On 3 April 2017 at 16:59, Ian Goldberg iang@cs.uwaterloo.ca wrote:
How about this, though: I know that Tor doesn't want to be in the business
of site reputation, but what if (eg) Protonmail offers a Onion "Safe Browsing" extension some day, of known-bad Onions for malware reasons?
That's a quite good motivating example, thanks!
#Yay; I'm also thinking of other plugins (in the cleartext world, HTTPSEverywhere is the best example) which provide value to the user by mechanically mutating URIs which match some canonical DNS domain name; because Onion addresses are more like Layer-2 addresses*, development of similar plugins benefits greatly from enforced "canonicality" (sp?) than is necessary for equally-functional DNS equivalents; there is no means to "group" three disparate Onion addresses together just-because they are all owned by (say: Facebook), and if each address has 8 possible representations then that's 24 rules to match against...
There's quite a gulf between stripping hyphens from a candidate onion
address and doing strcmp(), versus either drilling into the candidate address to compute the alternative forms to check against the blacklist,
or
even requiring the blacklist to be 8x larger?
Yes, that's true. I'm definitely in favour of the "multiply by L (the order of the group) and check that you get the identity element; error with 'malformed address' if you don't" to get rid of the torsion point problem.
I heard that and AMS and it sounds a fabulous idea, although I am still too much of an EC noob to appreciate it fully. :-)
If the daily descriptor uploaded to the point
Hash(onionaddr, dailyrand) contained Hash(onionaddr, dailyrand) *in* it (and is signed by the master onion privkey, of course), then tor could/should check that it reached that location through the "right" onion address.
That sounds great, and I think it sounds an appropriate response, but again I am a Prop224 and EC noob. :-)
I would like, for two paragraph, to go entirely off-piste and ask a possibly irrelevant and probably wrong-headed question:
/* BEGIN PROBABLY WRONG SECTION */ I view Onions as Layer-2 addresses, and one popular attack on Ethernet Layer 2 is ARP-spoofing. Imagine $STATE_ACTOR exfiltrates the private key material from $ONIONSITE and wants to silently and partially MITM the existing site without wholesale owning or tampering with it. Can they make any benefit from multiple ("hardware MAC-address") keys colliding to one address? Is there any greater benefit to $STATE_ACTOR from this than (say) publishing lots of fake/extra introduction points for $ONIONSITE and using those to interpose themselves into communications? /* END PROBABLY WRONG SECTION */
I'm afraid the details of what's in that daily descriptor are not in my
brain at the moment. Does it contain its own (daily blinded) name under the signature?
<punt/> George?
-a
-- * Layer-2 analogy: https://twitter.com/AlecMuffett/status/802161730591793152