
IEEE Symposium on Security and Privacy

March/April 2016 Vol. 14, No. 2


Bake in .onion for Tear-Free and Stronger Website Authentication

Paul Syverson | US Naval Research Laboratory
Griffin Boyce | Berkman Center for Internet & Society at Harvard University

Although their inherent authentication properties are generally overlooked in the shadow of the network-address hiding they provide, Tor’s .onion services might just deliver stronger website authentication than existing alternatives.

Tor is a widely popular infrastructure for anonymous communication (www.torproject.org). Millions of people use Tor’s thousands of relays for unfettered, traffic-secure Internet access. Approximately 95 percent of Tor bandwidth traffic is on circuits connecting Tor clients to servers that are otherwise accessible on the Internet.[1] Tor also provides protocols for connecting to services on its reserved top-level domain .onion, which are only accessible via Tor.

Tor’s .onion design continues the original onion-routing idea of protecting not only clients’ but also servers’ network location information.[2,3] Research to date has been so focused on the location-hiding aspects of onionsites and services that it simply calls them “hidden servers.” The popular press sometimes uses “Dark Web” to refer to onionsites, but more often than not, usage of that term is misleading or incoherent. Because spies and criminals attack users from hiding spots throughout the infrastructure on today’s Internet, rather than being dark, Tor’s authenticated routing overlay typically provides users the only visibility of or control over where their traffic goes. Thus, we challenge the common narrow view of onionsites. In this article, we explore how individuals might use Tor’s .onion infrastructure to create website authentication, integrity, and other guarantees more simply, easily, fully, and inexpensively than by currently available means.

Tor and Onion Services: A Brief Background

In this article, we sketch the basics of Tor onion services. For more details, we refer readers to Roger Dingledine and his colleagues’ Tor design paper,[2] the Tor Project’s high-level graphical description of onion services (www.torproject.org/docs/hidden-services.html.en), and related documentation on the Tor homepage (www.torproject.org). The “Tor Rendezvous Specification” also provides a more up-to-date and much more technical description of onion service protocols (https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt).

Tor clients randomly select three of the roughly 7,400 Tor relays to create a cryptographic circuit to connect to Internet services (https://metrics.torproject.org/networksize.html). Because only the first relay in the circuit sees the client’s IP address and only the last (exit) relay sees the destination’s IP address, identification is separated from routing. To offer an onion service, a Web

1540-7993/16/$33.00 © 2016 IEEE. Copublished by the IEEE Computer and Reliability Societies. March/April 2016.


(or other) server creates Tor circuits to multiple introduction points that await clients’ connection attempts. Clients wanting to connect to a particular onion service use the onion address to look up its introduction points in a directory. In a successful interaction, clients and onionsites both create Tor circuits to a client-selected rendezvous point. The rendezvous point mates their circuits, which then interact over the rendezvous circuit like ordinary Web clients and servers.

Because a properly configured onionsite communicates only over the Tor circuits it creates, this protocol hides its network location, thus the name “hidden service.” But the .onion system has other important features, including self-authentication. The onion address is actually a hash of the onionsite’s public key. For example, if users want to connect to the DuckDuckGo (https://duckduckgo.com) search engine’s onion service, they use the address 3g2upl4pq6kufc4m.onion. The Tor client, recognizing this as an onion address, knows to use the above protocol rather than pass the address through a Tor circuit for DNS resolution at the exit. Avoiding a DNS resolution outside the Tor network protects against leakage of client interests by preventing observation of DNS lookups as well as against any of the well-known DNS hijinks, such as redirection by ISPs or rogue DNS servers and cache poisoning. The public key corresponds to the key that signs the directory system’s list of introduction points and other service descriptor information. In this way, onion addresses are self-authenticating.

For services such as DuckDuckGo, the onion service’s value lies not in its location hiding but in the Tor connection’s additional authentication and assurance of improved route security. Because the Tor circuits necessary to reach introduction and rendezvous points are there to protect the confidentiality of server network location, their complexity, latency, and network overhead aren’t needed to provide improved authentication or route security. Nonetheless, there are performance advantages to providing an onion service to users wanting to connect to a site via Tor (for example, skirting the effects of exit relay bandwidth scarcity). And Tor proposals (the Tor equivalent of the Internet Engineering Task Force’s [IETF’s] RFCs) to standardize simplified onion services without location hiding are underway. Facebook’s onion service already uses such simplifications.

Knowing to Which Self to Be True

DuckDuckGo’s onion address is self-authenticating in that it binds the service descriptor information to 3g2upl4pq6kufc4m.onion. Presumably, users want assurance that they’re reaching DuckDuckGo and receiving DuckDuckGo search results, not what might be returned by some other, possibly malicious, server. In addition to the integrity guarantee, users rely on authentication so that their queries are revealed only to DuckDuckGo. The onion address alone doesn’t offer this. Using the traditional Web trust infrastructure, Facebook offers a DigiCert certificate for its onion addresses to ensure that users aren’t misled by onionsites purporting to be official.

Although cryptographic binding is essential to the technical mechanisms of trust, users also rely on human-readable familiarity, for example, that the browser indicates graphically that they’ve made a certified encrypted connection as a result of typing “facebook.com” into the browser. To some extent, it’s possible to make use of this familiarity in onionspace. By generating many keys whose hash had “facebook” as the initial string and then searching the full hashes for an adequately felicitous result, Facebook obtained the facebookcorewwwi.onion address. However, this method won’t work widely, because it’s difficult to generate custom addresses in this way.

The Onion Name System is an attempt at a system for globally unique but still human-meaningful onionsite names.[4] This has the advantage of not depending on existing naming schemes, such as the domain registration system. Nevertheless, we can leverage the effective usage and infrastructure that existing naming approaches have evolved through experience and design. We focus herein on approaches that link onion addresses to already meaningful ways of referring to sites. In particular, we focus on a case in which an individual controls a registered domain name, although it’s also possible to bind to other meaningful Web locations such as a Facebook page or WordPress blog.

If you have a registered domain name, why not just obtain certificates from traditional authorities, as Facebook has done? For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.[5] These are not original observations. Indeed, that description is actually a quote from Josh Aas’s first blog entry for Let’s Encrypt, a new certificate authority dedicated, among other things, to making TLS certification free and automatic for most websites.

Setting up a certificate using the existing X.509 public-key infrastructure system can take hours or even days. When a collective or organization operates the website, SSL/TLS certificates have been known to take months because of ownership and authorization questions. This time cost is in addition to the certificate’s monetary cost, if any. In contrast, setting up an onionsite takes a few minutes and costs nothing. Once Tor is installed, you simply add two lines to your torrc


file to define where Tor will store the onion service’s key information and port, if necessary. Then, simply start Tor for the key and address to be generated. To migrate the service elsewhere, add these files to the new machine, then configure and start Tor as before. The Tor Project provides additional tips and advanced options (www.torproject.org/docs/tor-hidden-service.html.en). Even if Pretty Good Privacy (PGP) encryption is used for the binding (as we describe later) and the process of learning to create a PGP key and signature is considered, the time investment is dramatically less than with X.509.

As of this writing, Let’s Encrypt services are available only in beta release. Nonetheless, it’s already quite popular and successful. Should it be willing to offer onion domain certificates, Let’s Encrypt could be an easy way for onionsite operators to take advantage of the traditional certification infrastructure. This is already a focus of Let’s Encrypt discussions, both internally and with its community (https://community.letsencrypt.org/t/if-when-will-le-support-onion-addresses/341/10).

Traditional SSL certificate problems go beyond questions of cost and convenience. The trust hierarchy is opaque to direct usage, and the sheer number of trusted authorities is large enough to be of concern. In particular, there have been numerous man-in-the-middle (MITM) attacks through certificate manipulation as well as hacking of certificate authorities or certificate validation software leading to use of fraudulent certificates for several popular websites.[6]

The Electronic Frontier Foundation’s SSL Observatory (www.eff.org/observatory) monitors and documents the occurrence of such problems. Google’s Certificate Transparency (www.certificate-transparency.org) effort is similar but broader, adding, among other things, append-only signed public logs that make undetectable certificate shenanigans harder to achieve.

The problems with certificates, though real, are largely moot for those wanting to create onion services. As of this writing, the Certification Authority (CA)/Browser Forum (https://cabforum.org) has approved only extended validation (EV) certificates for .onion addresses. This limits the certificates’ use to those with the significant time, money, and desire required to complete the extensive identity validation process. EV certificates are primarily used by large businesses; individuals, organizations, and small businesses more commonly obtain domain validation (DV) certificates, which typically require a simple email confirmation based on information in the WHOIS database.

Furthermore, the .onion top-level domain itself was unofficial until recently. However, an IETF RFC reserving .onion as one of the handful of special-use domain names was approved as a proposed standard in October 2015.[7] With this RFC’s official release, the approval of certificates for .onion addresses is now on firmer footing.[8]

Our Onions Ourselves

As noted, onionsites already provide self-authenticated binding of public keys to onion addresses, but not to something recognizably associated with that site. We seek an authentication solution for all websites, especially moderately popular or short-lived ones such as webpages for individuals, hometown sports teams, one-time local events, small businesses, and municipal election campaigns. Although these are smaller targets than the more popular, long-lived sites, they’re subject to similar controversies and attacks. Even if they aren’t the targets of attacks, they might be collateral victims.

Sometimes, users of these less popular or temporary sites don’t have Internet accounts that permit setting up servers. Onionsites can generally work with this limitation because they make only outbound client connections. Similarly, onionsites can be used to administer systems behind restrictive firewalls that permit only outbound connections. Even if users do have Internet accounts that permit them to provide Web services, their providers might not offer HTTPS, or offer it only at an additional fee.

With Tor’s user base in the millions and growing, website owners might also want to ensure that their sites are accessible to Tor users. Sites such as Facebook use onion services to give Tor users better performance, security, and user experiences than what they receive when connected over a simple Tor circuit to facebook.com.[8] On the other hand, those with small personal sites might discover that their hosting provider blocks access from Tor exits. When product designer Glenn Sorrentino realized that this was true of his site, glennsorrentino.com, he set up a version on a small personal system at at3o24mj2rfabkca.onion. Doing so offered other benefits as well, but his motivation was reachability for Tor users. Note that because the Tor network is designed to be reached even by users experiencing censorship,


another way to solve this problem could be to run the site as an onion service from the same Web server but connecting to Tor via bridges and obfuscating pluggable transports (www.torproject.org/docs/bridges).

We focus primarily on using onionsites to improve authentication, setting properties of network location hiding aside as orthogonal to our goals. However, these properties can be complementary for some use cases. Authenticated hidden services are an appealing option for those who’d like to secure their onionsites for personal use. Unlike with traditional websites, which are discoverable online before authentication, users lacking authentication information for private onionsites won’t be able to determine easily whether they exist, nor will they be able to probe them for vulnerabilities. Configuring onionsites for obfuscation of site existence, and thus site vulnerability, is ideal for operating a personal cloud service. With privacy and cost in mind, many people operate their own cloud infrastructures to store files and calendar entries by using open source systems such as Cozy (https://cozy.io) and OwnCloud (https://owncloud.org). Authenticated hidden services are also often used as personal RSS readers, because onionsites ensure some level of feed integrity, particularly important when fetching news feeds that don’t utilize TLS.

Users can, and often do, create Facebook or similar pages that are protected by HTTPS and TLS certificates. But then the service must depend on the host’s reputation, trust, policies, and protections (not to mention dynamics) rather than let users understand and control these aspects of their own services.

A simple way to bind the onionsite public key to a known entity that uses widely available mechanisms is to provide a signature on the onion address, such as a PGP/GNU Privacy Guard (GPG) signature. The signed text can be included on the onionsite, making it self-authenticating in this sense as well. The trust level in the authentication is then equivalent to the trust in the public key doing the signing. Such techniques are already used for signing code. For example, the Tor Project offers signatures on all sources and binaries it makes available for download.

Signers can also post the signed onion address to a public site, such as their Facebook page. Indeed, a useful public site for doing this would be an unauthenticated version of the same service as the one the onionsite offers. The unauthenticated version and the onionsite version should contain signed pointers to each other so that anyone can check their association. For example, by posting his PGP signature at both http://glennsorrentino.com/onion-binding.php and http://at3o24mj2rfabkca.onion/onion-binding.php, Sorrentino binds the addresses of his site’s unauthenticated and authenticated versions.

Another potential place to post the association is Keybase (https://keybase.io), a “people directory” in beta release. Keybase lets you look up by username GitHub, , Twitter, and identifiers signed with the same PGP key. Incidentally, Keybase has an onion address (http://fncuwbiisyh6ak3i.onion) for its registered domain address.

Given onionsites’ authentication benefits, why bother with a non–onionsite version? Providing a site at the registered domain makes it available to users not coming over Tor. Typically, an onionsite can still be accessed via Tor2web (https://tor2web.org), a website that proxies connections from non–Tor clients to onionsites. Such proxying services might provide broader availability; however, at best, they offer overtly acknowledged MITM onionsite connections. Because we’re focused on not merely maintaining but improving authentication, we’ll say no more about such proxies and limit our discussion to secure onionsite access for current and future Tor users. Site operators wanting to provide wider, if less secure, access should do so by connecting to the registered domain name, which is hopefully at least protected by HTTPS.

Finally, Google and other traditional search and indexing engines don’t generally reflect links to onionsites, unless onionsites associated with registered domains are included in the sites’ metadata, as in our glennsorrentino.com example. The Ahmia search engine (https://ahmia.fi) is limited to onionsites and thus likely to be known only to those already familiar with them. However, its creator, Juha Nurmi, has agreed to link onion and registered domain addresses in Ahmia, together with the GPG signatures that bind the linking. He’s also suggested to us that Ahmia could automatically test the signatures and check the registered-domain and onion sites. Thus, even if they aren’t comfortable performing PGP verification, users who trust Ahmia (and their connection to Ahmia) can verify that the same party operates a pair of websites. Onionsite crawling and indexing are in their infancy and thus aren’t as representative of their target space as Google’s and similar sites’ much more mature indexing of the surface Web.

Usability, Convenience, and Security

Because most onionsite visitors use Tor Browser, deployment and debugging of onion services are faster than for their registered domain counterparts: there’s only one browser to test, with only minor user variation. Website operators can assume that users don’t have AdBlock or other browser extensions that affect how content is displayed. Plug-ins such as Java and Flash that might mitigate Tor Browser’s privacy protections are disabled by default. Many privacy-conscious users enable the NoScript extension to block JavaScript


as well. Despite this, rich content such as video, audio, and interactive storytelling are still available for designers willing to use HTML5 and CSS3. And because Tor Browser generally restricts what it will process more than other browsers do, operators wanting to offer access to their Tor Browser–tested site at a registered domain shouldn’t have to make any changes.

What we’ve described so far implies relatively manual PGP/GPG signature authentication. It would be straightforward to create a plug-in that verifies the signature and the trust in it, then gives users different indications depending on the results. Related tools have already been developed; for example, Monkeysphere (http://web.monkeysphere.info) is a Firefox plug-in that uses the PGP trust infrastructure for validation only when the browser doesn’t accept the TLS certificate validation by default. A simpler plug-in could also check the Ahmia validation suggested earlier.

Website operators can now use our PGP approach (at least manually). Although our approach could benefit from usability developments and simplification, it can complement other approaches, as it doesn’t rely fundamentally on the deployment and continued commitment to new infrastructure. Instead, it can rely on whatever authentication infrastructure is popular and likely to be maintained for independent reasons.

The PGP web of trust builds up signature authority in a decentralized manner from direct personal connections and introductions. This fits more naturally with, for example, community, local business, personal, and collaborative work sites, for which local or personal trust relationships are important.[9] By contrast, the X.509 trust model is a hierarchical centralized trust chain delegated down from a national or global corporate trust anchor.

PGP remains much less familiar than TLS. Popular familiarity is, however, not so much with TLS as with interfaces such as the lock icon in the browser search bar. This indicates little more than whether TLS and certificates from default-accepted authorities are in operation. However, most users lack even this basic understanding: to them it means “secure.” It’s up to us to design systems so that such simple judgments are correct and users will naturally do the right thing. As noted, similar PGP interfaces have been designed but haven’t been developed extensively the way TLS interfaces have (unsurprising given TLS’s fundamental role in global e-commerce). For those who don’t otherwise rely on the PGP web of trust’s social or local protections, TLS certificates will likely remain the primary ground for linking public, human-readable domain names to signatures that authenticate websites.

Let’s Authenticate

Again, unlike conventional Web URLs, onion addresses are connected inextricably to the site authentication key. Thus, if you’ve publicized the onion address on, for example, blogs, Twitter, or Facebook, people following those address links won’t be vulnerable to hijacks or MITM attacks by a subverted CA. This significantly raises the bar on the hijacker. Furthermore, non-CA-based MITM techniques, such as forcing the site to fall back to a non-SSL version (for example, by using SSLStrip) or to use a weaker cipher to communicate (for example, via BEAST or FREAK), won’t be possible because, unlike for conventional Web addresses, the onion address and key are linked inextricably and generated cryptographically.

Given the success of Let’s Encrypt, we envision eventual incorporation of TLS with onionsites for the “everyman” users we described. Whereas certificate transparency and the like will help increase trust in authenticating such sites via their certificates, onion addresses’ self-authentication adds to this trust in two ways. They strengthen the certificate-based authentication that certificate transparency addresses, and the use of onion routing implies authentication of the route, not just the destination. And both of these are under more direct owner control. But, it’s not just for the little guys. The US General Services Administration, which negotiates federal-friendly terms of service (ToS) for the US government,[10] has negotiated an amendment to the Let’s Encrypt Subscriber Agreement for US government users. And Let’s Encrypt already has significant US government adoption (https://crt.sh/?Identity=%25.gov&iCAID=7395).

Creating the Domain Validation Certificate

We assume that the certificate to be obtained will have the onion address listed as a SAN (subjectAltName) in the certificate issued for the registered domain name. Currently, CA/Browser Forum policy allows only registered domain names and wildcards thereof, such as *.duckduckgo.com. The only exception is for EV certificates, which are prohibitive for many site owners and, hence, problematic. Nonetheless, in response to numerous requests, DigiCert


now provides instructions for ordering .onion certificates.[11] We’ll explore some concerns and reasons why the approach set out in this section supports changing current restrictions. But, first, we describe how this approach would work if onion addresses were allowed as names in DV certificates.

You could simply create a self-signed certificate binding the onion and registered-domain names. But then a popup would warn users because the browser won’t trust you to be a signing authority. Such warnings are important because most people use Tor precisely for safer connections to registered domain addresses. We’re pursuing a strengthening of (not an alternative to) the current authority-based Web authentication infrastructure, to which user experience is central. Thus, we want to avoid both accepting self-signed certificates without warning and adding to circumstances in which popup warnings occur superfluously.

Onion addresses should receive at least the same DV level of checking as occurs now for registered domain names. The latest ballot-approved CA/Browser Forum’s baseline requirements list several ways to demonstrate domain control.[12] The most familiar is probably responding to an email sent to administrator@[registered domain] or a similar address. The baseline requirements also let certificate applicants demonstrate their ability to make requested changes, such as adding a nonce to a page whose name terminates in the requested domain name. So, a validation query protocol can be used that freshly connects to the onionsite and asks whether it’s acceptable to certify association of the onionsite with the registered domain. This can also verify that the onionsite is configured properly. The CA should issue the certificate only if all DV checks are completed successfully.

An email or other check of the registered domain must also include the onion name. If applicants could obtain a certificate for multiple registered domain names by showing control of only one, they could fraudulently authenticate other sites covered by the certificate. Onion addresses’ self-authentication limits this risk. This check alone wouldn’t prevent people from obtaining certificates for onion addresses not under their control. But, because they wouldn’t possess the onion address’s private key, people tricked into going to that address simply wouldn’t connect successfully. Nonetheless, many subtle authentication attacks are possible when users are confused about who they’re connecting to and in what role, especially if authentication protocol runs are interleaved.[13] Therefore, we recommend that the certificate-issuing protocol include a check that whoever controls the onion address authorizes its binding to the registered domain name.

Connecting to Onionsites

Assuming an onionsite has been configured and certified, how should users connect to it? If users request a connection to the onion address by, for example, clicking a link, then the connection should proceed as normal. But if users request a connection to the associated registered domain address, they could be redirected automatically to the onionsite as a security enhancement. Additions to the HTTPS Everywhere (www.eff.org/https-everywhere) ruleset could accomplish this.

HTTPS Everywhere, a browser extension incorporated by default in Tor Browser and available for Firefox, Chrome, and Opera, rewrites requests to connect to sites via unencrypted HTTP to HTTPS requests. This does more than add an “S” to the request. Sometimes a site’s encrypted and unencrypted versions are in different domain locations. Conversely, adding an “S” to an HTTP request might connect users to a page that the domain owner intended for purposes other than a heightened-security version of the HTTP site. Like HTTP Strict Transport Security (HSTS), HTTPS Everywhere helps guard against SSLStrip and similar attacks. HTTPS Everywhere also includes the SSL Observatory. Note that the ruleset could also be expanded to allow redirection to onionsites using the GPG binding approach we described earlier.

Another advantage of using HTTPS Everywhere to direct registered domain requests to onionsites is that DNS lookup of an IP address won’t be associated with the domain name. This means that such connections won’t be affected by attacks on DNS resolution or by observations of DNS lookups exiting the Tor network.

An Onion by Any Other Name Would Cert as Sweet

So, why not just permit onion addresses to be used as names in certificates? CA/Browser Forum discussions have raised two broad classes of objections.

First, currently deployed onion addresses and protocols rely on SHA-1 and RSA-1024, both of which have reached the end of their effective-security lifetimes. But Tor client and relay software has transitioned in stable releases to SHA-256 and Ed25519, which are adequate for the foreseeable future. And Tor is expected to transition onion services to these cryptographic primitives within the year. Therefore, any valid objections based on this concern will be short-lived. More important, when combined, onion protections can only add to TLS and certificate protections. Breaking the private RSA-1024 key associated with an onion address that has an appropriately stronger TLS key and certificate doesn’t, by itself, allow an attacker to subvert a certified TLS session with the onionsite. Conversely, MITM, cipher degradation, or other certificate or TLS instance attacks


aren’t possible with onion addresses unless the attacker also breaks the self-authentication.

Second, for various reasons, some individuals support a CA’s ability to link real-world identities to issued certificates, as occurs when validating registered domain names. This is why only EV certificates have been approved for onion addresses. But the described design proposes that a DV certificate for an onion address be issued only when it’s fully bound to a registered domain name and validated by the same process as for the registered domain name. Whatever benefits such linking provides are supported as strongly for the onion address as for the registered domain name alone.

A decade ago, websites available via encrypted and authenticated connections were relatively rare. Providing users with such options seemed the province of the paranoid rather than standard good practice. Whether or not our specific design recommendations are adopted, we hope that in our general approach, readers recognize prospective changes, which onionsites facilitate, that are as important to the future of secure and robust access to and use of the Internet as certificates and TLS were at the turn of the century. We also hope our expanded view of Tor’s onion services will encourage others to explore this fascinating system for novel properties and applications.

Acknowledgments

We thank the anonymous reviewers for their feedback and suggestions. We have also benefited from conversations with many people, including Richard Barnes, Roger Dingledine, Peter Eckersley, Eric Mill, Alec Muffett, Mike Perry, Seth Schoen, and Ryan Sleevi.

References

1. G. Kadianakis and K. Loesing, Extrapolating Network Totals from Hidden-Service Statistics, Tor tech. report 2015-01-001, Tor Project, 31 Jan. 2015; https://research.torproject.org/techreports/extrapolating-hidserv-stats-2015-01-31.pdf.
2. R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The Second-Generation Onion Router,” Proc. 13th USENIX Security Symp. (SSYM 04), Aug. 2004, p. 21.
3. D.M. Goldschlag, M.G. Reed, and P.F. Syverson, “Onion Routing for Anonymous and Private Internet Connections,” Comm. ACM, vol. 42, no. 2, 1999, pp. 39–41.
4. J. Vickers, “OnioNS-server: The Onion Name System" Networking Protocols,” GitHub, 28 Sept. 2015; https:// .com/Jesse-V/OnioNS-server.
5. J. Aas, “Let’s Encrypt: Delivering SSL/TLS Everywhere,” Let’s Encrypt, 18 Nov. 2014; https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html.
6. L.-S. Huang et al., “Analyzing Forged SSL Certificates in the Wild,” Proc. IEEE Symp. Security and Privacy (SP 14), May 2014, pp. 83–97.
7. J. Appelbaum and A. Muffett, “The ‘.onion’ Special-Use Domain Name,” Internet Engineering Task Force, Oct. 2015; https://tools.ietf.org/html/rfc7686.
8. A. Muffett, “RFC 7686 and All That …,” Facebook, 23 Oct. 2015; www.facebook.com/notes/alec-muffett/rfc-7686-and-all-that/10153809113970962.
9. P. Zimmerman, “Why OpenPGP’s PKI Is Better than an X.509 PKI,” OpenPGP Alliance, 27 Feb. 2001; www.openpgp.org/technical/whybetter.shtml.
10. “List of Negotiated Terms of Service Agreements,” US General Services Administration, 2015; www.digitalgov.gov/resources/negotiated-terms-of-service-agreements.
11. “Ordering a .Onion Certificate from DigiCert,” DigiCert, 15 Dec. 2015; https://blog.digicert.com/ordering-a-onion-certificate-from-digicert.
12. “CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, Version 1.3.0,” CA/Browser Forum, 16 Apr. 2015; https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf.
13. P. Syverson and I. Cervesato, “The Logic of Authentication Protocols,” Proc. Int’l School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design (FOSAD 00), LNCS 2171, 2001, pp. 63–136.

Paul Syverson is a mathematician at the US Naval Research Laboratory, Center for High Assurance Computer Systems. His research interests include computer and communications security and privacy with an emphasis on theory, design, and analysis of traffic-secure systems, especially onion routing. Syverson received an MA and PhD in philosophy and an MA in mathematics from Indiana University. He’s an Electronic Frontier Foundation Pioneer, Foreign Policy Global Thinker, and ACM Fellow. Contact him at [email protected].

Griffin Boyce is a fellow at the Berkman Center for Internet & Society at Harvard University and a senior censorship researcher for the Open Internet Tools Project. He works on various anticensorship projects, including Satori and Cupcake Bridge. Contact him at [email protected].

Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.
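The two-sided issuance check the article recommends (the registered-domain check must name the onion address, and whoever controls the onion address must authorize the binding over a fresh query) can be modelled as below. This is an added example, not code from the article or from any CA; the site names, the reply fields and the `network` lookup standing in for a fresh connection are all assumptions.

```python
import secrets

# Constructed names for illustration; none come from the article.
DOMAIN, ONION = "shop.example", "shopexampleonion.onion"
EVIL_DOMAIN, EVIL_ONION = "evil.example", "evilexampleonion.onion"

def make_site(own_name, approved_peer):
    """Model a site whose owner authorizes a binding to exactly one peer name."""
    def answer(nonce, peer):
        if peer != approved_peer:
            return None                       # owner refuses this binding
        return {"nonce": nonce, "self": own_name, "binds_to": peer}
    return answer

def check_side(network, name, peer, nonce):
    """Freshly query `name`; the reply must carry this run's nonce and both names.
    Assumption: reaching an onion name in `network` stands in for Tor's
    self-authenticating connection to the holder of that address's key."""
    site = network.get(name)
    if site is None:
        return False                          # could not connect
    reply = site(nonce, peer) or {}
    return (reply.get("nonce") == nonce and reply.get("self") == name
            and reply.get("binds_to") == peer)

def ca_may_issue(network, domain, onion):
    """Issue only if the domain names the onion AND the onion names the domain."""
    if not onion.endswith(".onion") or domain.endswith(".onion"):
        return False
    domain_ok = check_side(network, domain, onion, secrets.token_hex(16))
    onion_ok = check_side(network, onion, domain, secrets.token_hex(16))
    return domain_ok and onion_ok

def scenarios():
    net = {
        DOMAIN: make_site(DOMAIN, ONION),
        ONION: make_site(ONION, DOMAIN),
        EVIL_DOMAIN: make_site(EVIL_DOMAIN, ONION),   # claims someone else's onion
        EVIL_ONION: make_site(EVIL_ONION, DOMAIN),    # claims someone else's domain
    }
    # An onion-side answer recorded in an earlier run and replayed (stale nonce).
    stale = lambda nonce, peer: {"nonce": "0" * 32, "self": ONION, "binds_to": DOMAIN}
    return {
        "honest pair": ca_may_issue(net, DOMAIN, ONION),
        "other domain, victim onion": ca_may_issue(net, EVIL_DOMAIN, ONION),
        "victim domain, other onion": ca_may_issue(net, DOMAIN, EVIL_ONION),
        "replayed onion answer": ca_may_issue({**net, ONION: stale}, DOMAIN, ONION),
    }
```

Only the honest pair is issued a certificate: each one-sided claim fails on the side the applicant does not control, and the replayed answer fails because it does not carry the nonce of the current run.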
