[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Dutch police break into webservers over hidden services



Several people have asked us on irc about recent news articles like
http://wireupdate.com/wires/19812/dutch-police-infiltrate-hidden-child-porn-websites-in-the-u-s/

Apparently the Dutch police exploited vulnerabilities in the webservers
reachable over the hidden services. Some people are confusing this issue
with an attack on Tor. Tor just transports bytes back and forth. If you
have an instant messaging conversation with a Tor user and convince her
to tell you her address, did you break Tor? Having an http conversation
with a webserver running over a Tor hidden service, and convincing it
to tell you its address, is not much different.

So what lessons can we learn here, other than the usual "criminals
are not as smart as your average bear"? (If only we could count on bad
people to run insecure software, and good people to secure their software
correctly, the world would be a much simpler place.) One lesson is that
there are a lot of non-Tor components that can go wrong in keeping a
hidden service hidden -- just as we have a laundry list of security
and privacy issues to consider when using Tor as a normal client (at
the bottom of https://www.torproject.org/download/download.html.en )
there's a whole other set of issues, mostly unexplored, for hidden
service operators to keep in mind:
https://www.torproject.org/docs/tor-hidden-service.html.en#three

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk