[tor-dev] Tor HS keys password protection against impersonation attacks?

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun Mar 18 11:44:11 UTC 2012


On 3/18/12 3:34 AM, Jacob Appelbaum wrote:
>> That way, even in case of seizure of the server running the Tor HS,
>> it would not be possible for whoever seized the Tor HS server to actively
>> carry out impersonation attacks on the Tor HS.
> 
> I think that's a great idea but also a UI nightmare; for servers, I
> think arm would need to support entering the key and for desktops, I
> think Vidalia is the obvious target. 

Well, for servers it could also be possible to start by implementing
something simpler, such as a password inquiry on stdin like Apache does.

That way the "core functionalities" of the Tor HS password protection may
be implemented and get used, while delegating to a second stage the
opportunity to unlock the key via the Tor ControlPort for better UI integration.

-naif

