* on the Fri, Oct 31, 2014 at 01:44:46PM +0100, David Rajchenbach-Teller wrote: >> tl;dr You can now log into facebook via a Hidden Service. >> >> -T > > That's the part I understood. The part I didn't understand is how this > is related to bruteforcing. You don't get to pick the ".onion" address. It is derived from the key you randomly generated. However, you can just keep generating keys over and over again until you get one that matches what you want. People have been doing this to choose their own prefixes for a while now, but this is the first time I've seen somebody generate a full string of their own choosing. If facebook can do that, then so can GCHQ and NSA. And if they can do that, they can brute force a key which matches the .onion address of any existing hidden service. So they can then MITM hidden services. I don't think I'm being dramatic when I say this proves that Tor hidden services are now completely broken. I'd like somebody to show me that I'm wrong for some reason though... -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Attachment:
signature.asc
Description: Digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk