On Wed, Aug 30, 2017 at 01:18:36PM -0400, Roger Dingledine wrote:
> On Wed, Aug 30, 2017 at 03:07:37PM +0100, Ben Tasker wrote:
> > So his suggestion is portrayed as not sacrificing much, but actually
> > sacrifices quite a lot.
>
> This is a really important point. Thinking of onion space right now as
> the sum total of all that it can be is cutting off all of the future
> innovation.

+1

[snip]
>
> As Alec says, the list of "things that could benefit from having a safe
> communication channel" is both enormous and open-ended. People like to
> use phrases like "dark web" or "dark continent" to evoke mystery and
> intrigue, but really, do you want to use the communications channel where
> you know for sure that you're talking to the person you meant to talk
> to, and you know that it's hard for somebody to eavesdrop on the content
> or the metadata? Or do you want to use the communications channel where
> you don't know who you're talking to, you don't know who is listening,
> and you don't know whether somebody is modifying the traffic?
>
> Calling onion services the "secure web" and everything else the "insecure
> web" isn't very catchy, so maybe we should settle on calling everything
> else (the places where you don't know who you're talking to or who's
> listening) "dark". :)
>
> For those following along who haven't watched our 32c3 onion services
> talk, you might find it enlightening:
> https://media.ccc.de/v/32c3-7322-tor_onion_services_more_useful_than_you_think
> (The Defcon talk has a few more details about the next-generation onion
> service design, but I'm told the video for it won't be up for another
> couple of months.)

In "The Once and Future Onion" I contrast onionspace with "the
less-secure web" rather than the insecure web. I think it's a bit more
accurate term: as one example, there is a difference between an
HTTPS-protected (and HSTS enabled, etc.) site and a vanilla HTTP site.
(I also note that going through Tor Browser in general provides the
ordinary user with more route information than they otherwise
have---indeed authenticated route information. And I underscore this
with the phrase "the alliuminated web".) This article is for a keynote
talk I'll be giving at ESORICS in a few weeks.
The proceedings will be published by Springer and the talk hasn't been
given yet, but you can get the paper right now from
https://www.nrl.navy.mil/itd/chacs/syverson-once-and-future-onion

> I think finding ways to tie onion addresses to normal ("insecure web")
> domains, when a service has both, is really important too. I'd like to
> live in a world where Let's Encrypt gives you an onion altname in your
> https cert by default, and spins up a Tor client by default to let users
> reach your webserver using whichever level of security they prefer.

I also mention this point, as well as integration with HTTPS Everywhere
in "The Once and Future Onion".

[snip]

aloha,
Paul
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk