Re: [tor-dev] Hash Visualizations to Protect Against Onion Phishing
On Thu, Aug 20, 2015 at 02:41:51PM +0000, Yawning Angel wrote:
> What would be useful here is the number of onion addresses an average
> user visits. If it's small, something like this would probably be
> sufficient:
>
> 0. Browser generates/stores a long term salt.
>
> 1. On onion access, calculate SHAKE(salt | onion address) map that to
> a poker hand (5 card draw).
>
> P(52,5) = 311,875,200
> C(52,5) = 2,598,960
>
> 2. Goto 1.

The per-browser salt is a good way to prevent similar-hash attacks, but
of course will go astray if the user reinstalls her Tor Browser or has
multiple devices.

I'd caution about the poker hand, though. One year when I taught
first-year undergraduate CS, we included an assignment that had to do
with decks of cards and card games. A surprising number of people had
never seen decks of cards before, and were unfamiliar with the concept.
I did not observe whether the (un)familiarity was correlated with what
part of the world they came from.

Perhaps a notification "You've never visited this site before" that
pushes down from the top like some other notifications might go a long
way?
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
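
The salted hash-to-hand mapping quoted in this message, sketched as an added example; it is not code from the thread or from Tor Browser. Assumptions: SHAKE-128, a 32-byte salt, an unordered hand (the C(52,5) count), rejection sampling to avoid modulo bias, and hypothetical function names; the onion address is a constructed placeholder.

```python
import hashlib
import secrets
from math import comb

RANKS = "A23456789TJQK"
SUITS = "shdc"       # spades, hearts, diamonds, clubs
HANDS = comb(52, 5)  # 2,598,960 unordered hands, the C(52,5) figure quoted above

def new_salt() -> bytes:
    """Step 0: long-term per-browser salt (32 bytes is an assumed size)."""
    return secrets.token_bytes(32)

def hand_index(salt: bytes, onion: str) -> int:
    """Step 1: SHAKE(salt | onion address) reduced to [0, HANDS) without bias."""
    stream = hashlib.shake_128(salt + onion.lower().encode("ascii")).digest(256)
    limit = (1 << 32) - ((1 << 32) % HANDS)  # largest multiple of HANDS <= 2^32
    for off in range(0, len(stream), 4):
        word = int.from_bytes(stream[off:off + 4], "big")
        if word < limit:                     # rejection sampling
            return word % HANDS
    raise RuntimeError("no acceptable word in SHAKE output")  # negligible odds

def unrank(index: int) -> list[int]:
    """Combinatorial number system: index -> 5 distinct cards numbered 0..51."""
    cards = []
    for k in range(5, 0, -1):
        c = k - 1
        while comb(c + 1, k) <= index:       # largest c with comb(c, k) <= index
            c += 1
        cards.append(c)
        index -= comb(c, k)
    return cards

def poker_hand(salt: bytes, onion: str) -> str:
    """Render the hand as rank+suit pairs, e.g. 'Ks 7h 3d Tc 2s'."""
    hand = unrank(hand_index(salt, onion))
    return " ".join(RANKS[c % 13] + SUITS[c // 13] for c in hand)

if __name__ == "__main__":
    onion = "exampleonionaddr.onion"         # constructed placeholder address
    install_a, install_b = new_salt(), new_salt()
    print("install A:", poker_hand(install_a, onion))
    print("install B:", poker_hand(install_b, onion))  # new salt, new hand
```

Running it shows the caveat raised in the reply: the same address renders as a different hand under each fresh salt, so a reinstall or a second device loses the visual the user learned.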