Vote on SSL certificates for .onion (Tor network)

The question of SSL certificates for .onion names has been put to a vote at the CA/Browser Forum: "Ballot 144 – Validation rules for .onion names".

Some of the time limits differ from those for ordinary SSL certificates:

CAs MUST NOT issue a Certificate that includes a Domain Name where .onion is in the right-most label of the Domain Name with a validity period longer than 15 months. Despite Section 9.2.1 of the Baseline Requirements deprecating the use of Internal Names, a CA MAY issue a Certificate containing an .onion name with an expiration date later than 1 November 2015 after (and only if) .onion is officially recognized by the IESG as a reserved TLD.

And:

On or before May 1, 2015, each CA MUST revoke all Certificates issued with the Subject Alternative Name extension or Common Name field that includes a Domain Name where .onion is in the right-most label of the Domain Name unless the Certificate was issued in compliance with this Appendix F.

Let's see once the vote is over...

DigiCert considering issuing SSL certificates for .onion

When Facebook launched its Tor hidden service a while ago it also served an SSL certificate, and that certificate was signed by DigiCert: "Supporting the Anonymous Use of Facebook via Tor".

DigiCert now intends to let the general public apply for .onion SSL certificates: "DigiCert Considering Certs for Hidden Services".

Beyond being technically unusual, this is worth discussing from a political angle as well: DigiCert is recognizing .onion as a TLD.

Search engines (Google, DuckDuckGo and the like) starting to crawl .onion content is probably only a matter of time?

Facebook proves Tor hidden services are insecure

Facebook announced the Tor hidden service https://facebookcorewwwi.onion/: "Making Connections to Facebook more Secure", letting people reach Facebook from inside the Tor network.

Facebook got this address the same way everyone else gets a vanity address: by brute force, generating RSA keys until the derived .onion name started with the wanted characters. Note what was brute forced. A v2 .onion name is 16 base32 characters, the first 80 bits of the SHA-1 of the service's RSA-1024 public key, so matching the 8-character prefix "facebook" costs about 32^8 = 2^40 key generations, which is feasible on commodity hardware; the remaining "corewwwi" came from whichever matching keys happened to turn up. Nobody broke an RSA key, and matching all 16 characters would cost 2^80.

But this also directly proves that Tor hidden services are insecure (see this comment):

If Facebook has the resources to brute force their own full key, then you better believe the NSA and GCHQ do too. Which means that you will no longer know if the hidden service you're connecting to is the real one or the NSA/GCHQ version. Tor hidden services are now dead.

This one is just too good XDDD

As an added illustration (example code written for this page, not code from the original post or from Facebook), here is how a v2 .onion name is derived from an RSA public key and what a prefix search of the kind described above looks like. The derivation itself (SHA-1 over the DER-encoded PKCS#1 RSAPublicKey, first 80 bits, base32) is the documented v2 scheme; the key source in the block is an assumption: instead of generating real RSA keys it walks through successive odd 1024-bit moduli with e = 65537, so the loop runs offline and deterministically. A real search swaps in an RSA-1024 key generator and keeps the private key of the match.

```python
import base64
import hashlib

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a value whose top bit is set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(content)) + content


def onion_v2_address(n: int, e: int) -> str:
    """v2 .onion name: first 80 bits of SHA-1 over the DER RSAPublicKey, base32, lowercased."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_tries(prefix: str) -> int:
    """A fresh key yields an effectively random 80-bit address, so a k-character
    prefix matches about one key in 32**k ("facebook" -> 2**40)."""
    if any(c not in BASE32_ALPHABET for c in prefix):
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    return 32 ** len(prefix)


def vanity_search(prefix: str, keygen, max_tries: int):
    """Draw keys from keygen() until the address starts with prefix.
    Returns (address, n, e, tries) or None if max_tries is exhausted."""
    expected_tries(prefix)  # validates the prefix characters
    for tries in range(1, max_tries + 1):
        n, e = keygen()
        address = onion_v2_address(n, e)
        if address.startswith(prefix):
            return address, n, e, tries
    return None


def make_fake_keygen(start: int = (1 << 1023) | 1):
    """Stand-in key source (an assumption of this example, not real key generation):
    a real search calls an RSA-1024 generator each time; this just walks through odd
    1024-bit moduli with e = 65537 so the loop runs offline and deterministically."""
    state = {"n": start}

    def keygen():
        state["n"] += 2
        return state["n"], 65537

    return keygen


if __name__ == "__main__":
    print("expected keys for prefix 'facebook':", expected_tries("facebook"))
    found = vanity_search("ab", make_fake_keygen(), max_tries=200_000)
    print("2-character prefix found after", found[3], "keys:", found[0])
```

A two-character prefix turns up after about 1,024 keys on average; every additional character multiplies the work by 32, which is why eight characters cost roughly 2^40 key generations while all sixteen would cost 2^80. The search only ever compares the public-key-derived name, so it says nothing about the strength of the key itself.
<test>
assert der_rsa_public_key(3233, 17) == bytes.fromhex("300702020ca1020111")
assert expected_tries("facebook") == 2 ** 40
assert expected_tries("ab") == 1024
addr = onion_v2_address((1 << 1023) | 1, 65537)
assert len(addr) == 16 and set(addr) <= set(BASE32_ALPHABET)
assert onion_v2_address(3233, 17) == onion_v2_address(3233, 17)
assert onion_v2_address(3233, 17) != onion_v2_address(3235, 17)
found = vanity_search("ab", make_fake_keygen(), max_tries=200_000)
assert found is not None and found[0].startswith("ab") and 1 <= found[3] <= 200_000
assert vanity_search("zz", make_fake_keygen(), max_tries=0) is None
try:
    expected_tries("face1")
    assert False, "digit 1 is not in the base32 alphabet"
except ValueError:
    pass
</test>

Tor browsers on mobile platforms

"The problem behind mobile TOR browsers' ip disclosure" tested four mobile Tor browsers, three on Android and one on iOS.

Of the four, only Onion Browser on iOS (USD 0.99) could, after changing its settings, meet the minimum bar of "hiding the real IP".

The author's advice is not to expect too much from mobile platforms; hiding the real IP is only one piece of the puzzle...