
Re: [tor-dev] Future Onion Addresses and Human Factors




On Aug 10, 2015, at 2:00 PM, Philipp Winter <phw@xxxxxxxxx> wrote:

> Vanity addresses encourage people to only verify the human-readable part
> of an address before clicking on it.  That creates a false sense of
> security, which is already exploited by spoofed onion service addresses
> whose prefix and suffix mimic the original onion address.

That does strike me as a risk.  

That said, if an address is completely incapable of, even hostile to, validation by human eyeballs, then what happens is “trust” migrates to using a bunch of tools which are forgeable, spoofable, hackable, trojanable.

The resultant risk might be worse for its greater resistance to detection.

    -a

ps: for an investigation of what happens when you build a “communities” app around “non-human-readable” barcodes and without a discovery mechanism, see this article; such innovation gives me great hope for humanity finding solutions to apparently high-friction technologies, but it also clearly hampers broader inclusiveness, the latter arguably being one of Tor’s most important goals:

http://mashable.com/2014/10/24/hacks-facebook-rooms/

—
Alec Muffett
Security Infrastructure
Facebook Engineering
London


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev