[tor-dev] Hash Visualizations to Protect Against Onion Phishing

Ian Goldberg iang at cs.uwaterloo.ca
Thu Aug 20 15:00:51 UTC 2015


On Thu, Aug 20, 2015 at 02:41:51PM +0000, Yawning Angel wrote:
> What would be useful here is the number of onion addresses an average
> user visits.  If it's small, something like this would probably be
> sufficient:
> 
>  0. Browser generates/stores a long term salt.
> 
>  1. On onion access, calculate SHAKE(salt | onion address) map that to
>     a poker hand (5 card draw).
> 
>     P(52,5) = 311,875,200
>     C(52,5) = 2,598,960
> 
>  2. Goto 1.

The per-browser salt is a good way to prevent similar-hash attacks, but
of course will go astray if the user reinstalls her Tor Browser or has
multiple devices.

I'd caution about the poker hand, though.  One year when I taught
first-year undergraduate CS, we included an assignment that had to do
with decks of cards and card games.  A surprising number of people had
never seen decks of cards before, and were unfamiliar with the concept.
I did not observe whether the (un)familiarity was correlated with what
part of the world they came from.

Perhaps a notification "You've never visited this site before" that
pushes down from the top like some other notifications might go a long
way?
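
The salted scheme quoted above, sketched in Python as an added example that is not part of either poster's message or of Tor Browser. SHAKE256, the 32-byte salt, the index-to-hand decoding, the card notation and the two .onion names are assumptions or constructed sample values.

```python
import hashlib
import secrets

RANKS = "A23456789TJQK"
SUITS = "shdc"                                  # spades, hearts, diamonds, clubs
DECK = [r + s for s in SUITS for r in RANKS]    # 52 cards, e.g. "Qh"
ORDERED_HANDS = 52 * 51 * 50 * 49 * 48          # P(52,5) = 311,875,200
UNORDERED_HANDS = ORDERED_HANDS // 120          # C(52,5) = 2,598,960


def new_salt():
    """Step 0: long-term per-browser salt (32 random bytes is an assumption)."""
    return secrets.token_bytes(32)


def onion_hand(salt, onion, ordered=True):
    """Step 1: map SHAKE(salt | onion address) to a 5-card hand."""
    data = salt + onion.strip().lower().encode("ascii")
    # 32 bytes of output keeps the modulo bias below 2**-227.
    digest = hashlib.shake_256(data).digest(32)
    index = int.from_bytes(digest, "big") % ORDERED_HANDS
    # Read the index as mixed-radix digits (52, 51, 50, 49, 48): each digit
    # picks one card from the remaining deck, so no card can repeat.
    deck, hand = list(DECK), []
    for remaining in (52, 51, 50, 49, 48):
        index, pick = divmod(index, remaining)
        hand.append(deck.pop(pick))
    if not ordered:
        # Ignoring draw order collapses the 120 orderings of a hand into one.
        hand.sort(key=DECK.index)
    return hand


if __name__ == "__main__":
    salt = new_salt()
    # Constructed addresses: the second differs from the first in one character.
    for addr in ("exampleonionaddr.onion", "exampleonionaddq.onion"):
        print(addr, " ".join(onion_hand(salt, addr)))
    # A fresh salt (reinstall, second device) shows a different hand for the
    # same address, which is the drawback raised in the reply.
    print("new salt:", " ".join(onion_hand(new_salt(), "exampleonionaddr.onion")))
```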

