[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Isn't it time to ADMIT that Tor is cracked by now??
Tor is very secure software but its time we redesign hidden services to be
faster and more secure. We should bundle a hidden service server which
won't connect to the internet except through Tor and only knows it's Tor IP
address.
On Aug 25, 2013 7:58 PM, "Roger Dingledine" <arma@xxxxxxx> wrote:
> On Sun, Aug 25, 2013 at 05:05:26PM -0400, hikki@xxxxxxxxxxxxx wrote:
> > The US feds did actually take down FH, which was a HIDDEN SERVICE! They
> > found it and arrested the admin! Period!
>
> Reminds me of my response when in 2011 some Dutch police broke into
> a hidden service:
> https://lists.torproject.org/pipermail/tor-talk/2011-September/021198.html
>
> "If you have an instant messaging conversation with a Tor user and
> convince her to tell you her address, did you break Tor? Having an
> http conversation with a webserver running over a Tor hidden service,
> and convincing it to tell you its address, is not much different."
>
> We don't know in this case if they did it through exploiting the software
> running on the other end of the hidden service, or by the old "follow
> the money" trick, or by having an insider provide the info, or what.
>
> It could in fact have been by attacking the Tor protocol directly (see
> below). But I think in many cases, even with the various known weaknesses,
> the above "just bypass Tor and attack them in other ways" approaches
> are even easier. (This observation should scare you more, not less.)
>
> The fact that somebody started serving malware on the various hidden
> services:
>
> https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable
> makes me think that they got in via the software running the webserver.
> I mean, heck, I heard he let strangers run php scripts in his webserver.
>
> For another case of a hidden service being compromised, see
> https://blog.torproject.org/blog/trip-report-october-fbi-conference
> The summary sentence there is "Way before they switched to a Tor hidden
> service, the two main people used Hushmail to communicate."
>
> > If they can find hidden services, finding regular tor clients would be
> even
> > easier!
>
> This part is unfortunately (well, ok maybe fortunately, but either
> way) false. Hidden services are weaker than normal Tor circuits for two
> reasons: a) they stay in the same place over time, and b) you, the user,
> can choose how often they make circuits. These two properties combine
> to produce a variety of other problems. I described some of them briefly
> in the 29c3 talk this past December, but see
> https://blog.torproject.org/blog/hidden-services-need-some-love for
> many more details, including references to academic papers on the topic.
>
> --Roger
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsusbscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk