Re: [tor-talk] Tor official list of new .onion addresses?
- To: tor-talk@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-talk] Tor official list of new .onion addresses?
- From: s7r <s7r@xxxxxxxxxx>
- Date: Mon, 3 Dec 2018 23:35:20 +0200
- In-reply-to: <CAKNc95GxpenNydH=ebtbr=jQTtRX9jBkJrTpwZb75kJC7aXLUQ@mail.gmail.com>
- References: <7acae6c647e93a409625eab301ab48b2@cock.li> <CAKNc95GxpenNydH=ebtbr=jQTtRX9jBkJrTpwZb75kJC7aXLUQ@mail.gmail.com>
Hello,
Nathaniel Suchy wrote:
> Consider the consequences of publishing the actual addresses. The number of
> addresses is fine but the actual addresses should stay private for privacy
> and security reasons.
>
> I’m aware there are crawlers looking for new services to show however if the
> address is kept private only rogue HSDIRs are an issue and we can always
> generate new addresses and delete the old keys.
>
> I am running some Onion Services for SSH (clearnet disabled, you’ll need to
> be physically present if Tor has an issue!) and while I require SSH Keys
> it’d open a huge attack surface I’m trying to avoid. It’s basically an
> attempt at security by really advanced obscurity.
>
Relying on the fact that nobody can ever learn the onion addresses you
have is a terrible security policy. This can never be guaranteed, as
relays are public and anyone can run one, thus becoming a hidden service
directory as soon as it meets the necessary flags.
You should be prepared and assume the onion address is known, thus
defend with ssh keys instead of weak passwords, possibly even change the
default port (this does not add security but bypasses some automated
brute force tools; it's no help for a targeted manual attack so don't rely
on it either).
There are other techniques lower at little-t-tor protocol level that
suit your concerns, like HiddenServiceAuthorizeClient - you should
better look into those if you are concerned about someone trying to
connect to your onion address. These are neat for some services that
need privacy and need to not advertise to unauthorized users
that they are online up and running, or only allow limited access to some
users that provide additional credentials or auth material other than
just knowing the onion address.
Onion addresses have the purpose of concealing the physical (IP) location
of the service, but the addresses themselves have to be prepared to be
known to the world, for a strong security policy. Tor documentation
clearly states this.
If you open ssh on an onion address and you allow root login with
password "1234" IT IS NOT Tor's FAULT YOU WERE PWNED. It is just a
terrible security policy. Do not do this.
*Hope for the best, prepare for the worst!*
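The two controls the reply points to, shown together as an added illustration that is not part of the thread: a torrc for a v2 onion service (the kind HiddenServiceAuthorizeClient applies to; v3 services use the authorized_clients directory instead) beside the sshd_config settings that keep the listener safe once the address is known. The directory path, client names and port are assumptions.

```conf
# --- torrc on the server (added example; v2 service, as HiddenServiceAuthorizeClient requires) ---
HiddenServiceDir /var/lib/tor/ssh_onion/      # assumed path
HiddenServiceVersion 2
HiddenServicePort 22 127.0.0.1:22             # onion port 22 -> local sshd
# Clients must present an auth cookie. "stealth" also keeps the descriptor
# unreadable without it, so the service does not even look "up" to outsiders.
HiddenServiceAuthorizeClient stealth laptop,phone   # client names are assumed

# After restart, tor writes one line per client into HiddenServiceDir/hostname;
# each client copies its own line into its local torrc, in the form:
#   HidServAuth <address>.onion <cookie> # client: laptop
# (address and cookie are generated by tor; placeholders here)

# --- /etc/ssh/sshd_config: the weak setup the reply warns against, then the fix ---
# Weak (root + password over an "unknown" address):
#   PermitRootLogin yes
#   PasswordAuthentication yes
# Hardened: key-only, no root, and listen only where tor forwards to
ListenAddress 127.0.0.1
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# Caveat: every onion client reaches sshd from 127.0.0.1, so IP-based ban
# tools would lock out all clients at once; keys, not ban lists, carry this.
```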