On Sun, Nov 9, 2014 at 3:30 PM, Fabio Pietrosanti - lists <li...@infosecurity.ch> wrote: > On 11/9/14 8:58 PM, Jacob Appelbaum wrote: >>> For example, it would be interesting if TBB would allow people to >>> input a password/pubkey upon visiting a protected HS. Protected HSes >>> can be recognized by looking at the "authentication-required" field of >>> the HS descriptor. Typing your password on the browser is much more >>> useable than editing a config file. >> That sounds interesting. > > Also i love this idea but i would suggest to preserve the copy&paste > self-authenticated URL property of TorHS, also in presence of authorization. > > It could be done with a parameter in the URL > http://blahblah.onion/?authTorHBauBauMeowMeow=PASSWORD > Or it could be done with a URL handler httpA://PASSWORD@blahblah.onion . > > That way it will be possible to use such authenticated TorHS by > bookmarking an URL in TBB or by copy/pasting it from a password manager.
This assumes you're using a Tor aware browser, or Tor is somehow protocol aware and MITM for all user protocols (such as TLS non-web) which is impossible. So this won't work. Any such descriptor authenticating would need done at the onion 'hostname' level since that's the only non-user-protocol area available. ie: authtoken.16char.onion. Or in torrc as is today. _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev