by icebraining
3892 days ago
However, SSL also proves authenticity, not just encryption. It would let you know that the hidden service you are accessing is indeed who you think it is. So do .onion addresses; they are a hash of the key pair you get when you generate a new one, and the client verifies that the server it's connecting to does in fact control the associated private key. By abdicating readable domains, the Tor hidden services system eliminates the need for external authentication mechanisms like CAs; the address is all you need. https://www.torproject.org/docs/hidden-services.html.en
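Added example, not part of the thread or of Tor's code: the address-to-key binding described in the comment above, using the v2 rule in use when this thread was written (base32 of the first 80 bits of the SHA-1 of the service's DER-encoded RSA public key). The key blobs are constructed stand-ins shaped like a 1024-bit key, the function names are hypothetical, and the server's proof that it holds the private key is not shown.

```python
import base64
import binascii
import hashlib
import hmac


def onion_v2_address(pubkey_der: bytes) -> str:
    """Derive the address: SHA-1 the DER key, keep 80 bits, base32-encode."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def key_matches_address(address: str, presented_key_der: bytes) -> bool:
    """Client-side check: does the presented key hash to the address requested?"""
    addr = address.strip().lower()
    if not addr.endswith(".onion"):
        return False
    label = addr[: -len(".onion")]
    if len(label) != 16:  # 16 base32 characters carry exactly 80 bits
        return False
    try:
        expected = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return False
    actual = hashlib.sha1(presented_key_der).digest()[:10]
    return hmac.compare_digest(expected, actual)


def constructed_key_blob(seed: bytes) -> bytes:
    """Constructed stand-in with the DER layout of an RSA-1024 public key.
    The modulus is filler, not a usable key; only the bytes matter to the hash."""
    filler = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(4))
    modulus = bytes([filler[0] | 0x80]) + filler[1:]
    return b"\x30\x81\x89\x02\x81\x81\x00" + modulus + b"\x02\x03\x01\x00\x01"


SERVICE_KEY = constructed_key_blob(b"service")    # constructed sample
OTHER_KEY = constructed_key_blob(b"someone-else")  # constructed sample

if __name__ == "__main__":
    address = onion_v2_address(SERVICE_KEY)
    print(address)
    print("genuine key accepted:", key_matches_address(address, SERVICE_KEY))
    print("different key accepted:", key_matches_address(address, OTHER_KEY))
```

Because the label holds only 80 bits of a SHA-1 digest, the strength of this binding is bounded by that truncation, which is the margin the brute-force discussion in the reply is about.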
I'm not saying Tor doesn't cover authenticity, but that SSL provides an additional authenticity check on top of that.
edit: On the topic of bruteforcing, the linked Stack Overflow post leads me to believe it's not terribly infeasible.
Additionally, stealing the .onion's key would likely expose the SSL private key as well (as you'd likely have access to the server at that point), unless the .onion's key is exposed due to misconfiguration or another form of human error.
I also think, lastly, that the point about the browser understanding it's dealing with a secure connection and enforcing general browser SSL rules has merit.
edit 2: Forgot the link - https://security.stackexchange.com/questions/29772/how-do-yo...