
Re: [tor-talk] Onioncat and Tor Hidden Services V3



On 13.09.19 00:27, grarpamp wrote:
> On 8/20/19, Bernhard R. Fischer <bf@xxxxxxxxxxxxxxxx> wrote:
>> I finally wrote a HOWTO on using OnionCat with v3 hidden services. I
>> also did some patches to OnionCat to have a better integration.
>>
>> https://www.onioncat.org/2019/08/onioncat-and-tor-hidden-services-v3/
> Thanks.
>
> Rather than tor killing off v2 onions and HSDirs from the
> codebase, thus ending all the good useful carefully chosen
> and even required reasons people still use v2 and onioncat
> (some of which can be found by searching list archives
> for onioncat, P2P, VoIP, add more uses here)...


The article shows that it is possible to use OnionCat with HSv3,
although v3 kills the full automatic addressing method.

For having a full automatic addressing (i.e. association between v3-id
and IPv6) some kind of lookup mechanism is necessary. Although this
could theoretically be managed by DNS, this is NOT a solution because of
the well-known DNS leakage problem (and because the private network's
reverse delegations are not globally registered and would need some
workaround).

IMO a solution could be a HSv3-HSv2 compatibility system within the HS
directory; let's call it HSv23.

I propose to create HSv23 entries in the HS dir, which are almost the
same as HSv2 but with an additional field including the HSv3-id and the
signature is created by the HSv3 key. The index (i.e. the onion-id) of
the HSv2a entry is an 80 bit truncated HSv3 id.

The lookup then works as follows:

1. Convert IPv6 to onion-id (80 bit)
2. Retrieve the HSv23 entry of the HS dir
3. Retrieve the HSv3 entry
4. Check signatures of HSv23 and HSv3 entry
5. Connect to HSv3 service

Recently, I also wrote a Security Considerations article on OnionCat
which also includes a short discussion of the Hsv2/Hsv3 security in
respect to OnionCat:
https://www.onioncat.org/2019/08/onioncat-security-considerations/

Best regards,
Bernhard




-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
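
The lookup proposed in the message above, sketched as an added example (not OnionCat's code and not part of the original post). Assumptions: the 80-bit index is the first 10 bytes of the v3 public key, a dict stands in for the HS directory, and a truncation comparison stands in for the signature checks of step 4; `fd87:d87e:eb43::/48` is OnionCat's IPv6 prefix.

```python
import base64, hashlib, ipaddress

PREFIX = ipaddress.IPv6Network("fd87:d87e:eb43::/48")  # OnionCat's ULA prefix

def v3_address(pub):
    """Build a v3 onion address from a 32-byte ed25519 public key."""
    chk = hashlib.sha3_256(b".onion checksum" + pub + b"\x03").digest()[:2]
    return base64.b32encode(pub + chk + b"\x03").decode().lower() + ".onion"

def v3_pubkey(onion):
    """Decode a v3 address and verify its version byte and checksum."""
    raw = base64.b32decode(onion[:-len(".onion")], casefold=True)
    if len(raw) != 35 or raw[34] != 3:
        raise ValueError("not a v3 onion address")
    if v3_address(raw[:32]) != onion.lower():
        raise ValueError("bad v3 checksum")
    return raw[:32]

def truncated_id(onion):
    """Assumption: the 80-bit index is the first 10 bytes of the v3 key."""
    return base64.b32encode(v3_pubkey(onion)[:10]).decode().lower()

def id_to_ipv6(onion_id):
    low = int.from_bytes(base64.b32decode(onion_id, casefold=True), "big")
    return ipaddress.IPv6Address(int(PREFIX.network_address) | low)

def ipv6_to_id(addr):
    """Step 1: the low 80 bits of the OnionCat address, base32-encoded."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in PREFIX:
        raise ValueError("not an OnionCat address")
    low = int(addr) & ((1 << 80) - 1)
    return base64.b32encode(low.to_bytes(10, "big")).decode().lower()

def resolve(addr, directory):
    """Steps 1-3 plus a truncation check (stand-in for step 4's signatures)."""
    onion_id = ipv6_to_id(addr)
    v3 = directory[onion_id]            # KeyError if no entry exists
    if truncated_id(v3) != onion_id:    # answer must bind to the queried index
        raise ValueError("v3 id does not match the 80-bit index")
    return v3

# Constructed sample data: two made-up keys and an in-memory "directory".
ALICE = v3_address(bytes(range(32)))
OTHER = v3_address(bytes(range(1, 33)))
DIRECTORY = {truncated_id(ALICE): ALICE}
ALICE_IP = id_to_ipv6(truncated_id(ALICE))
```

The IPv6 address carries only 80 of the key's 256 bits, so the full v3 id has to come back from the directory and be checked against the index that was queried.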