
Re: [tor-talk] Risks of using custom .onion addresses



BM-2D8jTRi23DYth7WhMALDHSVhdFWP91ZcqA@xxxxxxxxxxxxx writes:

> Hi,
>
> I'm wondering how safe it is to use custom hidden service names (.onion).
> I'm not asking this for public hidden services but for private ones (only
> for myself or for friends). Using an easy to remember address just for
> using TorChat could be a good example. Or it could be a personal cloud on
> a hidden service.
>
> I'm actually wondering who, and how many people/servers, know/learn about
> my hidden service name; this is necessary to connect to a hidden service,
> right? Can they be trusted or not?
>
> Some specific examples for my question could be, myrealnamexxxxxx.onion
> homeaddressxxxxx.onion mycitynamexxxxxx.onion etc. which I'm asking, is it
> ok for the "private" addresses to contain such risky information?
>
> Another question is, let's say I create and use some custom addresses
> where each contain the same prefixes (or suffixes or simply have any
> connection) like customnameasdasd.onion customname123123.onion
> customname123456.onion etc. Can anybody notice that some people are using
> some probably related custom .onion addresses at some certain times? Is
> this kind of usage risky?
>
> There might be more examples about the risks of using custom addresses.
> Please answer in detail as this could be useful for many people.

Greetings,

with the current Hidden Service protocol, your onion address is leaked
to a small number of Tor relays -- specifically, your onion address is
leaked to the HSDirs that host and serve the descriptor of your Hidden
Service (that's 6 HSDirs per time period, and they rotate every few
hours).

If your threat model includes those HSDirs being malicious (which
should probably be the case), then I would advise you to not do stuff
like homeaddressxxxxx.onion.

For what it's worth, there has recently been some discussion on
plugging that leak. You can find more information in:
https://lists.torproject.org/pipermail/tor-dev/2013-August/005280.html
https://trac.torproject.org/projects/tor/ticket/8106

cheerio!
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
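
Added example (not part of the original message and not Tor's own code): a Python illustration of the leak described in the reply, using the v2 hidden service formulas from Tor's rend-spec. A v2 descriptor carries the service's public key, so any HSDir storing it can derive the .onion name, vanity prefix included. The function names and the sample key bytes are this example's own assumptions.

```python
import base64
import hashlib
import struct

PERIOD = 86400            # descriptor IDs are recomputed once per 24 h period
REPLICAS = 2              # two descriptor replicas per service
HSDIRS_PER_REPLICA = 3    # each replica is stored on 3 consecutive HSDirs

def permanent_id(pubkey_der: bytes) -> bytes:
    """First 80 bits of SHA-1 over the service's public key."""
    return hashlib.sha1(pubkey_der).digest()[:10]

def onion_address(pubkey_der: bytes) -> str:
    """What any holder of the descriptor (e.g. an HSDir) can derive from it."""
    return base64.b32encode(permanent_id(pubkey_der)).decode().lower() + ".onion"

def time_period(pid: bytes, now: int) -> int:
    """Period counter; the first ID byte staggers rollover between services."""
    return (now + pid[0] * PERIOD // 256) // PERIOD

def descriptor_ids(pid: bytes, now: int, cookie: bytes = b"") -> list:
    """descriptor-id = H(permanent-id | H(time-period | cookie | replica))."""
    tp = struct.pack(">I", time_period(pid, now))
    ids = []
    for replica in range(REPLICAS):
        secret_part = hashlib.sha1(tp + cookie + bytes([replica])).digest()
        ids.append(hashlib.sha1(pid + secret_part).digest())
    return ids

def hsdir_view(pubkey_der: bytes, now: int) -> dict:
    """Summary of what is exposed, and to how many directories, per period."""
    pid = permanent_id(pubkey_der)
    return {
        "address": onion_address(pubkey_der),
        "descriptor_ids": [d.hex() for d in descriptor_ids(pid, now)],
        "hsdirs_holding_descriptor": REPLICAS * HSDIRS_PER_REPLICA,
    }

# Constructed placeholder bytes standing in for a DER-encoded RSA public key.
SAMPLE_KEY = b"constructed-sample-public-key"

if __name__ == "__main__":
    print(hsdir_view(SAMPLE_KEY, 1_380_000_000))
```

Because the address is a pure function of the key in the descriptor, nothing placed in a vanity name stays private from the directories that store it.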