[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposition: Applying an AONT to Prop224 addresses?

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposition: Applying an AONT to Prop224 addresses?
From: Roger Dingledine <arma@xxxxxxx>
Date: Mon, 3 Apr 2017 13:50:31 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 03 Apr 2017 13:50:47 -0400
In-reply-to: <20170403144826.GA28540@thunk.cs.uwaterloo.ca>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAFWeb9+Z8BvVvxsDNsCVZ5YJx3id+fLdefcT0_u+hzcvJhftnA@mail.gmail.com> <20170326201958.GU28540@thunk.cs.uwaterloo.ca> <20170326204218.GX28540@thunk.cs.uwaterloo.ca> <CAFWeb9J-Hozkh4uzMYfM+-4V2tShH1+xT5nBf=kCpL4UNzZtAQ@mail.gmail.com> <20170327055942.GY28540@thunk.cs.uwaterloo.ca> <20170327085834.GZ28540@thunk.cs.uwaterloo.ca> <87zifxd7ds.fsf@riseup.net> <CAFWeb9JjchfFC+wivmTy6gb8cAokhqrrTGo=UEH9ZdnwCDpfeQ@mail.gmail.com> <20170403144826.GA28540@thunk.cs.uwaterloo.ca>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.20 (2009-12-10)

On Mon, Apr 03, 2017 at 10:48:26AM -0400, Ian Goldberg wrote:
> The other thing to remember is that didn't we already say that
> 
> facebookgbiyeqv3ebtjnlntwyvjoa2n7rvpnnaryd4a.onion
> 
> and
> 
> face-book-gbiy-eqv3-ebtj-nlnt-wyvj-oa2n-7rvp-nnar-yd4a.onion
> 
> will mean the same thing?

Did we? I admit that I haven't been paying enough attention to anything
lately, but last I checked, we thought that was a terrible idea because
people can make a bunch of different versions of the address, and use
them as tracking mechanisms for users. (For example, I put two versions
of the same address on my two different pages, and now when somebody goes
to that onion address, I can distinguish which page they came from. In
the extreme versions of this idea, I give a unique version of my address
to the target, and then I can spot him when he uses it.)

Ultimately the problem is that the browser is too good at giving away
the hostname that it thinks it's going to -- in various headers, in
cross-site isolation, etc etc.

So, if we have indeed decided to allow many versions of format for
onion addresses, I hope we thought through this attack and decided it
was worth it. :)

--Roger

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- Re: [tor-dev] Proposition: Applying an AONT to Prop224 addresses?
  - From: George Kadianakis
- Re: [tor-dev] Proposition: Applying an AONT to Prop224 addresses?
  - From: Alec Muffett
- Re: [tor-dev] Proposition: Applying an AONT to Prop224 addresses?
  - From: Ian Goldberg

Prev by Author: [tor-dev] Thoughts on the Counter-RAPTOR paper
Next by Author: Re: [tor-dev] Anonymous Local Count Statistics Using PCSA - GSoC
Previous by thread: Re: [tor-dev] Action items wrt ed25519 onion address verification in prop224 (was Re: Proposition: Applying an AONT to Prop224 addresses?)
Next by thread: Re: [tor-dev] ***SPAM*** Re: Proposition: Applying an AONT to Prop224 addresses?
Index(es):
- Author
- Thread