The best way to run a hidden service: one or two computers?

coderman coderman at gmail.com
Mon Sep 27 04:16:12 UTC 2010


On Sat, Sep 25, 2010 at 5:04 PM, Mike Perry <mikeperry at fscked.org> wrote:
> ...
>> however, if an attacker has access to read this locally they've
>> already compromised you to a degree that random mac affords no
>> protection...
>
> Is this really true?

yup.  for the very few situations it is not true, you've designed a
virtual network and client environment with this class of information
leakage covered (read: you know what you're doing and what you're
defending against :)


> One of the things I've wondered about here is
> plugins, but since Torbutton disables them for other reasons I haven't
> really looked into it.

yes. this is one reason why Torbutton is great regardless of other
protections. the list of plug-ins exposing dangerous interfaces /
attack surface is about as long as the list of plug-ins for FFox,

Chrome only has a prayer as live browser instance (which it does well
by the way!).

IE, Opera, Safari, most are hopeless.



> For insance, I know Java can create a socket,
> and query the interface properties of that socket to get the interface
> IP. Why not mac address?

yup, and/or upstream router details sufficient to geo locate you,
expose public IP endpoint, etc. (like the "how i met your girlfriend"
attacks, many others...)


> And if not java, can one of flash,
> silverlight, pdf-javascript, or others do this?

yes.


> Already we have
> location features built in to the browser based on nearby Wifi MACs...

yes. :)


> The Java trick to get the interface IP does not require special privs,
> so a randomized MAC would in fact help this scenario, if it were
> somehow possible.

yes. :P
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list