mogulguy at yahoo.com
Tue Jun 30 20:34:45 UTC 2009
--- On Tue, 6/30/09, Freemor <freemor at gmail.com> wrote:
> > I envision an onion encrypted URL along with the exact
> > path through tor (the three hops) also onion encrypted. This
> > would be similar to the way a client normally wraps requests through
> > tor, but the wrapping would happen up front and then the wrapper
> > would become the "Obfuscated URL" which could be handed off to
> > someone else obfuscating both the path through tor and the final
> > destination to the person receiving the "Obfuscated URL".
> An interesting idea. I see two possible problems with it.
> Firstly I'm not sure storing the route is useful. Due to the nature
> of Tor some relays may not be up all the time so having them hard
> coded in the URL could be a path to failure. Also I am not sure
> there would be any security advantage (other then possibly specifying
> the exit node to keep it in a friendly jurisdiction or something ..
> but this too has it's potential problems (see next point).
Yes, I attempt to address the weak link idea in my reply
to the previous poster, however a suggestion to eliminate
this weak link is obviously desired.
In my scenario, the point of hard coding the path is to
obfuscate the final URL, how could this be done
differently? In this scenario, it requires all 3 nodes
to decrypt the final URL, one node by itself cannot,
this should provide the same protection that you get
today by surfing with tor, should it not?
> Secondly this idea seems more suited to malicious uses
> (obviscated URL to exploit site/etc) then to the more
> dissident need for anonymity. (I could be wrong. I
> welcome some examples to get me thinking in the right
I don't see why this is more open to abuse than the
general tor network, could you explain your reasoning?
As for use cases, I envision that as a simple whistle
blower or reporter, I would post my content on various
free forums in an encrypted file and publish an
obfuscated URL and password to the content. This would
be a lot simpler publishing mechanism, especially with
helper programs potentially designed for this, or by
adding the encryption directly to tor (and the
password to the obfuscated URL) thus eliminating the
need for the extra password, than setting up and
maintaining a hidden service, and perhaps safer with
respects to protecting my own anonymity.
> One of the reasons I say this is that if the
> information is not running on a hidden server
> then it will most likely be found and shutdown.
> Since anyone that could use these URLs would need
> to have TOR installed and running I'm having a
> hard time seeing the advantage to this over a .onion
> URL. (Again I welcome examples)
Again, as I mentioned to the previous poster, I
could make several URLs to the same content posted
in different places, this completely eliminates
the single point of failure which a hidden service
does not. Of course, I could setup several hidden
services, but I think that you can see how that
would be much more complex than what I am
Add the extra encryption layer mentioned in my
previous paragraph and I think that the content
could be as well, or better protected than
with a hidden service.
> Just my thoughts
Thanks for the feedback, :)
More information about the tor-talk