[tor-talk] Dutch police break into webservers over hidden services

Roger Dingledine arma at mit.edu
Thu Sep 1 13:24:54 UTC 2011

Several people have asked us on irc about recent news articles like

Apparently the Dutch police exploited vulnerabilities in the webservers
reachable over the hidden services. Some people are confusing this issue
with an attack on Tor. Tor just transports bytes back and forth. If you
have an instant messaging conversation with a Tor user and convince her
to tell you her address, did you break Tor? Having an http conversation
with a webserver running over a Tor hidden service, and convincing it
to tell you its address, is not much different.

So what lessons can we learn here, other than the usual "criminals
are not as smart as your average bear"? (If only we could count on bad
people to run insecure software, and good people to secure their software
correctly, the world would be a much simpler place.) One lesson is that
there are a lot of non-Tor components that can go wrong in keeping a
hidden service hidden -- just as we have a laundry list of security
and privacy issues to consider when using Tor as a normal client (at
the bottom of https://www.torproject.org/download/download.html.en )
there's a whole other set of issues, mostly unexplored, for hidden
service operators to keep in mind:

