[messaging] Are vanity onion domains a good idea?

Mike Hearn mike at plan99.net
Tue Oct 27 05:45:47 PDT 2015


>
> The name tor.facebook.com is not self-authenticating, which is the
> main practically useful function of .onion names.
>

Well ... but this thread starts by observing that attackers are exploiting
the fact that Onion names are opaque random strings, meaning people do (at
best) prefix matches of a few characters.

So isn't the issue that Onion names are *not*, in practice,
self-authenticating?

There are not thousands of CAs, even Firefox only trusts a hundred or so
in total and EV certs are issued by only about 25-30. And Google is forcing
them into certificate transparency, so if someone did issue a bogus EV
cert under your name you'd be able to locate it immediately with something
as basic as a cron job.

Chrome already shows visually if a page is bookmarked or not (the star on
the right hand side). So there's nothing to do there.
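
The cron-job check mentioned in the message above, sketched as an added example (not part of the original message): it filters Certificate Transparency entries for a watched domain and reports any certificate missing from the domain owner's own inventory. The records, field names, CA names and `example.com` are constructed for illustration, and fetching entries from a real log is assumed to happen elsewhere.

```python
import json

# Constructed CT-style records. The field names (id, issuer, serial, names)
# are assumptions for this example, not any real log's schema.
SAMPLE_ENTRIES = json.loads("""
[
 {"id": 101, "issuer": "Example Trust EV CA", "serial": "0a1b", "names": ["www.example.com", "example.com"]},
 {"id": 102, "issuer": "Other Root EV CA", "serial": "77f0", "names": ["login.example.com"]},
 {"id": 103, "issuer": "Other Root EV CA", "serial": "77f1", "names": ["example.com.evil.test"]},
 {"id": 104, "issuer": "Other Root EV CA", "serial": "77f2", "names": ["notexample.com"]},
 {"id": 105, "issuer": "Example Trust EV CA", "serial": "0a1c", "names": ["*.EXAMPLE.com."]}
]
""")

def covers(name, domain):
    """True if a certificate name is the domain or a subdomain of it.

    Compares on label boundaries, so 'notexample.com' and
    'example.com.evil.test' do not match 'example.com'.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def unexpected_certs(entries, domain, issued_by_us, seen_ids):
    """Return new entries naming `domain` that are not in our own inventory.

    issued_by_us: set of (issuer, serial) pairs we requested ourselves.
    seen_ids: ids already processed by earlier runs; updated in place so a
    repeated (cron) run reports each entry only once.
    """
    alerts = []
    for e in entries:
        if e["id"] in seen_ids:
            continue
        seen_ids.add(e["id"])
        if not any(covers(n, domain) for n in e["names"]):
            continue
        if (e["issuer"], e["serial"]) not in issued_by_us:
            alerts.append(e)
    return alerts

if __name__ == "__main__":
    inventory = {("Example Trust EV CA", "0a1b")}  # certificates we requested
    seen = set()  # a real job would persist this between runs
    for cert in unexpected_certs(SAMPLE_ENTRIES, "example.com", inventory, seen):
        print("ALERT", cert["id"], cert["issuer"], cert["serial"], cert["names"])
```
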