
Re: The best way to run a hidden service: one or two computers?



On Mon, 20 Sep 2010 11:00:41 -0400
Gregory Maxwell <gmaxwell@xxxxxxxxx> wrote:

> On Fri, Sep 17, 2010 at 10:41 PM, Robert Ransom <rransom.8774@xxxxxxxxx> wrote:
> > If your hidden service really needs to be annoying to find, run it:
> >
> > * using only well-written, secure software,
> > * in a VM with no access to physical network hardware,
> > * on a (physical) computer with no non-hidden services of any kind
> >   running on it (so that an attacker can't use Dr. Murdoch's “Hot or
> >   Not” clock-skew detection attack),
> > * and over a fast enough Internet connection that the adversary cannot
> >   easily determine your connection's speed.
> 
> I think you've missed some points.
> 
> * The (Virtual) machine running the hidden service should probably
> also have no _outbound_ network connectivity except via tor.
> 
> This is because it can be even easier to trick a software on a server
> into making a network connection than it is to remotely compromise the
> server. E.g. your GNU/Linux distribution may have installed some extra
> CGIs in your webserver that you are unaware of...

Yes.  I knew that, and forgot to mention it (at least in that list).

These defenses, and the attacks they are intended to block, need to be
written up in a (hidden?) wiki article, so people setting up sensitive
hidden services can read all of them in one place.

> And here is a potentially controversial suggestion, let's see what
> others say about it:
> 
> * You should run your hidden service behind tor bridges rather than
> directly connecting to the tor network.
> 
> The rationale for this suggestion is that it may make it more
> difficult for a network observer to enumerate a list of tor clients in
> order to apply things like the clock-skew attack or subject them to
> additional network surveillance.

No.  An attacker *will* find your entry guards (see
<http://freehaven.net/anonbib/date.html#hs-attack06>); you want them to
have as many clients as possible, so that you still have some chance of
getting lost in the crowd.


> > The above precautions are probably enough, unless a three-letter agency
> > (or four-letter association) knows about your hidden service and wants
> > to find and “neutralize” its operator.  In that case, you have to worry
> > about the near-global passive adversary and other threats that Tor
> > can't afford to defeat.
> 
> I fear that you're overstating the security provided.
> 
> For example, I think that if you managed to piss off the ISP community
> vigilantes that go after spammers and botnets that they would have a
> decent chance of tracking you down in spite of your efforts to stay
> hidden.

Probably.  The first time I read the Murdoch-Zieliński paper
<http://freehaven.net/anonbib/date.html#murdoch-pet2007>, I didn't
notice that someone was actually planning to use the sFlow data to
locate spammers.  


Robert Ransom

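Added example, not part of the original message and not code from the Tor project: one way to check the "no outbound connectivity except via Tor" rule discussed in the thread, by auditing the OUTPUT chain of an `iptables-save` dump. It assumes Tor runs on the same (virtual) machine under its own account; the uid 107, the chain name WEBAPP and both sample rulesets are constructed for illustration.

```python
import shlex

# Constructed iptables-save samples (not from the thread); uid 107 is an
# assumed uid for the Tor daemon's account.
LOCKED_DOWN = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
COMMIT
"""
LEAKY = """*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT ! -o lo -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -j WEBAPP
COMMIT
"""

def has_opt(args, opt, value):
    """True if `opt value` appears in the rule and is not negated with '!'."""
    return any(a == opt and args[i + 1] == value and (i == 0 or args[i - 1] != "!")
               for i, a in enumerate(args[:-1]))

def audit_egress(ruleset, tor_uid="107"):
    """Return findings for the filter/OUTPUT chain; [] means only loopback
    and the Tor uid may originate traffic."""
    findings, table, policy = [], None, None
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table == "filter" and line.startswith(":OUTPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A OUTPUT "):
            args = shlex.split(line)
            target = args[args.index("-j") + 1] if "-j" in args else None
            if target in ("DROP", "REJECT", "LOG"):
                continue  # these never let a packet out
            if target != "ACCEPT":
                # jump to a user chain (or no -j at all): not followed here
                findings.append(f"unaudited target: {line}")
            elif not (has_opt(args, "-o", "lo")
                      or has_opt(args, "--uid-owner", tor_uid)):
                findings.append(f"non-Tor egress allowed: {line}")
    if policy != "DROP":
        findings.append(f"OUTPUT policy is {policy}, expected DROP")
    return findings
```

IPv6 has its own ruleset (`ip6tables-save`) and needs the same check.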