
Although there's a risk to using onion directories, since you have to trust that the hash they give you for the New York Times, for example, is actually the real hash. It's easier to spoof onion hashes than domain names since domain names are more well known. You'd hopefully catch that you're connecting to nytim3s.com, not so much nytimes3xbfgra3h.onion.



EV certs can help with this to some extent. For example, the New York Times is using an EV cert with the organization name "The New York Times Company" for their hidden service. So as long as you trust the CA system, you can be certain that you're talking to a server operated by The New York Times, and not just a copycat.


Yes, but EV isn't that common on Tor. How would I distinguish Dread Pirate Roberts' Silk Road from FBI's Silk Road in a Tor online directory?


Well, obviously EV is less useful [0] for services where the host’s anonymity is a key part of the reason the server is on Tor.

But for services on Tor that are fine with being identified but who wish their users to be opaque to third parties it seems to have some value.

[0] without a radically different CA infrastructure which has no chance of getting preloaded into browsers.



