I believe the danger Alec was wanting to avoid was that someone (not the
onion service owner) could take an existing onion address, bump the
version number (which wouldn't change the vanity beginning of the
address), and upload the very same descriptor to the resulting blinded
address (under the new version number). Then the modified address would
work just like the original.
do we want to be teaching users that:
--- eh2tndsmiher4dqv266z5ii2xkt6brx2llwliq3jim233e5c5bc5, and --- eh2tndsmiher4dqv266z5ii2xkt6brx2llwliq3jim233e5d5bc5 ...are actually the same thing, but if and only if they differ in the N-5'th character?
… up front I'll just say that my perspective of this class of threat comes from observations like
a) people are creative, and if you give them malleability they will use it to create onion addresses including embedded "poop-emoji" and the like.
b) people generalise, so that having learned that $SOME_CHARACTER in an onion address is malleable, they will assume that most/all of them are and subsequently fall for phishing attacks.
c) people are, as a group, given the entire Tor prop224 ecosystem, infinitely more creative than I can be at finding ways to exploit it, therefore it makes sense to screw down the crypto to present as small an attack surface as possible.
An old programmer maxim is that one should provide for Zero, One, or an Infinite number of any resource.
Since we do not desire an infinite number of representations of an onion address (per Roger) - and zero would not be useful, we should shoot for one, and only one.
Not a cryptographic argument, but I think it's a human one. :-)
As mentioned elsewhere in the thread, this is solved if that descriptor
contains (under the signature by the "master" onion key) the actual
onion address you were expected to use to get there. Does it? If so,
I think we don't have to worry about this problem at all.
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev