
/tech/ - Technology


File: 1541062538931.jpg (28.13 KB, 410x461)


 No.1032594>>1032618 >>1032636 >>1032706 >>1033951 >>1034001 >>1041006 >>1051507

DuckDuckGo as an example: https://3g2upl4pq6kufc4m.onion/

What is the impact of using TLS on an .onion URL like this? Is it redundant? And/or is it counterproductive?

 No.1032599>>1032602 >>1033166

>DuckDuckGo

>the ultimate jewscript inventor search engine made to datamine you

Why would you use that?

>Is it redundant?

No.

>And/or is it counterproductive?

>encryption

>counterproductive

>ever

Hack, no.


 No.1032602

>>1032599

It's not that encryption is counterproductive, but rather that Tor domains (.onion) are already encrypted by default within the Tor network itself. What is the benefit of HTTPS in this case? EV certificates are a sham so that can't be it.


 No.1032618>>1032673

>>1032594 (OP) There is no need to get a TLS certificate when it comes to .onion addresses because Tor already encrypts your packets.


 No.1032636>>1032642 >>1032657 >>1032705 >>1032706 >>1046863 >>1052678

>>1032594 (OP)

>point of encrypting a packet

Because of how Tor works, like an onion https://archive.fo/yLEap , the packets are in plaintext (or however you sent them) at the final exit node.

It goes

>you - unencrypted by tor

>tor node1 - encrypted by tor

>tor node2 - encrypted by tor

>tor node3 - decrypted by tor

>destination - unencrypted by tor

So by adding TLS to the mix your plaintext at node3 and between node3 and the destination becomes encrypted. Otherwise a rogue exit node could collect all your information or modify it as it travels between you and your destination, using hidden services or non-hidden services. So it is an OK way to ensure that exit node 3 doesn't get at your plaintext. The only problem is that using TLS/SSL is shit because you trust a third party to assure the encryption. Something like SSH would be better for encrypting the packets, as then you get access to the whole standard openssl/libre/etc library for encryption and whatnot, along with not having a third party that can decrypt the packets. The only people decrypting it are your destination and yourself, ideally. There's a whole slew of other problems to account for but this is the gist of why to encrypt.

It's like a VPN: your traffic to the VPN is encrypted, but when it arrives the VPN sends it to your destination and sees the packets, encrypted by you or not, before sending them on to the destination. If you used HTTP, everything between the VPN and the destination can see the HTTP traffic, including the VPN, which decrypted it when you sent it using the VPN client. Just like with Tor.
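
Added example, written for this page and not taken from any poster in the thread: a Python model of the layering described above. A toy HMAC-based stream cipher stands in for Tor's AES-CTR and the per-hop session keys are constructed, not negotiated. It walks a three-hop circuit and records what each relay can see, first with a plain HTTP request (the exit forwards it in the clear) and then with the request wrapped under an end-to-end key the exit does not hold, which is what TLS gives you on the clearnet and what the rendezvous circuit gives you for a hidden service.

```python
import hashlib
import hmac

HDR = 32  # fixed-width next-hop field: every layer strips exactly this much


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream.

    Toy cipher for illustration only (Tor relays use AES-CTR). XOR is its
    own inverse, so the same call both encrypts and decrypts.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def wrap_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: build the onion for a circuit of (relay_name, session_key).

    The innermost layer (for the exit) names the real destination; every
    outer layer names only the next relay. Wrapping runs exit-first so the
    guard's layer ends up outermost and is the first one peeled.
    """
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    cell = payload
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        cell = toy_stream_cipher(key, nxt.encode().ljust(HDR, b"\0") + cell)
    return cell


def relay_peel(key: bytes, cell: bytes):
    """One relay's work: strip its own layer, learn the next hop, forward the rest."""
    plain = toy_stream_cipher(key, cell)
    return plain[:HDR].rstrip(b"\0").decode(), plain[HDR:]


def trace_circuit(circuit, destination: str, payload: bytes):
    """Return [(relay, next_hop, bytes_that_relay_forwards)] for each hop in order."""
    cell = wrap_onion(circuit, destination, payload)
    trace = []
    for name, key in circuit:
        nxt, cell = relay_peel(key, cell)
        trace.append((name, nxt, cell))
    return trace


def build_circuit(names):
    """Constructed, deterministic per-hop session keys (real Tor negotiates them)."""
    return [(n, hashlib.sha256(b"session-key:" + n.encode()).digest()) for n in names]


if __name__ == "__main__":
    circuit = build_circuit(["guard", "middle", "exit"])
    request = b"GET /?q=ip HTTP/1.1\r\nHost: duckduckgo.com\r\n\r\n"
    # Plain HTTP: the exit forwards the request in the clear.
    for relay, nxt, fwd in trace_circuit(circuit, "duckduckgo.com", request):
        print(f"{relay:6} -> {nxt:15} forwards plaintext: {request in fwd}")
    # HTTPS / hidden-service case: an end-to-end key the exit does not hold.
    e2e_key = hashlib.sha256(b"constructed tls-or-rendezvous key").digest()
    for relay, nxt, fwd in trace_circuit(circuit, "duckduckgo.com",
                                         toy_stream_cipher(e2e_key, request)):
        print(f"{relay:6} -> {nxt:15} forwards plaintext: {request in fwd}")
```

Each relay learns only its predecessor and the name in its own header; with the inner key applied, the exit still learns the destination but forwards only ciphertext, which is the whole argument for TLS on the exit-to-clearnet leg.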


 No.1032642>>1033682 >>1033688

>>1032636

That archive.fo URL has a bad cert, but, even after accepting it, it returns HTTP status code 403.


 No.1032657>>1032659 >>1032686 >>1034804 >>1046962

>>1032636

Why can a Tor exit node decrypt data, but not the entry node?

2013-05-28

Me -> Node A -> Node B -> Node C -> destination

https://security.stackexchange.com/questions/36571/why-can-a-tor-exit-node-decrypt-data-but-not-the-entry-node


 No.1032659

>>1032657

It does. Read more about how onion routing works.


 No.1032673>>1051533

>>1032618

maybe they don't trust the encryption. seems like only big companies like facebook can get valid certs tho


 No.1032686>>1041007

>>1032657

>exit node

>.onion address


 No.1032705>>1041007

>>1032636

He's asking about a hidden service, brainlet.


 No.1032706>>1033055 >>1033170

>>1032594 (OP)

.onion addresses can't provide authenticity. If your private key is stolen, you have to generate a new .onion address and somehow tell the people to not use the old one.

X.509 certificates (TLS certificates) are revocable and can be chained. The issuer can store the private keys offline on cold storage, and can notify you if something went wrong.

>>1032636

Don't spread false information please. There is no exit node. OP asked explicitly about .onion URLs.


 No.1032717>>1032762 >>1033090 >>1033651

What is the point of using Tor in the current year when the NSA controls most nodes and can see what you are connecting to?


 No.1032762>>1032859

>>1032717

free DNS, crypto, hiding of your IP from 666 Gb/s upnp floods, and SEO pessimization.


 No.1032859>>1033107

>>1032762

and free CP


 No.1033055>>1033146 >>1033151

>>1032706

Me <-> node A <-> node B <-> node C <-> node Z <-> node Y <-> node X <-> hidden web server

Communication between me and node C is encrypted. And communication between the hidden web server and node Z is encrypted. But isn't the communication between node C and node Z encrypted? Because Tor encrypts my packet three times using node A, B and C's public keys and decrypts it when it arrives at each node. So when it arrives at node C, it will be decrypted entirely by node C's private key. And node C transfers my packet to node Z without encryption, right?


 No.1033090

>>1032717

Nice to see the blackpill shills back now that the government shutdown is over. How's the weather in the D.C. area today?


 No.1033107>>1033227

>>1032859

>hurr durr tor is for CP

>>>/reddit/


 No.1033146>>1033152

>>1033055 Between the node C and node Z, there might not be encryption.


 No.1033151>>1033277

>>1033055

You are either confusing the data encryption with the routing path encryption or making the mistake of applying the clearnet drawings to this case.

Point 0.2 in the spec https://gitweb.torproject.org/torspec.git/tree/rend-spec-v2.txt describes how the connections are made. When the connections are ready, the data is always encrypted end-to-end. The .onion address itself is derived from the server's public key.

When the traffic arrives at node C, the only thing that will be decrypted entirely by node C's private key is encrypted by B and says: "Hey C, I have some <encrypted traffic> for you, send it to Z please."


 No.1033152

>>1033146

False!

Connection between 2 relays is always encrypted.


 No.1033166

https://3g2upl4pq6kufc4m.onion/?q=ip&ia=answer

https://duckduckgo.com/?q=ip&ia=answer

>Your IP address is unavailable.

How did Tor achieve this?

>>1032599

It's the default Tor Browser search engine.


 No.1033170>>1033171 >>1033209

File: 1526319758298.jpg (196.04 KB, 1059x1324)

>>1032706

Thanks for the explanation. However, isn't the X.509 certificate trading off better security for slightly worse privacy? After all, the point of Tor is to guarantee anonymity.


 No.1033171>>1033392 >>1033686

File: tfwnogf.jpg (40.19 KB, 800x800)

>>1033170

shes so cute


 No.1033209>>1033213

>>1033170

You can be your own certificate authority, set the OCSP url to another .onion domain...

Tor doesn't guarantee anything, the anonymity Tor provides is probabilistic. It is based on the amount of well behaving nodes and the number of Tor users.


 No.1033213

>>1033209

>and the amount of tor users

Not even that, as if everyone was a Tor user then everyone's traffic would get decrypted at the third hop to be sent onward, and in the hop from the third node of each side of the traffic the data could be copied. Tor just makes it harder to sort all the data, as you get duplicates at multiple locations that have more encryption applied.


 No.1033227

>>1033107

Are you recommending you should instead grab it from the clearweb?


 No.1033277

>>1033151 So a .onion address doesn't need a TLS certificate (HTTPS), because between you and the hidden server all the traffic is encrypted.


 No.1033392>>1033686

>>1033171

that is 100% thot material and you are ruining this board with your beta retardation.


 No.1033651>>1033678

>>1032717

SHOW PROOF NEGRO. THEN TALK. MOTHERFUCK.


 No.1033678

>>1033651 I also wanna rape my mom!


 No.1033682

>>1032642

congrats, you just got owned


 No.1033686

>>1033392

Maybe >>1033171 is of the same race as her.

Instead just tell him to kill himself next time.


 No.1033688>>1033739

>>1032642

Certs have a time frame in which they're valid.

Are you sure it's not just your PC clock that's wrongly configured, retard?


 No.1033691>>1033745

The traffic between a hidden service and a client is end-to-end encrypted. The client validates the encryption handshake by the hidden service's .onion address, which is a hashed and then shortened form of the hidden service's private key.

Version 3 hidden services are more private and secure than v2 ones as a result of upgraded encryption algorithms and changing how they announce themselves to hidden service directory servers (HSDirs). Some websites may mix clearnet and .onion connections (8chan for example), therefore nullifying any privacy and security advantage their hidden service might offer.

For comparison, here are cock.li's hidden service addresses:

version 2: http://cockmailwwfvrtqj.onion/

version 3: http://xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion/
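
Added example, not part of the post above or of the Tor code base: the address formats behind the two cock.li links, in Python standard library only. A v3 address is base32 over the 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte (rend-spec-v3 section 6), so a client can check it offline and recover the key it will authenticate the handshake against; a v2 address is the first 80 bits of SHA-1 over the DER-encoded RSA-1024 key with no checksum, so there is nothing to verify. The "public keys" fed in below are constructed byte strings, not real keys.

```python
import base64
import hashlib
import hmac
import re

V3_VERSION = b"\x03"
V2_SHAPE = re.compile(r"^[a-z2-7]{16}\.onion$")


def _v3_checksum(pubkey: bytes, version: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """v3 address = base32(pubkey || checksum || version), lowercased, 56 chars."""
    if len(pubkey) != 32:
        raise ValueError("v3 identity key is a 32-byte ed25519 public key")
    raw = pubkey + _v3_checksum(pubkey, V3_VERSION) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(addr: str):
    """Return the public key embedded in a v3 address, or None if the address is
    malformed, carries an unknown version byte, or fails its checksum."""
    label = addr.strip().lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56 or not re.fullmatch(r"[a-z2-7]+", label):
        return None
    raw = base64.b32decode(label.upper())          # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        return None
    if not hmac.compare_digest(checksum, _v3_checksum(pubkey, version)):
        return None
    return pubkey


def onion_v2_from_der(rsa1024_pubkey_der: bytes) -> str:
    """v2 address = base32(SHA1(DER(RSA public key))[:10]); truncated hash, no checksum."""
    digest = hashlib.sha1(rsa1024_pubkey_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def looks_like_v2(addr: str) -> bool:
    """Shape check only: a v2 address carries nothing a client can verify offline."""
    return V2_SHAPE.match(addr.strip().lower()) is not None


if __name__ == "__main__":
    # Constructed stand-in for an ed25519 public key (not a valid curve point).
    pubkey = hashlib.sha256(b"constructed stand-in for an ed25519 public key").digest()
    addr = onion_v3_from_pubkey(pubkey)
    print(addr, parse_onion_v3(addr) == pubkey)
    print(parse_onion_v3(addr[:-7] + "a.onion"))   # version byte altered -> None
    print(onion_v2_from_der(b"constructed stand-in for a DER-encoded RSA key"))
```

Every v3 address ends in "d" because the version byte 0x03 lands in the last base32 symbol; feed the two cock.li addresses above to looks_like_v2 and parse_onion_v3 to see the difference in what a client can check.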


 No.1033739>>1033744

>>1033688

There's no need to insult and my system's clock is fine.

Firefox complains that the cert does not apply to the archive.fo domain (SSL_ERROR_BAD_CERT_DOMAIN), only for specific unrelated domains (ssl503537.cloudflaressl.com, *.digitalocean.com, digitalocean.com).

The HTTP status code 403 is returned by the Cloudflare server used by archive.fo.


 No.1033744>>1033852

>>1033739 If you set your DNS to 1.1.1.1 (Cloudflare), you will get errors. 8.8.8.8 (Google) or anything else is okay.

archive.is (archive.fo) has problem with 1.1.1.1 DNS.


 No.1033745


 No.1033852

>>1033744

So that site MUST move to CloudDNS, a cuckflare alternative.


 No.1033951>>1033979

>>1032594 (OP)

One possible argument unmentioned so far is defense in depth.

If Tor was compromised, at least there is one more layer of encryption between you and the server. One more layer of shit for an adversary recording all traffic for later decryption to deal with, one more thorn that might just keep you out of trouble for longer.

Likewise, for TLS in HTTPS.

But significantly more useful for browsing clearnet through Tor than onion sites on Tor.


 No.1033979>>1034199 >>1034233

>>1033951

Similar to how virtual machines were supposed to protect us from exploits of nation-state origin? We all saw how that went. Putting yet another layer of abstraction on top protects no one. It won't matter how many proxies you are behind or how many TLS tunnels you wrap around your traffic when the public key encryption algorithms that ensure safe data transit between nodes get compromised.

All we need is a new public key encryption algorithm that can withstand quantum cryptanalysis.


 No.1034001>>1034543

>>1032594 (OP)

From a security standpoint it doesn't give you better traffic encryption or anything, but what it can do is help prove that the onion URL you are using is actually duckduckgo and not a rogue actor pretending to be duckduckgo.

For onion-only sites this isn't beneficial.


 No.1034199

>>1033979

you are a naive fool.

the more layers the better.


 No.1034233

>>1033979

Good luck, I'm behind 7 proxies


 No.1034543>>1034545 >>1034708 >>1046903

>>1034001

But the certificate only proves that whoever requested it could provide valid data that says they own the domain. That alone does not tell you much about the legitimacy of the site.

DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/


 No.1034545

>>1034543

>Origin Validation

*Organization Validation


 No.1034708>>1035770

>>1034543 There is no anonymity if I, as a web master, use an EV certificate.


 No.1034804>>1034819

>>1032657

because when you leave the Tor network you are on the clearnet, so at that point you can connect to HTTPS sites just like normal. You just can't connect to .onion sites via SSL because they don't work that way, and because it's redundant anyway: it's already encrypted.


 No.1034819

>>1034804

>You just can't connect to .onion sites via SSL

Yes you can.

>it's redundant anyway

Correct. It only adds security against people bruteforcing a whole entire onion address, which is infeasible. The more likely case of your site getting hijacked is them stealing your private key for the hidden service. If they are able to do that, they are also able to steal the private key for your certificate.


 No.1035770

>>1034708

Every new certificate today is public due to CT.


 No.1041006

>>1032594 (OP)

>TLS

did you mean ssl op?


 No.1041007

>>1032686

>>1032705

can someone explain how a hidden service works? all i know is the standard 5-step flow.


 No.1046343

OpenSSL can come with vulnerabilities but so can Tor so you gotta decide for yourself.

Old Tor encryption was pretty weak; I think they fixed that with the v3 protocol, so imho now using SSL just increases traffic and attack surface for server and client.


 No.1046863>>1046878

I suppose it adds yet another layer of encryption.

Like, your message to an .onion service is already encrypted by itself, and even on the wire/loopback interface there will be only TLS traffic.

>>1032636

It should be noted that your message hits the Tor network encrypted, provided you use your Tor client on localhost or a trusted network. The Tor client communicates with the first node via an encrypted channel.

It wasn't obvious from that post.


 No.1046864>>1046878

>is already encrypted by itself

or rather, BECOMES encrypted by itself with more TLS onto it


 No.1046878>>1046885

>>1046864

>or rather, BECOMES encrypted

no, as >>1046863 said, tor hidden services are end-to-end encrypted.


 No.1046885

>>1046878

All communications within Tor are encrypted.

What I was saying was that you could theoretically have the Tor client not on 127.0.0.1 (as it works like a SOCKS proxy for programs) and communications to THAT would not be encrypted. With an additional TLS layer, though, it would become encrypted regardless. Not that you should rely on it if you don't trust the network you're going to use to reach the Tor client, though. TLS 1.2 leaks SNI and shiet.


 No.1046903>>1051513

>>1034543

>DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

No, they're not even good in theory.


 No.1046962>>1051513

>>1032657

The Tor client encrypts the message 3 times with the private keys of the three nodes it's going to route through. The first node unwraps the first layer of encryption, so it knows who is sending the message but it can't read the message. The second node can only see the first node sending and doesn't know who is sending the message or what the message is. The last node peels off the last layer of encryption and prepares to send it to the clearnet server. It can read the message but doesn't know who it's from. Technically, if all three of the nodes were monitored, or owned by the same entity, the message could be correlated by size.


 No.1051506>>1051508

if you want to watch youtube with javascript disable, use invidio.us

also invidio has an onion link

http://kgg2m7yk5aybusll.onion/

YOUTUBE ON ONION BITCHES


 No.1051507

>>1032594 (OP)

it's good if you are really paranoid and think that the cianiggers have a way to see the traffic that goes to the service, though you have to use self-signed certs then, not something that's signed by someone else.


 No.1051508>>1051515 >>1051516

>>1051506

Wouldn't streaming load abuse the TOR network?


 No.1051513

>>1046962

>if all three of the nodes were monitored, or owned by the same entity the message could be correlated by size.

It's not always three nodes and if all nodes are owned by the same entity then it can see the entire path and doesn't have to do any size-based guessing.

>>1046903

>>DuckDuckGo, Facebook, etc. use an Extended Validation (EV) certificate instead of an Origin Validation (OV) or Domain Validation (DV) one, which are only good in theory: https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

>No, they're not even good in theory.

What are you guys talking about?

Your shitty cloudflare encumbered website says:

>The EV certificate on yell.com was displaying the name of the company that owned them for a long time which is Hibu (UK) Ltd. and not something like Yell (UK) Ltd. as you might expect.

LOL. You're retarded.


 No.1051514

Also there are browser extensions that show a warning when a website's certificate changed, so that can help detect MITM attacks or hijacked v2 onion addresses even with self-signed SSL certs. Including on Tor.


 No.1051515>>1051530

>>1051508

it's 720p 60fps, i doubt it's much, like 400 kbit


 No.1051516>>1051530

>>1051508

30 fps*

it's in webm format


 No.1051530>>1051531

>>1051515

>>1051516

Reminder that if you intend to watch the entire episode it's usually better to youtube-dl it.

It supports Tor too, and if you download into a tmpfs it doesn't wear down your hard drive.

And if it contains some rare shit that you want to save from censorship you won't have to redownload the data, putting unnecessary strain on tor.

Video streaming creates a shitton of traffic.

#!/bin/sh
# Send youtube-dl through the local Tor SOCKS port. "$@" passes arguments through intact; $* would re-split quoted URLs.
youtube-dl --proxy socks5://127.0.0.1:9050/ --hls-prefer-native "$@"


 No.1051531

>>1051530

s/episode/video/


 No.1051533>>1051539

>>1032673

ANYONE can produce a valid cert


 No.1051539>>1051545

>>1051533

valid = accepted by browsers


 No.1051545

>>1051539

having those annoying warnings for self-signed certs is just another jewish trick. it's not like any normie ever checks if the cert is really right, and there's rarely any way to do that because no one gives out the information that's needed for it


 No.1052678

>>1032636

It pisses me off to no end when idiots like you pretend to know what they're talking about in 8chan. If you don't know, it's fine, but don't go pretending you do and spread false information, just shut the fuck up.

OP was talking about hidden services (hence ".onion URLs"), what you described was merely using Tor as a proxy to the clearnet, hidden services do not work like that.




71 replies | 2 images