Re: [tor-talk] Warning: 37 new booby trapped onion sites
Juha, thank you for identifying the real and fake sites. This re-raises the question, when you get a URL from somewhere, how do you know it's the real one? Which upon further thought requires definition of "the real one." If two guys on the internet both claim to be John Doe, how is it possible to know which one is the real John Doe, or is there more than one, etc. If directories such as https://thehiddenwiki.org are going to publish .onion URL's, it would be useful to also publish user-verifiable information on why they believe it's the valid one. For example, it's been pointed out here, that you can search duckduckgo for their hidden URL on the regular internet. In which case, you're placing trust in the CA. (An attacker who can impersonate https://duckduckgo.com could feed you a fake result in order to add validity to the fake URL they've published on some site like thehiddenwiki). If somebody hosts a dark website, that doesn't have a verifiable external way to lookup their URL, then the only way you can verify them is to talk with a bunch of other people, web-of-trust style. Which also has a bunch of ways it can be undermined. In any event, Juha, in your list, how do you know which ones are real and fake? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] onion routing MITM
26. Jan 2016 18:37 by a55de...@opayq.com: > A CA will not validate a '.onion' address since it's not an official TLD > approved by ICANN. > I understand that. > The numbers aren't random. From Wikipedia: > "16-character alpha-semi-numeric hashes which are automatically generated > based on a public key <> https://en.wikipedia.org/wiki/Public_key> > when a > hidden > service > <> https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_services> > > is > configured. I also know what asymmetric keys and hashes are. The question is: From a user perspective, http://3g2upl4pq6kufc4m.onion just looks like random characters. (And in fact, if it's a hash of a public key, which was originally randomly generated, then indeed these *are* random characters). You obviously don't want to memorize a domain name such as this, and as a human, you're very bad at recognizing the difference between http://3g2upl4pq6kufc4m.onion and http://xmh57jrzrnw6insl.onion What prevents a person from registering a new .onion site, such as http://laobeqkdrj7bz9pq.onion and then relaying all its traffic to http://3g2upl4pq6kufc4m.onion, and trying to get people to believe that *they* are actually the duckduckgo .onion site? When you see a link like http://3g2upl4pq6kufc4m.onion somewhere on the web (such as thehiddenwiki.org) why would you believe it's the real URL that duckduckgo created, and not somebody doing a MITM? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] onion routing MITM
I'm new to tor, trying to understand some stuff. I understand the .onion TLD is not an officially recognized TLD, so it's not resolved by normal DNS servers. The FAQ seems to say that tor itself resolves these, not to an IP address, but to a hidden site somehow. When I look at thehiddenwiki.org, I see a bunch of .onion sites, with random looking names. Why is this? What if someone at thehiddenwiki.org registered a new .onion site (for example http://somerandomletters.onion), which then relayed traffic to duck-duck-go (http://3g2upl4pq6kufc4m.onion)? Thehiddenwiki could give me the link http://somerandomletters.org, and of course I would never know the difference between that and http://3g2upl4pq6kufc4m.onion Without trusting a CA to validate a site name, what prevents MITM attacks? Am I supposed to get the duckduckgo URL from a trusted friend of mine, and then always keep it? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk