
Re: [tor-talk] Facebook brute forcing hidden services



* on the Fri, Oct 31, 2014 at 08:54:27AM -0400, Roger Dingledine wrote:

>> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>> 
>> So Facebook have managed to brute force a hidden service key for:
>> 
>> http://facebookcorewwwi.onion/ 
>> 
>> If they have the resources to do that, what's to stop them brute
>> forcing a key for any other existing hidden service?
> 
> I talked to them about this. The short answer is that they did the vanity
> name thing for the first half of it ("facebook"), which is only 40 bits
> so it's possible to generate keys over and over until you get some keys
> whose first 40 bits of the hash match the string you want.

Getting one ending "corewwwi" seems incredibly lucky to me. Did they tell
you how many keys they generated starting with "facebook" and how long it
took them?

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
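
The 40-bit figure in the quoted reply, worked through as an added example that is not part of the original thread. It assumes the v2 onion naming scheme (base32 of the first 80 bits of the SHA-1 of the service's public key), uses constructed byte strings as stand-ins for real RSA public keys, and its function names are hypothetical.

```python
import base64
import hashlib

ONION_BITS = 80      # a v2 address encodes the first 80 bits of the key hash
BITS_PER_CHAR = 5    # base32: each address character carries 5 bits


def onion_label(pubkey_bytes: bytes) -> str:
    """Base32 of the first 80 bits of SHA-1(public key), lowercase."""
    digest = hashlib.sha1(pubkey_bytes).digest()
    return base64.b32encode(digest[:ONION_BITS // 8]).decode("ascii").lower()


def expected_attempts(prefix_len: int) -> int:
    """Average number of keys generated before prefix_len characters match."""
    if not 0 <= prefix_len <= ONION_BITS // BITS_PER_CHAR:
        raise ValueError("a v2 label has 16 characters")
    return 2 ** (BITS_PER_CHAR * prefix_len)


def search_prefix(prefix: str, max_tries: int):
    """Hash stand-in keys until a label starts with prefix.

    Returns (label, tries), or None if max_tries is exhausted.
    """
    if any(c not in "abcdefghijklmnopqrstuvwxyz234567" for c in prefix):
        raise ValueError("prefix must use the base32 alphabet")
    for n in range(1, max_tries + 1):
        # Constructed stand-in for a freshly generated public key (assumption).
        candidate = b"constructed-stand-in-key-%d" % n
        label = onion_label(candidate)
        if label.startswith(prefix):
            return label, n
    return None


if __name__ == "__main__":
    # A 2-character prefix is 10 bits, so about 1024 tries on average.
    print(search_prefix("fb", 200_000))
    # 8 characters ("facebook") is 40 bits; a full 16-character label is 80.
    for chars in (2, 8, 16):
        print(chars, "chars ->", expected_attempts(chars), "expected keys")
```

Each extra character multiplies the expected work by 32, so matching a chosen 8-character prefix costs about 2^40 key generations, while matching all 16 characters of an existing service's label costs about 2^80.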
