[tor-dev] Proposition: Applying an AONT to Prop224 addresses?

Alec Muffett alec.muffett at gmail.com
Mon Apr 3 16:29:02 UTC 2017

On 3 April 2017 at 16:59, Ian Goldberg <iang at cs.uwaterloo.ca> wrote:

> How about this, though: I know that Tor doesn't want to be in the business
> > of site reputation, but what if (eg) Protonmail offers a Onion "Safe
> > Browsing" extension some day, of known-bad Onions for malware reasons?

> That's a quite good motivating example, thanks!

#Yay; I'm also thinking of other plugins (in the cleartext world,
HTTPSEverywhere is the best example) which provide value to the user by
mechanically mutating URIs which match some canonical DNS domain name;
because Onion addresses are more like Layer-2 addresses*, development of
similar plugins benefits greatly from enforced "canonicality" (sp?) than is
necessary for equally-functional DNS equivalents; there is no means to
"group" three disparate Onion addresses together just-because they are all
owned by (say: Facebook), and if each address has 8 possible
representations then that's 24 rules to match against...

> There's quite a gulf between stripping hyphens from a candidate onion
> > address and doing strcmp(), versus either drilling into the candidate
> > address to compute the alternative forms to check against the blacklist,
> or
> > even requiring the blacklist to be 8x larger?
> Yes, that's true.  I'm definitely in favour of the "multiply by L (the
> order of the group) and check that you get the identity element; error
> with 'malformed address' if you don't" to get rid of the torsion point
> problem.

I heard that and AMS and it sounds a fabulous idea, although I am still too
much of an EC noob to appreciate it fully. :-)

If the daily descriptor uploaded to the point
> Hash(onionaddr, dailyrand) contained Hash(onionaddr, dailyrand) *in* it
> (and is signed by the master onion privkey, of course), then tor
> could/should check that it reached that location through the "right"
> onion address.

That sounds great, and I think it sounds an appropriate response, but again
I am a Prop224 and EC noob. :-)

I would like, for two paragraph, to go entirely off-piste and ask a
possibly irrelevant and probably wrong-headed question:

I view Onions as Layer-2 addresses, and one popular attack on Ethernet
Layer 2 is ARP-spoofing.  Imagine $STATE_ACTOR exfiltrates the private key
material from $ONIONSITE and wants to silently and partially MITM the
existing site without wholesale owning or tampering with it. Can they make
any benefit from multiple ("hardware MAC-address") keys colliding to one
address? Is there any greater benefit to $STATE_ACTOR from this than (say)
publishing lots of fake/extra introduction points for $ONIONSITE and using
those to interpose themselves into communications?

I'm afraid the details of what's in that daily descriptor are not in my
> brain at the moment.  Does it contain its own (daily blinded) name under
> the signature?

<punt/>  George?


* Layer-2 analogy: https://twitter.com/AlecMuffett/status/802161730591793152

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20170403/11414a8e/attachment.html>

More information about the tor-dev mailing list