[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Example hidden service issue



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

>> That's exactly the way I should have described the issue in my original
>> post. I didn't think I'd need to spell it out in so much detail. :)

Was that me confusing everyone?! :( Sorry for that, my fault! The
descriptions above seem right to me.

>> If you assume that everyone that has set up a hidden service has done
>> the google test as described in the documentation and hasn't then
>> changed the onion address afterwards. Also assume that google logs the
>> Host header, eg using apache common+host format and that they archive
>> the logs. This gives google the ability to grep for an onion address and
>> get the real ip of the hidden service if they're ever "asked" for it.
> 
> Further to this, there is still a problem even if you *do* change the
> onion address after doing the test. The fact that google can see that
> someone was testing setting up a hidden tor service from a particular IP
> on a particular date is often going to be enough info to expose the
> *probable* real location of a hidden service.

These could indeed be new threats to hidden services; the first being
more threatening than the second. I could imagine that nobody has ever
thought about an untrustworthy (to be hidden) server, but only about all
the other untrustworthy nodes in the network. I assume I also need more
thinking on that... and more coffee...

Maybe it could help to switch steps one and two in the howto? First set
up the web server and try if it's available over http://localhost:5222,
and then make it available over Tor. Or is there a special reason for
this order that I overlooked?

Karsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGDpqy0M+WPffBEmURAqIdAJ91mYQp37R9vfW4IbJXPtTUF9twfwCfWlUK
ziM7iOR7SiSP3j2eaEQvR34=
=djF6
-----END PGP SIGNATURE-----