On 23 Oct 2015 23:10, "Philipp Winter" <[email protected]> wrote:
>
> The Tor network uses self-authenticating names for onion services, e.g.,
> 3g2upl4pq6kufc4m.onion. These onion domains are difficult to recognise
> and remember, which is one reason why some onion service providers
> started generating vanity domains. The idea is to keep generating key
> pairs until the hash's prefix contains a desirable string. Facebook got
> a pretty good one with facebookcorewwwi.onion.
>
> Attackers have now started to impersonate onion services by generating
> onion domains whose prefix resembles the original. An example is
> DuckDuckGo's search engine:
>
> Original:      3g2upl4pq6kufc4m.onion
> Impersonation: 3g2up5afx6n5miu4.onion
>                ^^^^^
>
> Users who encounter an impersonated onion domain might mistakenly assume
> it's the original because they recognise the prefix. I worry that this
> kind of phishing attack is particularly effective against vanity onion
> domains because they might incentivise users disproportionately to only
> verify the easily recognisable prefix.
>
> As a result, I wonder if vanity onion domains raise more problems than
> they solve. Should onion domain generation be made deliberately slow to
> render vanity onion domains and phishing attacks impractical? Should we
> provide browser-based tools to manage onion domains instead of treating
> them like normal, memorable domains?
>
> Thoughts?
They're representations of public keys. Treat them like all other representations of public keys. Don't expect the user to remember them exactly. Use bookmarks, phishing-protected authentication (U2F / UAF), be careful with your sources.

- Sent from my tablet
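To make the mechanism in the thread concrete, here is an added example (not code from either poster, nor Tor's own code) of how a v2 onion address is derived from an RSA public key, why a "vanity" address and an impersonating address come out of the same brute-force loop, and what the difference is between the prefix check a user actually performs and the full-string check that binds the name to the key. It assumes the v2 scheme: the address is the first 80 bits (16 base32 characters) of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey. Real Tor v2 keys are 1024-bit RSA; the demo generates small keys (the `bits` parameter is a demo setting) so the search finishes in seconds. The DuckDuckGo addresses are the ones quoted in the post; everything else (function names, key sizes) is an assumption of the example.

```python
"""Added example, not from the thread or from Tor: v2 onion address derivation,
vanity/impersonation search, and prefix-vs-full comparison."""
import base64
import hashlib
import secrets

# Assumption: v2 addresses are base32(SHA-1(DER(RSAPublicKey)))[:16], lower-case.
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
SMALL_PRIMES = [p for p in range(3, 1000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n, rounds=16):
    """Miller-Rabin after trial division by small primes."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa_public(bits=256, e=65537):
    """Return (n, e). bits is a demo parameter; Tor v2 used 1024-bit keys."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e is prime, so this is gcd==1
            return (p * q, e)


def der_length(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def onion_address(pub):
    """First 80 bits of SHA-1 over the DER key, base32, lower-case: 16 characters."""
    n, e = pub
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode().lower()


def find_address_with_prefix(prefix, bits=256, max_tries=100000):
    """Vanity generation and impersonation are the same loop: generate keys until
    the address starts with the wanted prefix. Expected cost ~ 32**len(prefix)."""
    for tries in range(1, max_tries + 1):
        pub = generate_rsa_public(bits)
        addr = onion_address(pub)
        if addr.startswith(prefix):
            return pub, addr, tries
    raise RuntimeError("no match within max_tries")


def prefix_match(expected, observed, n=5):
    """What a user who recognises only the vanity prefix is effectively checking."""
    return observed[:n] == expected[:n]


def exact_match(expected, observed):
    """The only check that binds the name to the key: all 16 characters."""
    return observed == expected


if __name__ == "__main__":
    pub, addr, tries = find_address_with_prefix("a", bits=128)
    print(f"{addr}.onion after {tries} keys (prefix 'a')")
    real, fake = "3g2upl4pq6kufc4m", "3g2up5afx6n5miu4"   # from the post
    print("prefix check:", prefix_match(real, fake), " full check:", exact_match(real, fake))
```

Because the address is a truncated hash of the key, nothing short of comparing all 16 characters (or better, a bookmark or an authenticator that does the comparison for you) distinguishes the original from an address an attacker brute-forced to share its first few characters; each additional matching character costs the attacker only a factor of 32 more keys.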
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
