
Re: Example hidden service issue




> The problem is that:
> http://tor.eff.org/docs/tor-hidden-service.html.en
> instructs the user to first test the setup with
> Google as hidden service, and then switch to the real one,
> using the same onion address:
> 
> |Step Three: Connect your web server to your hidden service
> |
> |This part is very simple. Open up your torrc again, and change the
> |HiddenServicePort line from "www.google.com:80" to "localhost:5222".
> |Then restart Tor. Make sure that it's working by reloading your hidden
> |service hostname in your browser.
> 
> Sounds like a pretty bad idea to me too.

May sound like a bad idea, but does no harm at all.

Google does not learn from your tests that you are providing a hidden
service for it. The connections made during your tests are
indistinguishable from other direct connections you make to Google
every day. There is no remark in them that they belong to a hidden
service request.

The only thing you should NOT do when setting up a hidden service after
the above mentioned howto is to give the onion address to Google BEFORE
changing to your own server. They could perform an altered request over
Tor (e.g. for a non-existing resource) and find out which IP address
requested that resource.

In case you want to be absolutely sure, you can simply switch to a new
onion address by deleting the hidden service key stored in your local
hidden service directory. That forces Tor to create a new key, and you
have a new onion address.

Karsten