
Re: Talks of hidden services and DNS



Hello HD,

I think that the only way it would work would be a first come, first
serve basis.  I do not think that authentication would be required,
although we could limit the number of domains per onion address so
that we do not have one user taking up 500,000 domains or something.
The registrar could also run a program to make sure that there
actually is a website (or server) running at the hidden onion address.
I think this way it would be too much hassle without any gain for
someone to destroy the DNS network.

The way that I see it, all of the current hidden servers would
quickly get a name that they choose, and then as new servers come on,
names should be readily available.

This all depends on how .onion addresses are assigned.  For example,
could one server have more than one .onion address?  Could it have
500?

And also, should the registrar servers drop .hidden.int. or .hidden.
domains after a week or so of not being able to contact the .onion.?

On 3/11/07, H D Moore <torspam@xxxxxxxxxxxxxx> wrote:
The tricky part will be deciding who is authoritative for the DNS records.
If any user can submit a name, what if it's already taken? Does it
overwrite, or is it first-come, first-serve? If it's distributed, then a
rogue operator could serve false responses for a target name. If this is
something that the Tor "core" would operate, it still needs some form of
authentication to manage/update/remove/etc.... and authentication seems
to be the exact opposite of what Tor is supposed to provide.

-HD

On Sunday 11 March 2007 21:10, Kasimir Gabert wrote:
> I do not see any major security holes that this would bring up. It
> seems to me like it would be the same as accessing google.com through
> Tor -- the DNS is looked up through Tor and so it would not be
> overridden by a malicious ISP or country.



--
Kasimir Gabert
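
A sketch of the registrar policy proposed in this message, added as an example and not part of the original thread: first come, first served registration, a per-onion name cap, a liveness probe, and expiry after a week without contact. The `Registry` class, the `probe` callable, the cap of 5 and the sample .onion names are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_NAMES_PER_ONION = 5          # assumed cap; the message gives no number
EXPIRY_SECONDS = 7 * 24 * 3600   # "a week or so" without contact


@dataclass
class Record:
    onion: str
    last_seen: float             # time of the last successful probe


class Registry:
    def __init__(self, probe):
        self.probe = probe       # hypothetical callable(onion) -> bool
        self.names = {}          # normalized name -> Record

    @staticmethod
    def _norm(name):
        # DNS names are case-insensitive; ignore a trailing root dot
        return name.lower().rstrip(".")

    def register(self, name, onion, now):
        name = self._norm(name)
        if name in self.names:
            return "taken"       # first come, first served: never overwrite
        # The cap is per address. It bounds one operator only if a server
        # cannot cheaply hold many addresses (the open question in the post).
        owned = sum(1 for r in self.names.values() if r.onion == onion)
        if owned >= MAX_NAMES_PER_ONION:
            return "quota"
        if not self.probe(onion):
            return "unreachable" # nothing answering at that address
        self.names[name] = Record(onion, now)
        return "ok"

    def sweep(self, now):
        """Re-probe every record; drop names unreachable for a full week."""
        dropped = []
        for name, rec in list(self.names.items()):
            if self.probe(rec.onion):
                rec.last_seen = now
            elif now - rec.last_seen >= EXPIRY_SECONDS:
                del self.names[name]
                dropped.append(name)
        return sorted(dropped)

    def resolve(self, name):
        rec = self.names.get(self._norm(name))
        return rec.onion if rec else None
```

Nothing here authenticates the registrant, so a record cannot be updated or removed by its owner; it can only lapse through `sweep`, which is the trade-off the quoted reply points at.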