Re: Example hidden service issue

[Mike Cardwell <tor@xxxxxxxxxxxxxxxxxx>]

* on the Sat, Mar 31, 2007 at 05:49:53PM +0100, Mike Cardwell wrote:

> That's exactly the way I should have described the issue in my original
> post. I didn't think I'd need to spell it out in so much detail. :)
> 
> If you assume that everyone that has set up a hidden service has done
> the google test as described in the documentation and hasn't then
> changed the onion address afterwards. Also assume that google logs the
> Host header, eg using apache common+host format and that they archive
> the logs. This gives google the ability to grep for an onion address and
> get the real ip of the hidden service if they're ever "asked" for it.

Further to this, there is still a problem even if you *do* change the
onion address after doing the test. The fact that google can see that
someone was testing setting up a hidden tor service from a particular IP
on a particular date is often going to be enough info to expose the
*probable* real location of a hidden service.

Mike