[liberationtech] Deep Web Intellectual Property Due Diligence

Mon Nov 17 16:02:08 PST 2014

you may want to avoid using the "Deep Web" term.  It's not like it means
anything but conveys some sort of Deep Water Horizon feeling, or Nemo if
you're optimist.

> 
> What, specifically, are the security issues associated with Deep Web
> “vanity” addresses (e.g. https://facebookcorewwwi.onion/  - with or
> without SSL cert; http://silkroad6ownowfk.onion/welcomeetc.).
>  
*** I think vanity addresses for onion sites, being easier to remember,
can be harder to forge.  I bet you typed the facebook one from memory.
That's a very good point for them, because then facebookcarewwwi.onion
might not trick you, if someone has the sheer luck of finding a private
key for that one.  So that may come as a positive security point.

Nevertheless, silkroad* has had more variants, and less memorable than
the exceptional facebook one, so unless you're very careful about the
original address you've visited, you might be "phished" into visiting a
fake onion site.

TLS certificates should not be issued to non-DNS entities, such as onion
services, because the client may verify the validity of that certificate
by contacting one or more external URLs, especially URLs outside of the
onion space, and that may lead to a breach of privacy, also because
looking up the .onion in the DNS is not supposed to happen.

So self-signed certificates add a layer of encryption on top of Tor's,
but the recent official grant of a certificate to facebookcorewwwi.onion
is actually a mistake, as TLS certificates belong to DNS, while .onion
domains are not resolvable by DNS mechanisms.  This has been a concern
for a while, and some people are working on having this issue recognized
by IETF and sanctioned by IANA to instruct ICANN to reserve the .onion
pseudo-TLD out of the DNS TLDs. [0]

> What types of due diligence data can be found on the Deep Web (please
> provide specific .onion URLs) and what service do you use to access it
> (e.g. search engine, BrightPlanet, etc.) –> regarding:
>
*** I cannot answer that question.

==
hk

[0] I-D. "Special-Use Domain Names of Peer-to-Peer Systems", currently
expired, latest draft at
https://datatracker.ietf.org/doc/draft-grothoff-iesg-special-use-p2p-names/,
soon to be updated with new information relevant to the above-mentioned
case.