[cabfpub] Ballot 144 - .onion domains

Gervase Markham gerv at mozilla.org
Fri Feb 13 09:53:18 UTC 2015

Hi Kirk,

On 13/02/15 02:33, kirk_hall at trendmicro.com wrote:
> Fair enough.  But if Facebook can engineer **multiple** public keys that
> hash so the first 8 characters of ALL of them are “facebook”, I’m
> guessing it's not that hard and a hacker could do the same thing (or get
> the first 5 as yahoo, the first 6 as google, or the first 8 as
> microsoft).  After that, the rest of the characters could be random or
> meaningful, but the potential harm (trickery in the domain name) is
> already done.

.onion names represent 80 bits of data (half of the 160 bits of a SHA-1
hash) and are 16 characters, so each character represents 5 bits. This
means that to fix the first character would require generating about 32
(2 ^ 5) keys. Not many. But to fix the first two characters would
require 32 ^ 2 = 1024 keys. Each additional character you want to fix
makes the job 32 times harder.

Therefore, getting even one key where the first 8 hash characters are
"facebook" requires approx. 1 x 10^12 keys to be generated (that's
100,000,000,000). Facebook has a lot of computing power, so they could
do this. This is not out of the reach of others, but would be expensive.
I'm not sure a phisher would consider this the most cost-effective
method of phishing.

> Under the ballot, CAs have no obligation to scan or verify a
> **meaningful** .onion domain and look for phishing or fraud attempts. 

Do they have such an obligation for normal domain names?

If so, why does that obligation not extend to .onion names?

> I
> was under the impression that .onion domain names were ALWAYS 12 random
> characters (which avoids fraud); now I see that people who want a
> specific .onion name can arguably game the system to get a meaningful
> name that they want (and it might not even be their own name –
> gervmarkham1 for example).

The longer the required "meaningful" portion is, the harder it is to
find a name beginning with it. As I said, each extra character you want
makes it 32 times harder.

So getting an 8-character prefix ("facebook") requires approx. 1 x 10^12
keys to be generated. Getting an 11 character prefix ("gervmarkham")
requires 3.6 x 10^16 - i.e. it's 32,678 times harder. 11 characters
would have been out of the reach of even Facebook.

> In contrast, a .onion domain name will be displayed to Tor users, and
> could cause confusion.  Should we require CAs to follow the rules of BR
> 9.2.4g so that .onion domains that include meaningful names are
> verified?  Or better yet, not allow .onion domains to be meaningful
> (require them to be random only)?

I think the idea of requiring "randomness" would not be any better.
Let's say we required Facebook to be:


It would be equally as easy for someone to generate a key matching the
first 8 letters of this as it is for someone to generate one matching
the word "facebook". So for the same effort as above, I could generate:


I'm not convinced that a user is going to recognise the difference
between those two better than the difference between two strings
starting "facebook".

This is fundamentally why the proposal is that onion names be EV only -
because looking at the domain name is not a good way of determining the
owner, whether it's random or mnemonic.
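
Added example (not part of the original message or of any CA's tooling): a reviewer-side check built on the 5-bits-per-character arithmetic above. It derives a 16-character name from key bytes, measures how many leading characters a requested name shares with a known one, and reports the expected number of keys needed to reach that prefix. All labels, the key bytes and the function names are constructed for illustration.

```python
import base64
import hashlib

ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")  # base32, lower case
BITS_PER_CHAR = 5  # 80-bit name / 16 characters, as in the message


def onion_label(pubkey_der: bytes) -> str:
    """Base32 of the first 80 bits (10 bytes) of SHA-1 over the key bytes."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def is_valid_label(label: str) -> bool:
    return len(label) == 16 and set(label) <= ALPHABET


def shared_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def expected_keys(prefix_len: int) -> int:
    """Mean number of keys generated before one matches prefix_len characters."""
    return 2 ** (BITS_PER_CHAR * prefix_len)


def review(candidate: str, known_labels, min_shared: int = 5):
    """List (known_label, shared_chars, expected_keys) for lookalike prefixes."""
    if not is_valid_label(candidate):
        raise ValueError("not a 16-character base32 .onion label")
    findings = []
    for known in known_labels:
        n = shared_prefix_len(candidate, known)
        if candidate != known and n >= min_shared:
            findings.append((known, n, expected_keys(n)))
    return findings


if __name__ == "__main__":
    KNOWN = ["brandnameabcd234"]  # constructed label, not a real service
    for cand in ("brandnamezzzz567", "qrstuvwxyz234567"):  # constructed
        print(cand, review(cand, KNOWN))
    for k in (1, 2, 8, 11):
        print(k, "characters:", f"{expected_keys(k):,}", "keys on average")
```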

