Re: Obfuscated URLs?
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Obfuscated URLs?
- From: Martin Fick <mogulguy@xxxxxxxxx>
- Date: Tue, 30 Jun 2009 13:34:45 -0700 (PDT)
--- On Tue, 6/30/09, Freemor <freemor@xxxxxxxxx> wrote:
> > I envision an onion encrypted URL along with the exact
> > path through tor (the three hops) also onion encrypted. This
> > would be similar to the way a client normally wraps requests through
> > tor, but the wrapping would happen up front and then the wrapper
> > would become the "Obfuscated URL" which could be handed off to
> > someone else obfuscating both the path through tor and the final
> > destination to the person receiving the "Obfuscated URL".
> >
> >
>
> An interesting idea. I see two possible problems with it.
> Firstly I'm not sure storing the route is useful. Due to the nature
> of Tor some relays may not be up all the time so having them hard
> coded in the URL could be a path to failure. Also I am not sure
> there would be any security advantage (other than possibly specifying
> the exit node to keep it in a friendly jurisdiction or something ..
> but this too has its potential problems (see next point).

Yes, I attempt to address the weak link idea in my reply
to the previous poster, however a suggestion to eliminate
this weak link is obviously desired.

In my scenario, the point of hard coding the path is to
obfuscate the final URL, how could this be done
differently? In this scenario, it requires all 3 nodes
to decrypt the final URL, one node by itself cannot,
this should provide the same protection that you get
today by surfing with tor, should it not?

> Secondly this idea seems more suited to malicious uses
> (obfuscated URL to exploit site/etc) than to the more
> dissident need for anonymity. (I could be wrong. I
> welcome some examples to get me thinking in the right
> lines.).

I don't see why this is more open to abuse than the
general tor network, could you explain your reasoning?

As for use cases, I envision that as a simple whistle
blower or reporter, I would post my content on various
free forums in an encrypted file and publish an
obfuscated URL and password to the content. This would
be a lot simpler publishing mechanism, especially with
helper programs potentially designed for this, or by
adding the encryption directly to tor (and the
password to the obfuscated URL) thus eliminating the
need for the extra password, than setting up and
maintaining a hidden service, and perhaps safer with
respect to protecting my own anonymity.

> One of the reasons I say this is that if the
> information is not running on a hidden server
> then it will most likely be found and shutdown.
> Since anyone that could use these URLs would need
> to have TOR installed and running I'm having a
> hard time seeing the advantage to this over a .onion
> URL. (Again I welcome examples)

Again, as I mentioned to the previous poster, I
could make several URLs to the same content posted
in different places, this completely eliminates
the single point of failure which a hidden service
does not. Of course, I could set up several hidden
services, but I think that you can see how that
would be much more complex than what I am
proposing.

Add the extra encryption layer mentioned in my
previous paragraph and I think that the content
could be as well, or better protected than
with a hidden service.

> Just my thoughts
Thanks for the feedback, :)
-Martin
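
Added example (not part of the original message, and not Tor's code): a sketch of the layered wrapping discussed in this thread, in which each of three relays can peel only its own layer and only the last one sees the URL. The relay names, the symmetric per-relay keys and the toy SHA-256 keystream with an HMAC tag are assumptions for illustration; a real design would encrypt each layer to the relay's public key with a vetted cipher.

```python
import hashlib, hmac, os

# Constructed demo path: (relay name, per-relay secret), entry first, exit last.
DEMO_PATH = [(n, hashlib.sha256(n.encode()).digest())
             for n in ("relayA", "relayB", "relayC")]

def _stream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream (illustration only, not a vetted cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer is not addressed to this relay")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(url, path):
    # Innermost layer (exit relay) holds the URL; each outer layer names the next hop.
    blob = seal(path[-1][1], b"URL\n" + url.encode())
    for i in range(len(path) - 2, -1, -1):
        blob = seal(path[i][1], b"NEXT\n" + path[i + 1][0].encode() + b"\n" + blob)
    return blob

def peel(key, blob):
    # One relay's view: either ("next", hop_name, inner_blob) or ("url", url, b"").
    kind, _, rest = unseal(key, blob).partition(b"\n")
    if kind == b"URL":
        return ("url", rest.decode(), b"")
    name, _, inner = rest.partition(b"\n")
    return ("next", name.decode(), inner)
```

Because the path is fixed when the blob is built, a relay that is offline or has rotated its key makes the whole obfuscated URL unusable, which is the failure mode raised in the quoted reply.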