[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Dutch police break into webservers over hidden services
On 01.09.2011 13:24, Roger Dingledine wrote:
> Several people have asked us on irc about recent news articles like
> Apparently the Dutch police exploited vulnerabilities in the webservers
> reachable over the hidden services. Some people are confusing this issue
> with an attack on Tor. Tor just transports bytes back and forth. If you
> have an instant messaging conversation with a Tor user and convince her
> to tell you her address, did you break Tor? Having an http conversation
> with a webserver running over a Tor hidden service, and convincing it
> to tell you its address, is not much different.
> So what lessons can we learn here, other than the usual "criminals
> are not as smart as your average bear"? (If only we could count on bad
> people to run insecure software, and good people to secure their software
> correctly, the world would be a much simpler place.) One lesson is that
> there are a lot of non-Tor components that can go wrong in keeping a
> hidden service hidden -- just as we have a laundry list of security
> and privacy issues to consider when using Tor as a normal client (at
> the bottom of https://www.torproject.org/download/download.html.en )
> there's a whole other set of issues, mostly unexplored, for hidden
> service operators to keep in mind:
> tor-talk mailing list
Very intresting what is the vulnerabilities they used for breaking systems?
In the lite of that facts I don't know what I need to advice my clients
- setting up hidden services on their home computers or on overseas
vdses? (My clients are not providers of child pornography but they are
fighters with tyrannical regim).
The first method is the best from the point of view of information
defense but the second method is the best for defense of persons of
operators of that services...
tor-talk mailing list