[tor-dev] Proposition: Applying an AONT to Prop224 addresses?

Ian Goldberg iang at cs.uwaterloo.ca
Mon Apr 3 14:48:26 UTC 2017

On Mon, Apr 03, 2017 at 02:53:17PM +0100, Alec Muffett wrote:
> On 3 April 2017 at 13:04, George Kadianakis <desnacked at riseup.net> wrote:
> > I'm calling it weird because I'm not sure how an
> > attacker can profit from being able to provide two addresses that
> > correspond to the same key, but I can probably come up with a few
> > scenarios if I think about it.
> Hi George!
> I'll agree it's a weird edge case :-)
> I think the reason my spider-sense is tingling is because years of cleaning
> up after intrusions has taught me that sysadmins and human beings are very
> bad at non-canonical address formats, especially where they combine them
> with either blacklisting, or else case-statements-with-default-conditions.
> If one creates scope for saying "the address is <foo>.onion but you can
> actually use <foo'>.onion or <foo''>.onion which are equivalent" - then
> someone will somehow leverage that either a) for hackery, or b) for social
> engineering.
> Compare:
> * http://017700000001
> * http://2130706433
> * http://0177.0.0.1  <- this one tends to surprise people
> *
> …and the sort of fun shenanigans that can be done with those "equivalent
> forms"
> People who've been trained not to type [X] into their browser, might be
> convinced to type [X']
> It's a lot easier for people to cope with there being one-and-only-one
> viable form for any given hostname or address-representation.

But as I said to Alec in AMS, anyone on the internet can register
"facebook.mydomain.com" and have the A record point to the same thing as
facebook.com.  So there are always alternate names for any given
website.  TLS, of course, is designed to protect against these

Prop224 *also* (mostly) protects against these shenanigans, because even
if there were two onion addresses that resolved to the same pubkey, the
daily blinded version incorporates the original onion address (not just
the pubkey, right?  *Right?*), so the alternate address-with-same-pubkey
won't actually point anywhere.  However, an adversary can upload a
descriptor there; I'm not sure what the implications of that are just

The other thing to remember is that didn't we already say that




will mean the same thing?  So we're already past the "one (st)ring to
rule them all" point?

   - Ian

More information about the tor-dev mailing list