16:45 - 17:05, Day 2
Self-Authenticating TLS Certificates for Tor Onion Services
TLS (the security layer behind HTTPS) and Tor onion services (anonymously hosted TCP services) are both excellent protocols. Wouldn't it be nice if we could use them together? In this talk, I'll cover a working implementation of combining TLS with onion services, without compromising on the security properties that each provides.
Speaker: Jeremy Rand
Topics to be covered include:
- Why would you want to combine TLS with onion services? Why isn't onion service encryption good enough?
- Why isn't unauthenticated TLS (e.g. self-signed certificates) good enough for onion services?
- How can we authenticate a TLS certificate for a .onion domain without relying on public CAs like Let's Encrypt or any other trusted third parties? (No, we're not using a blockchain.)
- How can we teach standard (unmodified) web browsers like Firefox to apply different certificate validation logic for .onion certificates?
- How can we teach standard (unmodified) web browsers like Firefox to validate certificates using typically-unsupported elliptic curves like Ed25519 (which Tor uses)?
- How is teaching standard (unmodified) web browsers like Firefox to validate .onion certificates similar to Namecoin .bit certificates? How is it different?