[tor-dev] Hash Visualizations to Protect Against Onion Phishing
ncl at cock.li
Sun Aug 30 23:40:30 UTC 2015
I came across this thread from the weekly news post for this week, so
please excuse me if I've missed some from just skimming through the posts.
Having randomart/gravatars/poems/etc. seems like a rather interesting
topic, but if it were seriously added to tor, there seem to be a few problems
in my mind:
a) This doesn't stop someone from phishing if the target has never seen
the hs address before. (proving identities is another issue though I
guess, the focus on this discussion being how to implement TOFU.)
b) People's memories are imperfect, and even with a system that may
generate wildly distinct results for similar addresses,
remembering a number of those will become a blur.
c) This all seems rather complicated.
Since the point seems to just be keeping a record that addresses match
once you're reasonably sure you've found the right one, wouldn't
something of an "address book" be much simpler and easier? It might not
even need to be a feature of tor/tbb, but maybe just a tip to users.
It could be something as simple as a gpg-encrypted text file if you're
worried about leaking sites you visit.
(I hope I don't get much about using "gpg" and "simple" in the same
Another few things popped up in my mind while thinking about this:
- Should tbb distribute hsts preload-like lists for HS's (eg
- A set of guidelines should be published on how an HS owner should
prove their identity. (wouldn't want another sigaint incident!)
- Can/should a system be set up to monitor HS addresses that are
similar to existing ones?
- For HS's which do not need to be as anonymous, should a tor-specific
CA be created, or be encouraged to try and use a CA as a means of
A tor-specific CA might be better, since an attacker might be able to
get their phishing cert signed. If the previous point is implemented,
more precautions could be put in place to verify an HS's identity.
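As an added illustration of the "address book" idea and of monitoring for addresses that look like known ones (example code, not the poster's or the Tor project's), this pins an onion address under a label once the user trusts it and later flags addresses that differ from a pinned one only slightly. It assumes the 16-character v2 onion address shape of the time; the prefix and edit-distance thresholds and the sample addresses are constructed.

```python
import re

# Shape of a (2015-era, v2) onion address: 16 base32 chars plus ".onion".
ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")

def normalize(addr):
    """Lower-case, strip, and reject anything that is not a v2 onion address."""
    addr = addr.strip().lower()
    if not ONION_RE.match(addr):
        raise ValueError("not a v2 onion address: %r" % addr)
    return addr

def edit_distance(a, b):
    """Levenshtein distance; O(n*m) is fine for 16-character stems."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def common_prefix(a, b):
    """Length of the shared leading substring (vanity-prefix lookalikes)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

class OnionAddressBook:
    """TOFU address book: pin an address under a label once you trust it,
    then flag later addresses that resemble a pinned one but differ."""
    def __init__(self, prefix_threshold=6, distance_threshold=3):
        self.pins = {}  # normalized address -> label
        self.prefix_threshold = prefix_threshold      # constructed threshold
        self.distance_threshold = distance_threshold  # constructed threshold

    def pin(self, label, addr):
        self.pins[normalize(addr)] = label

    def check(self, addr):
        """('known', label) | ('lookalike', label, pinned_addr) | ('unknown', None)"""
        addr = normalize(addr)
        if addr in self.pins:
            return ("known", self.pins[addr])
        stem = addr[:16]
        for known, label in self.pins.items():
            k = known[:16]
            if (common_prefix(stem, k) >= self.prefix_threshold
                    or edit_distance(stem, k) <= self.distance_threshold):
                return ("lookalike", label, known)
        return ("unknown", None)
```

A "lookalike" result is the case the post worries about: the user has a pinned record, and the address in front of them is close to it but not identical.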