On 30 August 2017 at 19:18, Roger Dingledine <a...@mit.edu> wrote:
> On Wed, Aug 30, 2017 at 03:07:37PM +0100, Ben Tasker wrote:
>> So his suggestion is portrayed as not sacrificing much, but actually
>> sacrifices quite a lot.
>
> This is a really important point. Thinking of onion space right now as
> the sum total of all that it can be is cutting off all of the future
> innovation.

That's a very good way of putting it. Thanks Roger.

> I think finding ways to tie onion addresses to normal ("insecure web")
> domains, when a service has both, is really important too.
> I'd like to
> live in a world where Let's Encrypt gives you an onion altname in your
> https cert by default, and spins up a Tor client by default to let users
> reach your webserver using whichever level of security they prefer.

Doesn't that risk adding insecurity? If I trust a less secure channel to authenticate the hidden service, then impersonating the hidden service may become easier by providing a weaker point of attack, no? It's not like there's a shortage of demos of people getting LetsEncrypt (and other CA) certs they shouldn't.

-J