[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] How easy are Tor hidden services to locate?
-----BEGIN PGP SIGNED MESSAGE-----
On 06/03/13 20:00, Griffin Boyce wrote:
>>> Hidden services are definitely weaker than regular Tor
>>> circuits, a) because the adversary can induce them to speak,
>> Care to elaborate on that? You mean timing attacks (based on the
>> fact that hidden servers 'speak' to clients?) ? Or the owner of
>> the service leaking information about himself by mistake? Or?
> If a given service allows uploads, for example, it's frequently
> possible to then upload something to broadcast the server address.
> But if a server is unpatched, or someone has some Apache 0day
> they've been saving up, it's pretty easy to determine the location
> that way as well.
This is why ideally you'd run the hidden service from a machine that
doesn't know it's real IP, and has no way of figuring it out. Eg, use
a VM which has all of it's traffic transparently routed through Tor by
Of course, there may still be bugs in the virtualisation software that
allow an attacker to break out of the VM, but this is considerably
more secure than relying on the security of whatever PHP application
you're using on your website. Or you could just use two physical
machines instead of a VM, and hope there are no bugs in Tor its self.
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
tor-talk mailing list