[tor-talk] Hidden service and session integrity
NTPT at seznam.cz
Mon Nov 17 17:22:00 UTC 2014
I am new to Tor and I am investigating the possibility of hidden services, and I
cannot find an answer in the docs.
A web application "foo" uses a classical session to maintain the state of the user.
Classically, user BAR has an IP address, and a cookie is assigned in the login
process. If the right cookie comes from the right IP address for user BAR, the
server accepts future requests.
But how can it work through Tor? What about the scenario where an attacker
determines my exit point and somehow steals my authentication cookie, and then
he can use the .exit pseudodomain to route his traffic through the same exit point
(i.e. gain the same IP address as a legitimate client)?
And is it possible (and how?) to run end-to-end encrypted (SSL) web
traffic via the Tor network?
Thanx for explanation.
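
The session check described in the post, as an added example that is not part of the original message: a server that accepts a cookie only from the IP address recorded at login. The class and function names are hypothetical, the addresses are constructed, and it assumes (as the post's scenario does) that the server sees one source address for every client behind the same exit point.

```python
import secrets


class IpBoundSessions:
    """Hypothetical session table: a cookie is valid only from the login IP."""

    def __init__(self):
        self._sessions = {}  # cookie value -> (user, IP recorded at login)

    def login(self, user, client_ip):
        # Unpredictable cookie value, so it cannot be guessed, only copied.
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (user, client_ip)
        return cookie

    def authenticate(self, cookie, client_ip):
        """Return the user name if cookie and source IP both match, else None."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        user, bound_ip = entry
        return user if client_ip == bound_ip else None


def demo():
    # Constructed addresses from the RFC 5737 documentation ranges.
    exit_ip = "192.0.2.10"     # what the server sees for clients behind one exit
    other_ip = "198.51.100.7"  # any unrelated address
    store = IpBoundSessions()
    cookie = store.login("BAR", exit_ip)
    return {
        "owner": store.authenticate(cookie, exit_ip),
        # A copied cookie is refused only while the source address differs.
        "copied_cookie_other_ip": store.authenticate(cookie, other_ip),
        # From the shared address the request is identical to the owner's,
        # so the IP comparison adds nothing: the cookie is the only secret.
        "copied_cookie_same_ip": store.authenticate(cookie, exit_ip),
        "guessed_cookie_same_ip": store.authenticate(
            secrets.token_urlsafe(32), exit_ip
        ),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user}")
```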