[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] hidden service on same location as public service

<juenca@xxxxxxxxx> wrote:
> i'm wonder if it makes any sense to allow users to access a public web server
> access normal at same time as hidden service on same machine?

- saves exit bandwidth
- will continue to work even if all exits are shut down
- exit policy/ports do not matter
- more diversity
- more legitimate hidden services
- Tor to Tor encryption is an alternative to SSL root CA's
- maybe: the server's ISP can not find out if the incoming/outgoing traffic is for the domain or from something else, i.e. a filesharing client over Tor

> The idea not about hiding the location of the server but protect user so
> server can't know where user comes from (yes, I can also disable logging)

Well, using a hidden service ensures that the server does not know the users IP, unless the user run some bogus setup like vanilla Firefox with Java/Flash. That's not so safe, since people can still connect insecurely using tor2web.

> Â
> the hidden service docs advise: make sure server isn't view-able on regular
> internet, but isnt' there still some use?

There is some use, see above.

That advice is to stay anonymous. Not everyone has this goal.

> Â
> also wondering if the use of hidden service like this will help fix problem
> of man-in-middle attacks on SSL like here:
> Â
> http://www.wired.com/threatlevel/2010/03/packet-forensics/
> Â
> actually, does Tor's encryption fall victim to this? if not, is HTTPS over
> hidden service redundant?

While SSL root CA's have been compromised at least twice in past (Comodo, DigiNotar), Tor's .onion have never been impersonated by breaking the encryption. Some argue .onion domains are to short (weak hash) and the encryption keys are to weak as well.

powered by Secure-Mail.biz - anonymous and secure e-mail accounts.

tor-talk mailing list