[tor-dev] Hidden Service authorization UI

Gareth Owen gareth.owen at port.ac.uk
Mon Nov 10 10:27:15 UTC 2014


It is verifiable.  In authenticated hidden services, the introduction
points are first encrypted and then base64 encoded.  So a simple test is:
When base64 decoded, is the MSB bit set on any bytes?  If yes, then it's
probably authenticated, otherwise not.

Note, you can use the Tor research framework to fetch any hidden service
descriptor, it will even parse the document and pull out the IP text.

Best
Gareth

On 10 November 2014 07:42, Andrea Shepard <andrea at torproject.org> wrote:

> On Sun, Nov 09, 2014 at 09:16:40PM -0500, Griffin Boyce wrote:
> > On 2014-11-09 15:30, Fabio Pietrosanti - lists wrote:
> > >On 11/9/14 8:58 PM, Jacob Appelbaum wrote:
> > >>>For example, it would be interesting if TBB would allow people to
> > >>>input a password/pubkey upon visiting a protected HS. Protected HSes
> > >>>can be recognized by looking at the "authentication-required" field of
> > >>>the HS descriptor. Typing your password on the browser is much more
> > >>>useable than editing a config file.
> > >>That sounds interesting.
> > >
> > >Also I love this idea but I would suggest to preserve the copy&paste
> > >self-authenticated URL property of TorHS, also in presence of
> > >authorization.
> >
> >   I'm conflicted about this idea.  Much better for usability ~but~
> > there should be an option for authenticated hidden services that
> > want to *not* prompt and instead fail silently if the key isn't in
> > the torrc (or x.y.onion url, depending on the design).
> >
> >   Use case: if someone finds my hidden service url written in my
> > planner while traveling across the border, they might visit it to
> > see what it contains. If it offers a prompt, then they know it
> > exists and can press me for the auth key (perhaps with an M4
> > carbine).  If there's no prompt and the request fails, then perhaps
> > it "used to exist" a long time ago, or I wrote down an example URL.
> >
> > best,
> > Griffin
>
> I believe it's verifiable whether an authenticated HS exists anyway; you can
> get the descriptor, but the list of intro points is encrypted.
>
> --
> Andrea Shepard
> <andrea at torproject.org>
> PGP fingerprint (ECC): BDF5 F867 8A52 4E4A BECF  DE79 A4FF BC34 F01D D536
> PGP fingerprint (RSA): 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5


-- 
Dr Gareth Owen
Senior Lecturer
Forensic Computing Course Leader
School of Computing, University of Portsmouth

*Office:* BK1.25
*Tel:* +44 (0)2392 84 (6423)
*Web*: ghowen.me
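
The high-bit test described at the top of this message, as an added example (not part of the original post and not code from Tor or the Tor research framework). The function names, the assumption that the field body may be wrapped in "-----" armor lines, and both sample inputs are constructed for illustration.

```python
import base64

def armor(data: bytes) -> str:
    """Wrap bytes the way the descriptor field is assumed to be armored."""
    b64 = base64.b64encode(data).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN MESSAGE-----", *rows, "-----END MESSAGE-----"])

def decode_field(field: str) -> bytes:
    """Base64-decode the field body, skipping blank and '-----' armor lines.
    Raises ValueError (binascii.Error) if the body is not valid base64."""
    rows = (line.strip() for line in field.splitlines())
    body = "".join(r for r in rows if r and not r.startswith("-----"))
    return base64.b64decode(body, validate=True)

def classify(field: str) -> dict:
    """Apply the test: any decoded byte with its top bit set means the
    introduction points are probably encrypted (authenticated service)."""
    data = decode_field(field)
    high = sum(1 for b in data if b & 0x80)
    if not data:
        verdict = "empty"
    elif high:
        verdict = "probably-authenticated"
    else:
        verdict = "probably-plaintext"
    # Chance that uniformly random bytes of this length show no high bit,
    # i.e. how often the test would miss an encrypted field of this size.
    miss = 2.0 ** -len(data) if data else None
    return {"verdict": verdict, "bytes": len(data),
            "high_bit_bytes": high, "miss_probability": miss}

# Constructed sample: ASCII-only text in the shape of an unencrypted list.
PLAINTEXT = (b"introduction-point constructedexampleid\n"
             b"ip-address 192.0.2.10\nonion-port 9001\n")
# Constructed stand-in for ciphertext: arbitrary bytes, not real encryption.
CIPHERTEXT_STANDIN = bytes((i * 73 + 41) % 256 for i in range(64))

if __name__ == "__main__":
    for name, raw in (("plain", PLAINTEXT), ("encrypted", CIPHERTEXT_STANDIN)):
        print(name, classify(armor(raw)))
```

The verdict stays "probably" for the reason given in the message: the test is a heuristic, and miss_probability shows how quickly the chance of a wrong "plaintext" verdict shrinks as the field gets longer.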