
Re: [tor-talk] Introducing Torsion, hidden service IM with real-world ambition

On Mar 26, 2014, at 11:46 PM, Elrippo <elrippo@xxxxxxxxxxxxxxxxx> wrote:
> Hi John.
> Nice idea. Are you considering a package for Linux also, aka a tarball with installing instructions?

You can get a tarball from https://github.com/special/torsion/releases, and build instructions are at https://github.com/special/torsion#linux.

I will be looking into building some common Linux packages soon, too. If anyone wants to help with that, let me know.

I’ve also started taking translations via https://www.transifex.com/projects/p/torsion/ - more contributions there would be much appreciated.

On Mar 27, 2014, at 18:51:55 UTC, <michi1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> You are always announcing your online status. Also, others may be able to
> measure changes in the latency of your internet connection. Depending on your
> implementation they may even be able to measure your bandwidth.

(Sorry, your mail was lost to me and I had to recreate it from an archive. Censorship!)

Yes. This is an area with a lot of room for improvement. There are a few that come to mind immediately:

1) The HS address is static and public now, to accept contact requests. Using a different address for requests, or using basic HS auth with a specific key for requests, would allow you to choose when you’re exposed to people outside of your contact list. Reducing the set of potential attackers is a start.

2) It would be interesting to see research on how accurately bandwidth and latency measurements over hidden service circuits could be used to identify the peer’s connection/upstream/location. It would also be interesting to see an analysis of whether deliberately throttling traffic would help solve this.

It will probably always be possible to track the connectivity of your peer and use that (in conjunction with DoS outside of Tor) to confirm a guess at your peer’s identity. This seems like a problem inherent to realtime messaging; but with 1) it could at least be limited to known contacts only.

> Can you be simultaneously online with the same "account" on multiple devices
> (e.g. pc+mobile device)? You have only one hidden service address and where
> incoming messages are routed is up to chance.

No, which is why I haven’t put any work (yet?) into mobile. There has been some discussion of load balancing and multiple endpoints for hidden services; if those features were implemented, they might provide a path forward. Another option would be to have a persistent client somewhere to receive and forward your messages, similar to an IRC bouncer; that would do a better job of disguising where you’re connected from.

> That said, I guess it is still a nice design and it may be pretty hard to
> address these issues.

That’s what makes it interesting ;)


- John
