
Re: user vulnerability in directory data?



On Thu, Dec 07, 2006 at 08:39:09AM +0800, John Kimble wrote:
> On 12/7/06, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> [...]
> >
> >Here's what Tor stores in the data directory.  I've tried to annotate
> >the security implications of stuff, but I might have missed
> >something.
> >
> [...]
> 
> For completeness, though it's probably not very common for Torpark
> users to set up hidden services, there's also hidden_service/hostname
> and hidden_service/private_key. It's rather damaging if an adversary
> can get hold of these.

Ah, good catch, but those don't go in the data directory.  They go in
the directory configured by HiddenServiceDir.  There is one such
directory per hidden service.  Its contents are as you describe:

   hostname -- the <base32-encoded-fingerprint>.onion domain name for
      this hidden service.

   private_key -- the private key for this hidden service.

Both are sensitive.  The former lets an attacker tell what hidden
services you've been running.  The latter lets an attacker impersonate
your hidden service.

yrs,
-- 
Nick Mathewson

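
Added example, not part of the original message and not Tor project code: a small audit that reads HiddenServiceDir lines from a torrc and reports any such directory, or its hostname and private_key files, that is reachable by group or other users. The function names are hypothetical, the check assumes POSIX permission bits, and the sample directories are constructed in a temporary location.

```python
import os
import stat
import tempfile

SENSITIVE_FILES = ("hostname", "private_key")  # file names listed in the message above

def hidden_service_dirs(torrc_text):
    """Return the directories named by HiddenServiceDir lines in a torrc."""
    dirs = []
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if len(parts) == 2 and parts[0].lower() == "hiddenservicedir":
            dirs.append(parts[1].strip())
    return dirs

def audit_dir(path):
    """Return (path, problem) findings; an empty list means owner-only access."""
    findings = []
    for target in [path] + [os.path.join(path, n) for n in SENSITIVE_FILES]:
        try:
            st = os.lstat(target)  # lstat: do not follow a symlink to another file
        except FileNotFoundError:
            findings.append((target, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((target, "is a symlink"))
        elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((target, "group/other access, mode %o" % stat.S_IMODE(st.st_mode)))
    return findings

def audit_torrc(torrc_text):
    return {d: audit_dir(d) for d in hidden_service_dirs(torrc_text)}

def demo():
    """Constructed sample: one owner-only directory, one with a world-readable key."""
    root = tempfile.mkdtemp()
    for name, key_mode in (("hs_ok", 0o600), ("hs_loose", 0o644)):
        d = os.path.join(root, name)
        os.mkdir(d, 0o700)
        for fname, mode in (("hostname", 0o600), ("private_key", key_mode)):
            p = os.path.join(d, fname)
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(p, mode)
    torrc = "".join("HiddenServiceDir %s\nHiddenServicePort 80 127.0.0.1:8080\n"
                    % os.path.join(root, n) for n in ("hs_ok", "hs_loose"))
    return audit_torrc(torrc)

if __name__ == "__main__":
    print(demo())
```
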