
Re: [tor-talk] Facebook brute forcing hidden services

Got it. What's the behavior when two services have the same .onion address?

On 31/10/14 13:50, Mike Cardwell wrote:
> You don't get to pick the ".onion" address. It is derived from the key
> you randomly generated.
> However, you can just keep generating keys over and over again until
> you get one that matches what you want. People have been doing this
> to choose their own prefixes for a while now, but this is the first
> time I've seen somebody generate a full string of their own choosing.
> If Facebook can do that, then so can GCHQ and NSA. And if they can
> do that, they can brute force a key which matches the .onion address
> of any existing hidden service. So they can then MITM hidden services.
> I don't think I'm being dramatic when I say this proves that Tor
> hidden services are now completely broken. I'd like somebody to
> show me that I'm wrong for some reason though...

David Rajchenbach-Teller, PhD
 Performance Team, Mozilla
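
Added example, not part of either message in this thread: how a 2014-era (v2) .onion name is derived from the service key, as the quoted message describes, and how the average number of keys to generate grows with each character one wants to fix. The key bytes and the key-generation rate are constructed values, and the function names are made up for this sketch.

```python
import base64
import hashlib

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
LABEL_LEN = 16  # 80 bits of hash, 5 bits per base32 character


def onion_v2_address(der_public_key: bytes) -> str:
    """v2 name: base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def expected_keys_for_prefix(prefix: str) -> int:
    """Average number of fresh keys generated before one's name starts with `prefix`."""
    if not 0 < len(prefix) <= LABEL_LEN or not set(prefix) <= B32_ALPHABET:
        raise ValueError("prefix must be 1-16 characters from a-z and 2-7")
    # Each character is 5 uniformly distributed bits, so p = 32 ** -len(prefix)
    # and the mean of the geometric distribution is 1 / p.
    return 32 ** len(prefix)


def years_at_rate(attempts: int, keys_per_second: float) -> float:
    """Wall-clock years needed for `attempts` key generations at a fixed rate."""
    return attempts / keys_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real DER-encoded key.
    sample_key = b"constructed-stand-in-for-a-DER-public-key"
    print(onion_v2_address(sample_key))
    rate = 1e9  # assumed keys per second, for illustration only
    for target in ("face", "facebook", "a" * LABEL_LEN):
        n = expected_keys_for_prefix(target)
        print(f"{len(target):2d} chars: 2^{n.bit_length() - 1} keys, "
              f"{years_at_rate(n, rate):.3g} years at {rate:.0e} keys/s")
```

Fixing 8 characters costs about 2^40 key generations on average, while fixing all 16 costs about 2^80, a factor of 2^40 more.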
