it, it returns HTTP status code 403.

Why can a Tor exit node decrypt data, but not the entry node?
2013-05-28

Me -> Node A -> Node B -> Node C -> destination

security.stackexchange.com/questions/36571/why-can-a-tor-exit-node-decrypt-data-but-not-the-entry-node

It does. Read more about how onion routing works.

Maybe they don't trust the encryption. Seems like only big companies like Facebook can get valid certs though.

...

He's asking about a hidden service, brainlet.

.onion addresses can't provide authenticity. If your private key is stolen, you have to generate a new .onion address and somehow tell people not to use the old one.

X.509 certificates (TLS certificates) are revocable and can be chained. The issuer can store the private keys offline on cold storage, and can notify you if something went wrong.


Don't spread false information please. There is no exit node. OP asked explicitly about .onion URLs.

What is the point of using tor in current year when the NSA control most nodes and can see what you are connecting to?

free DNS, crypto, hiding of your IP from 666 Gb/s upnp floods, and SEO pessimization.

and free CP

Me -> node A -> node B -> node C -> node Z -> node Y -> node X -> hidden web server

The communication between me and node C is encrypted. And the communication between the hidden web server and node Z is encrypted. But isn't the communication between node C and node Z encrypted? Because Tor encrypts my packet three times using node A, B and C's public keys and decrypts it when it arrives at each node. So when it arrives at node C, it will be decrypted entirely by node C's private key. And node C transfers my packet to node Z without encryption, right?

Nice to see the blackpill shills back now that the government shutdown is over. How's the weather in the D.C. area today?

>>>/reddit/

Between node C and node Z, there might not be encryption.

You are either confusing the data encryption with the routing path encryption or making the mistake of applying the clearnet drawings to this case.

Point 0.2 in the spec gitweb.torproject.org/torspec.git/tree/rend-spec-v2.txt describes how the connections are made. When the connections are ready, the data is always encrypted end-to-end. The .onion address itself is derived from the server's public key.

When the traffic arrives at node C, the only thing that will be decrypted entirely by node C's private key is encrypted by B and says: "Hey C, I have something for you, send it to Z please."

False!
Connection between 2 relays is always encrypted.

3g2upl4pq6kufc4m.onion/?q=ip&ia=answer
duckduckgo.com/?q=ip&ia=answer
How did Tor achieve this?


It's the default Tor Browser search engine.

Thanks for the explanation. However, isn't the X.509 certificate trading off better security for slightly worse privacy? After all, the point of Tor is to guarantee anonymity.


shes so cute


You can be your own certificate authority, set the OCSP url to another .onion domain...

Tor doesn't guarantee anything, the anonymity Tor provides is probabilistic. It is based on the amount of well behaving nodes and the number of Tor users.

Not even that, as if everyone was a Tor user then everyone's traffic would get decrypted at the third hop to be sent onward, and in the hop from the third node on each side of the traffic the data could be copied. Tor just makes it harder to sort all the data, as you get duplicates at multiple locations that have more encryption applied.

Are you recommending you should instead grab it from the clearweb?

So a .onion address doesn't need a TLS certificate (HTTPS), because between you and the hidden server all the traffic is encrypted.

that is 100% thot material and you are ruining this board with your beta retardation.

SHOW PROOF NEGRO. THEN TALK. MOTHERFUCK.

I also wanna rape my mom!

congrats, you just got owned

Maybe is of the same race as her.
Instead just tell him to kill himself next time.

Certs have a time frame in which they're valid.
Are you sure it's not just your PC clock that's wrongly configured, retard?

The traffic between a hidden service and a client is end-to-end encrypted. The client validates the encryption handshake by the hidden service's .onion address, which is a hashed and then shortened form of the hidden service's private key.

Version 3 hidden services are more private and secure than v2 ones as a result of upgraded encryption algorithms and changing how they announce themselves to hidden directory servers (HSDirs). Some websites may mix clearnet and .onion connections (Zig Forums for example) therefore nullifying any privacy and security advantage its hidden service might offer.

For comparison, here are cock.li's hidden service addresses:
version 2: cockmailwwfvrtqj.onion/
version 3: xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion/
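As an added, standalone example (not code from the thread or from the Tor project) of the derivation the two posts above refer to, the .onion address being derived from the service's public key: this computes v2 and v3 addresses following rend-spec-v2 and rend-spec-v3, and validates a v3 address by checking its version byte and two-byte SHA3-256 checksum. It uses only the Python standard library. The 32-byte key is a constructed stand-in (a real v3 service uses an Ed25519 public key), the DER bytes fed to the v2 function are constructed too, and the real v3 address it validates is the cock.li one quoted above.

```python
# Added example: derive and validate .onion addresses from a service's public key.
# Standard library only. Not code from the thread or from the Tor project.
import base64
import hashlib

V3_VERSION = b"\x03"

# Constructed stand-in for an Ed25519 public key (32 bytes); not a real service key.
DEMO_PUBKEY = hashlib.sha256(b"constructed demo key, not a real service").digest()
# Real v3 address quoted in the thread (cock.li).
THREAD_V3_ADDRESS = "xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion"


def v2_onion_from_der(der_rsa_pubkey: bytes) -> str:
    """v2 (rend-spec-v2): first 80 bits of SHA-1 over the DER-encoded RSA
    public key, base32-encoded -> 16 lowercase characters."""
    digest = hashlib.sha1(der_rsa_pubkey).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]"""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def v3_onion_from_pubkey(pubkey: bytes) -> str:
    """v3 (rend-spec-v3): base32(PUBKEY | CHECKSUM | VERSION) -> 56 characters.
    Because VERSION is 0x03, every v3 address ends in the base32 digit 'd'."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_v3_onion(address: str):
    """Return the embedded public key if the address decodes, carries version 3
    and its checksum matches; otherwise None (typo, tampering, or not v3)."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError: bad alphabet/padding
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != v3_checksum(pubkey):
        return None
    return pubkey


def self_check() -> dict:
    """Exercise the functions: round-trip a constructed key, validate the real
    address from the thread, and reject two single-character corruptions."""
    label = THREAD_V3_ADDRESS[:56]
    demo_addr = v3_onion_from_pubkey(DEMO_PUBKEY)
    return {
        "roundtrip": parse_v3_onion(demo_addr) == DEMO_PUBKEY,
        "thread_address_valid": parse_v3_onion(THREAD_V3_ADDRESS) is not None,
        # last char d->e turns the version byte from 3 into 4
        "version_tamper_rejected": parse_v3_onion(label[:55] + "e.onion") is None,
        # first char x->y changes the key, so the embedded checksum no longer matches
        "checksum_tamper_rejected": parse_v3_onion("y" + label[1:] + ".onion") is None,
        # v2 output shape on constructed DER bytes (not a real RSA key)
        "v2_shape": len(v2_onion_from_der(b"constructed DER bytes")) == 22,
    }


if __name__ == "__main__":
    for name, ok in self_check().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The checksum is what makes a v3 address self-validating: a mistyped or altered address fails to parse before any connection is attempted, whereas a v2 address is a bare truncated hash with no such check. Note that the check only proves the address matches the key it encodes; as the posts above point out, it says nothing about whether that key belongs to the site you think it does.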

There's no need to insult and my system's clock is fine.

Firefox complains that the cert does not apply to the archive.fo domain (SSL_ERROR_BAD_CERT_DOMAIN), only for specific unrelated domains (ssl503537.cloudflaressl.com, *.digitalocean.com, digitalocean.com).

The HTTP status code 403 is returned by the Cloudflare server used by archive.fo.

If you set your DNS to 1.1.1.1 (Cloudflare), you will get errors. 8.8.8.8 (Google) or anything else is okay.

archive.is (archive.fo) has problem with 1.1.1.1 DNS.


So that site MUST move to CloudDNS, a cuckflare alternative.

One possible argument unmentioned so far is defense in depth.

If Tor was compromised, at least there is one more layer of encryption between you and the server. One more layer of shit for an adversary recording all traffic for later decryption to deal with, one more thorn that might just keep you out of trouble for longer.

Likewise, for TLS in HTTPS.

But significantly more useful for browsing clearnet through Tor than onion sites on Tor.

Similar to how virtual machines were supposed to protect us from exploits with a nation-state adversary origin? We all saw how that went. Putting yet another layer of abstraction on top protects no one. It won't matter how many proxies you are behind or how many TLS tunnels you wrap around your traffic when the public key encryption algorithms that ensure the safe data transit between nodes get compromised.

All we need is a new public key encryption algorithm that can withstand quantum cryptanalysis.

From a security standpoint it doesn't give you better traffic encryption or anything, but what it can do is help prove that the onion URL you are using is actually DuckDuckGo and not a rogue actor pretending to be DuckDuckGo.

For onion-only sites this isn't beneficial.

you are a naive fool.
the more layers the better.

Good luck, I'm behind 7 proxies

But the certificate only proves that whoever requested it could provide valid data that says they own the domain. That alone does not tell you much about the legitimacy of the site.

DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

*Organization Validation

There is no anonymity if I, as a web master, use an EV certificate.

Because when you leave the Tor network you are on the clearnet, so at that point you can connect to HTTPS sites just like normal. You just can't connect to .onion sites via SSL because they don't work that way, and because it's redundant anyway; it's already encrypted.

Yes you can.
Correct. It only adds security against people bruteforcing an entire onion address, which is infeasible. The more likely case of your site getting hijacked is them stealing your private key for the hidden service. If they are able to do that, they are also able to steal the private key for your certificate.

Every new certificate today is public due to CT.

HAPAS ARE SUPERIOR TO WHITES
The first point that you need to note is that Whites were historically a great civilization. I don't deny that, after all, they controlled over 3/4 of the world at some point.
The second point that you need to note is that Asians are autistic bug-people with no empathy. No empathy = less societal progress since they let people die randomly despite their worth to society.
The third point that you need to acknowledge is that white people have lost any and all traits which made them a powerful and superior race. You NEET-Sock larpers take achievements from the last great men in NS Germany and attempt to make them your own. You haven't done shit. White people are 100% jew controlled, and this isn't because the jew is particularly powerful. This is because white people are emotionally weak. Why? Whites have been undergoing severe devolution over the past 100 years. The two jew-induced world wars killed off entire generations of strong, brave white men, and this has KILLED THE WHITE RACE. You pathetic Nig-Sock larpers need to understand this. There's no coming back from this.
White people are weak and pathetic. They have lost 100% of what made them great through a jewish dysgenics program, and while this is unfortunate, it is also irreversible. So forget about it.
Hapas, more specifically White/Asian hapas, are the new ubermensch, so to speak. We are superior to both whites and asians since the properties of both races are polar opposites, yet meet in the middle to form an optimal combination. Whites are too cucked and have too much empathy, so much so that they feel excessive empathy to subhuman races like niggers, jews and arabs.
On the opposite side of the scale, asians have too little empathy, being perfectly content to watch their fellow countrymen run over by trucks, poisoned by fake food products, gassed by the very air in their cities, and executed by their own government for petty reasons.
These two qualities are, as I mentioned, polar opposites, and neither are beneficial to the well-being of society. Hapas possess something in the middle of these polar opposites. We are much more racist than white people. And at the same time, we have empathy towards each other. Our women are far less slutty than white roasties, contrary to /poo/ disinformation - white men prefer white or asian women, not hapas. I know this not only due to theoretical knowledge but due to actual life experience talking to others of my own kind. We only require the tiniest push to fully support anti-nigger, anti-shitskin and anti-kike ideology, whereas whites never go all the way. Whites can only become magakikes, or anti-illegal-immigrants at the ABSOLUTE best.
Hapas are small in number at the moment but with further degeneration of the white race, racemixing between whites and asians will become more frequent. Hapas will rise from the ashes of the white race and inherit the world.
It is often stated by Nig-Socks that racemixing is evil and bad because "the product of racemixing contains neither of the desirable qualities of the two parent races". This may be true under ideal conditions, but Whites and Asians don't have any desirable qualities by themselves. The races have been degenerated by decades of communist (i.e. jewish) dysgenics (in the case of asians) or decades of war-induced jewish dysgenics (in the case of whites). As such, the ordinary Zig Forums theory no longer applies. Neither of the parent races, whites or asians, actually are suited to their environment. They also happen to have polar opposite qualities, which conflict with the goal of societal stability. This is why hapas are not inferior, but superior to both races.
Note that what I said only applies to White/Asian hapas. Any mixtures containing shitskin or nigger genetics is just as bad as the shitskin or nigger genetics would be by themselves, since shitskins and niggers were never a part of great civilization.

did you mean ssl op?

can someone explain how a hidden service works? all i know is the standard 5-step flow.

OpenSSL can come with vulnerabilities but so can Tor so you gotta decide for yourself.

Old Tor encryption was pretty weak. I think they fixed that with the v3 protocol, so IMHO now using SSL just increases traffic and attack surface for server and client.

I suppose it adds yet another layer of encryption.
Like, your message to an .onion service is already encrypted by itself, and even on the wire/loopback interface there will be only TLS traffic.

It should be noted that your message hits the Tor network encrypted provided you use your Tor client on localhost or a trusted network. The Tor client communicates with the first node via an encrypted channel.
It wasn't obvious from that post.

or rather, BECOMES encrypted by itself with more TLS onto it

no, as said, tor hidden services are end-to-end encrypted.

All communications within Tor are encrypted.
What I was saying was that you could theoretically have Tor client not on 127.0.0.1 (as it works like Socks proxy for programs) and communications to THAT would not be encrypted. With additional TLS layer though, it would become encrypted regardless. Not that you should rely on it if you don't trust the network you're going to use to reach the Tor client though. TLS1.2 leaks SNI and shiet.

>DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
No, they're not even good in theory.

The Tor client encrypts the message 3 times with the private keys of the three nodes it's going to route through. The first node unwraps the first layer of encryption, so it knows who is sending the message but it can't read the message. The second node can only see the first node sending and doesn't know who is sending the message or what the message is. The last node peels off the last layer of encryption and prepares to send it to the clearnet server. It can read the message but doesn't know who it's from. Technically, if all three of the nodes were monitored, or owned by the same entity, the message could be correlated by size.
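As an added example, not code from the thread or from Tor, here is a toy model of the three-hop layering described in the post above and in the earlier exit-node post, run once with plain HTTP and once with a TLS-like layer applied before the onion layers. Real Tor negotiates a fresh symmetric key with each relay during the circuit handshake (ntor) and applies AES-CTR per hop rather than using relays' long-term keys; here each hop's cipher is an HMAC-SHA256 keystream XORed onto the cell, and every key is a constructed constant so the run is reproducible. It models the clearnet-exit case the post describes; an onion service circuit has no exit relay.

```python
# Added example, not code from the thread or from Tor: a toy model of the
# layered encryption on a three-hop circuit to a clearnet destination.
import hashlib
import hmac

# Constructed per-hop keys (in Tor these come from the circuit handshakes).
HOP_KEYS = [hashlib.sha256(b"constructed hop key: " + n).digest()
            for n in (b"guard", b"middle", b"exit")]
# Constructed stand-in for a TLS session key shared only with the destination.
E2E_KEY = hashlib.sha256(b"constructed end-to-end key").digest()
PLAINTEXT = b"GET /?q=ip HTTP/1.1\r\nHost: duckduckgo.com\r\n\r\n"


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one layer; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def client_wrap(payload: bytes, hop_keys) -> bytes:
    """Innermost layer first (exit), outermost last (guard), so each relay in
    path order strips exactly one layer with the one key it holds."""
    cell = payload
    for key in reversed(hop_keys):
        cell = xor_layer(key, cell)
    return cell


def relay_circuit(cell: bytes, hop_keys) -> list:
    """Forward through guard -> middle -> exit; each relay knows only its own
    key. Returns what each relay holds after stripping its layer."""
    seen = []
    for key in hop_keys:
        cell = xor_layer(key, cell)
        seen.append(cell)
    return seen


def who_sees_plaintext(use_tls: bool) -> dict:
    """Run one cell through the circuit, with or without a TLS-like end-to-end
    layer applied before the onion layers, and report who can read it."""
    payload = xor_layer(E2E_KEY, PLAINTEXT) if use_tls else PLAINTEXT
    seen = relay_circuit(client_wrap(payload, HOP_KEYS), HOP_KEYS)
    exit_output = seen[2]  # what leaves the exit toward the destination
    destination = xor_layer(E2E_KEY, exit_output) if use_tls else exit_output
    return {
        "guard": seen[0] == PLAINTEXT,
        "middle": seen[1] == PLAINTEXT,
        "exit": exit_output == PLAINTEXT,
        "destination_recovers": destination == PLAINTEXT,
    }


if __name__ == "__main__":
    print("plain HTTP over Tor:", who_sees_plaintext(False))
    print("HTTPS over Tor:     ", who_sees_plaintext(True))
```

Without the end-to-end layer the exit relay, and everything between it and the destination, holds the request in the clear; with it, every relay sees only ciphertext and only the destination recovers the request. XOR layers commute, as do Tor's AES-CTR layers, so what keeps the guard and middle from reading the cell is not the order of the layers but the fact that each holds only its own key.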

If you want to watch YouTube with JavaScript disabled, use invidio.us.
also invidio has an onion link
kgg2m7yk5aybusll.onion/

YOUTUBE ON ONION BITCHES

its good if you are really paranoid and think that the cianiggers have a way to see the traffic that goes to the service. tho you have to use self signed certs then not something thats signed by someone else

Wouldn't streaming load abuse the TOR network?

It's not always three nodes and if all nodes are owned by the same entity then it can see the entire path and doesn't have to do any size-based guessing.


>>DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
What are you guys talking about?

Your shitty cloudflare encumbered website says:
LOL. You're retarded.

Also there are browser extensions that show a warning when a website's certificate changed so that can help detect MITM attacks or hijacked v2 onion addresses even with selfsigned ssl certs. Including on Tor.

It's 720p 60fps, I doubt it's much, like 400 kbit.

30 fps*
It's in webm format.

Reminder that if you intend to watch the entire episode it's usually better to youtube-dl it.
It supports Tor too, and if you download into a tmpfs it doesn't wear down your hard drive.

And if it contains some rare shit that you want to save from censorship, you won't have to redownload the data, putting unnecessary strain on Tor.
Video streaming creates a shitton of traffic.
#!/bin/sh
youtube-dl --proxy socks5://127.0.0.1:9050/ --hls-prefer-native "$@"

s/episode/video/

ANYONE can produce a valid cert

valid = accepted by browsers

Having those annoying warnings for self-signed certs is just another jewish trick. It's not like any normie ever checks if the cert is really right, and there's rarely any way to do that because no one gives out the information that's needed for it.

HAPAS ARE SUPERIOR TO WHITES

It pisses me off to no end when idiots like you pretend to know what they're talking about in Zig Forums. If you don't know, it's fine, but don't go pretending you do and spread false information, just shut the fuck up.

OP was talking about hidden services (hence ".onion URLs"), what you described was merely using Tor as a proxy to the clearnet, hidden services do not work like that.

HAPAS ARE SUPERIOR TO WHITES

Yikes. Where did all this misogyny come from?

I love Donald Trump! Heil Israel MIGA 2020!!!

Where are all these shills coming from?

Whatcha sliding mordecai?

I don't know what I'm talking about but
HAPAS ARE INFERIOR TO WHITES

Fuck off moshe.

Looks like some Soros-funded controlled opposition to me.

LOL, I wish I thought of doing that!

DAILY REMINDER THAT THE MODS ARE COMPROMISED MOSSAD/CIA SHILLS

I smell rats.