Isn't SSL on .onion domains redundant? It makes sense for onion -> open web, but shouldn't onion -> onion connections be already both authenticated and encrypted?
I'm not too knowledgeable about Tor, but I'd imagine there's a benefit to well-known CAs issuing certificates that are trusted by existing browser infrastructure. As far as I gather, Tor authentication merely verifies that the owner of the server you're connecting to also has ownership over the .onion domain, not necessarily that that owner is who they say they are.
Granted, I'm not sure the HTTPS cert infrastructure guarantees that either. I'd love to be more informed about this.
Regular certs are Domain Validated, meaning the CA only verified that you do, in fact, own the domain in question.
EV (Extended Validation) certificates actually require the CA to verify that you are who you claim to be. This is mostly used by banks and payment processors, as it costs more money. Most browsers will identify an EV cert by turning the URL bar green, and/or displaying the name of whoever owns the cert.
I think you're right. But I also think this is more important, symbolically. This gives .onion a status which prevents outbacksteakhouse.onion from being plausible, and ensures that "Any domain ending in .onion needs to be routed to Tor" is consistently true.
Somewhat. However there are some marginal benefits such as SSL supporting stronger encryption than what Tor provides, availability of extended validation and the browser being aware of the encryption (secure cookies, same-origin policy, etc.).
I asked the same question and the answer is yes. However, I recalled that hidden services use 1024-bit RSA keys and there's been some question lately as to whether that's enough bits. For some sites/hidden services, (at least) a 2048-bit key may be desired.
I believe the exit node may still be able to view traffic in plaintext. This is part of the reason that running an exit node is so "dangerous" in the US.
edit: Though with a quick Google, I'm led to believe that an exit node is only important when you are leaving the onion network (i.e. when entering into the Internet), and thus it sounds like SSL on a hidden service would indeed be superfluous to me.
However, SSL also proves authenticity, not just encryption. It would let you know that the hidden service you are accessing is indeed who you think it is.
However, SSL also proves authenticity, not just encryption. It would let you know that the hidden service you are accessing is indeed who you think it is.
So do .onion addresses; they are a hash of the key pair you get when you generate a new one, and the client verifies that the server it's connecting to does in fact control the associated private key.
By abdicating readable domains, the Tor hidden services system eliminates the need for external authentication mechanisms like CAs; the address is all you need.
Assuming a .onion's key were to be bruteforced or stolen however, you would also need to steal the SSL private key in order to continue to appear authentic.
I'm not saying Tor doesn't cover authenticity, but that SSL provides an additional authenticity check on top of that.
edit: On the topic of bruteforcing, the linked Stack Overflow post leads me to believe it's not terribly infeasible.
Additionally, stealing the .onion's key would likely expose the SSL private key as well (as you'd likely have access to the server at that point), unless the .onion's key is exposed due to misconfiguration or another form of human error.
I also think, lastly, that the point about the browser understanding it's dealing with a secure connection and enforcing general browser SSL rules has merit.
So a million cores still takes years. What would you consider infeasible, may I ask?
Also, you're wrong about bruteforcing the domain implying you can decrypt if not for ssl. If you bruteforce (for millions or billions), you won't get the same key. You'll get a key that shares the first 80 bits of its hash with the other key used. So you can use it to mitm or impersonate the site, but you can't use it passively to decrypt connections to the onion.
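An added example, not part of any comment in this thread: how a v2-style .onion address (base32 of the first 80 bits of the SHA-1 of the service's public key) binds the name to a key, and why matching a truncated hash yields a different key rather than the original one. The key bytes are constructed stand-ins for a DER-encoded RSA public key, the function names are hypothetical, and the search runs at a toy 16 bits.

```python
import base64
import hashlib
import hmac
import itertools

ADDRESS_BITS = 80  # v2 onion names keep only the first 80 bits of the digest

# Constructed stand-in for a service's DER-encoded public key (not a real key).
SAMPLE_KEY = b"constructed-stand-in-for-DER-encoded-RSA-public-key"


def key_fingerprint(pubkey_der: bytes, bits: int = ADDRESS_BITS) -> bytes:
    """First `bits` bits of SHA-1 over the public key bytes."""
    if bits % 8 or not 0 < bits <= 160:
        raise ValueError("bits must be a multiple of 8 between 8 and 160")
    return hashlib.sha1(pubkey_der).digest()[: bits // 8]


def onion_address(pubkey_der: bytes) -> str:
    """16 base32 characters (80 bits) followed by .onion."""
    label = base64.b32encode(key_fingerprint(pubkey_der)).decode("ascii")
    return label.lower() + ".onion"


def key_matches_address(address: str, presented_key_der: bytes) -> bool:
    """Client-side check: does the key the server presents hash to this name?"""
    return hmac.compare_digest(onion_address(presented_key_der), address.lower())


def find_prefix_match(target_key: bytes, bits: int):
    """Toy search over constructed byte strings for a different 'key' whose
    fingerprint agrees with the target in the first `bits` bits. Expected work
    is about 2**bits hashes, so each extra bit doubles the cost."""
    want = key_fingerprint(target_key, bits)
    for tries in itertools.count(1):
        candidate = b"constructed-other-key-%d" % tries
        if key_fingerprint(candidate, bits) == want:
            return candidate, tries


if __name__ == "__main__":
    addr = onion_address(SAMPLE_KEY)
    print("address:", addr)
    print("genuine key accepted:", key_matches_address(addr, SAMPLE_KEY))
    other, tries = find_prefix_match(SAMPLE_KEY, 16)
    print("16-bit match after", tries, "hashes; it is a different key:", other != SAMPLE_KEY)
    print("accepted at full 80 bits:", key_matches_address(addr, other))
```

A match on the truncated hash produces a second, unrelated key, so the holder of that key still knows nothing about the original private key.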
That's onion -> web. If you are connecting to an onion address, your packets do not enter the plain text internet. Unless you are using some sort of "enter node".