Silk Road forums
Support => Feature requests => Topic started by: randomattack on July 13, 2011, 11:56 am
-
Any possibility we could have SSL secured Silk Road?
Would remove the possibility of law enforcement having Tor nodes and sniffing data.
-
With hidden services there is no (unencrypted) exit traffic to sniff because there is no exit relay. All traffic remains within the Tor network (and encrypted) until final decryption is done on the hidden service host itself. Ultimately it's up to SR if he/she wants to add SSL/TLS, of course.
-
unnecessary overhead.
-
From what I understand, enabling HTTPS would be a very good idea. Anyone running a Tor relay can log the unencrypted traffic, including passwords. If I'm wrong, could someone please explain why? Isn't this the whole reason the Tor Project highly recommends using HTTPS whenever possible and includes the HTTPS Everywhere plugin with the Tor Browser Bundle? If I am correct then this is a serious issue, and it's not like enabling HTTPS is hard to do.
-
Considering my (albeit limited) knowledge of how http and https work I would think that SSL would be a great addition!
I've been hoping for implementation for months!
-
From what I understand, enabling HTTPS would be a very good idea. Anyone running a Tor relay can log the unencrypted traffic, including passwords. If I'm wrong, could someone please explain why? Isn't this the whole reason the Tor Project highly recommends using HTTPS whenever possible and includes the HTTPS Everywhere plugin with the Tor Browser Bundle? If I am correct then this is a serious issue, and it's not like enabling HTTPS is hard to do.
That applies only to traffic that must exit Tor to get to its destinations. This is not the case with hidden services, for which HTTPS would be completely redundant and pointless. Ask the people at Tor who recommend HTTPS for non-hidden service traffic and they will tell you the same.
-
Ah, I hadn't considered that the entire data transmission stays within the bounds of the Tor network.
That makes me feel a lot more secure.
Thanks for the information!
-
Even so, an extra layer of encryption wouldn't be a bad thing. And it's still very easy to enable; it's not like it will require some kind of major overhaul or take a long time to do. I have seen other hidden services that use SSL. It's not a bad idea, especially considering the type of site SR is. I really don't see why it shouldn't be enabled; any additional protection is a positive thing for all of us here.
-
Even so, an extra layer of encryption wouldn't be a bad thing.
Yeah, the extra overhead wouldn't matter at all... seeing as the site is already blazingly fast.
And it's still very easy to enable...
Yeah, all SR has to do is head on over to Verisign and request a certificate for silkroadvb5piz3r.onion and type in a credit card number. Easy! Seriously, where do you expect that SR could get a certificate signed by a CA that will be trusted by users' browsers?
-
Guys, once and for all:
SilkRoad is a Tor Hidden Service. This means you already have end-to-end encryption from your computer to the SilkRoad server. No one can see your unencrypted traffic, only you and the SilkRoad server.
-
Yeah, all SR has to do is head on over to Verisign and request a certificate for silkroadvb5piz3r.onion and type in a credit card number. Easy! Seriously, where do you expect that SR could get a certificate signed by a CA that will be trusted by users' browsers?
Just self-sign it!
-
Just self-sign it!
The problem with that, aside from HTTPS providing no benefit for Tor hidden services, is that everyone's browsers will freak out, which will probably scare away a lot of users who don't understand self-signed certificates.
-
Just self-sign it!
The problem with that, aside from HTTPS providing no benefit for Tor hidden services, is that everyone's browsers will freak out, which will probably scare away a lot of users who don't understand self-signed certificates.
I'm certainly not in favor of adding SSL with the site being as flaky as it has been of late, but it would (for argument's sake) be possible to run the site with both http and https working and if users wanted to use https they could and they could add an exception for the self-signed cert.
-
Even so, an extra layer of encryption wouldn't be a bad thing. And it's still very easy to enable; it's not like it will require some kind of major overhaul or take a long time to do. I have seen other hidden services that use SSL. It's not a bad idea, especially considering the type of site SR is. I really don't see why it shouldn't be enabled; any additional protection is a positive thing for all of us here.
..there is some loss in performance....a big conglomerate like Google has all the processing in the world..
-
It would (for argument's sake) be possible to run the site with both http and https working.
No it wouldn't. SR already explained in the thread about the new URI that the code that runs the site is programmed to generate absolute URIs all over the place. As currently written, it cannot handle being accessed on multiple different URIs.
-
Just self-sign it!
The problem with that, aside from HTTPS providing no benefit for Tor hidden services, is that everyone's browsers will freak out, which will probably scare away a lot of users who don't understand self-signed certificates.
Agreed. And of those who don't get scared away, they will start thinking that it's perfectly normal to have to click "ignore" when confronted with scary-sounding security errors. There are already enough idiots who fall for phishing scams, we don't need to be teaching even more people to be idiots.
-
...I don't think it matters as much ...security and correct setup comes first in my book....
-
From what I understand, enabling HTTPS would be a very good idea. Anyone running a Tor relay can log the unencrypted traffic, including passwords. If I'm wrong, could someone please explain why? Isn't this the whole reason the Tor Project highly recommends using HTTPS whenever possible and includes the HTTPS Everywhere plugin with the Tor Browser Bundle? If I am correct then this is a serious issue, and it's not like enabling HTTPS is hard to do.
Some quick answers and thoughts. I'll have to look into the rest of this technology since I never designed the Tor network ;-)
- I was under the impression Tor traffic is encrypted everywhere, you don't have to just be on the Tor network to SEE the network traffic in plain text - this is logical.
- just like any office network you would need to be on the same network segment as one of the nodes in the 1-1 communication traffic, traffic / data isn't simultaneously "broadcast" for anyone and everyone to read no matter where you are..
- HTTPS or SSL can also be hacked, again requires access from a specific point between the 2 nodes.
- yes, the more encryption you use, the more obstacles and difficulty there are in tracing / logging what you're doing.
- as per chronipain's comment above it is an overhead, there is a real noticeable difference in performance between a regular HTTP versus HTTPS / SSL connection.
- there is the added complication of certificates, 3x parts to this:
  - the extra browser popups would irritate the regular user, especially newbies who have enough tech issues getting into SR etc.
  - every bit of webserver config including URLs, webserver naming, DNS names, certificate authority, NTP time of servers..........in order for this to work properly.
  - who / which tech companies would SR trust to implement this, probably need to be yet another Tor CA service and who is going to manage all of this..
- I'm not sure what has been tested to work under a Tor encrypted network where identities, IP addresses (?) are changing all the time.
Otherwise yes, a good idea....that needs to be implemented at some point.
-
Expert talking:
Adding SSL to SR would DECREASE its security.
Tor already does what SSL does for exits - it ensures a cryptographically sound link between client and site.
However, SSL on a Tor hidden service is BAD because it can cause deanonymization of what particular hidden node you're coming from, due to how the SSL protocol works.
Don't do it.
-
...perhaps not then...SSL hopes to prove that the server you are comm with is who it says it is by means of a Certificate Authority & certificates preventing bogus sites posing as the web service...ok...perhaps the mention of SSL is applicable to services outside of the Tor network....ok
moving on..