[tor-talk] Facebook brute forcing hidden services
David Rajchenbach-Teller
dteller at mozilla.com
Fri Oct 31 12:53:21 UTC 2014
Got it. What's the behavior when two services have the same .onion address?
On 31/10/14 13:50, Mike Cardwell wrote:
> You don't get to pick the ".onion" address. It is derived from the key
> you randomly generated.
>
> However, you can just keep generating keys over and over again until
> you get one that matches what you want. People have been doing this
> to choose their own prefixes for a while now, but this is the first
> time I've seen somebody generate a full string of their own choosing.
>
> If facebook can do that, then so can GCHQ and NSA. And if they can
> do that, they can brute force a key which matches the .onion address
> of any existing hidden service. So they can then MITM hidden services.
>
> I don't think I'm being dramatic when I say this proves that Tor
> hidden services are now completely broken. I'd like somebody to
> show me that I'm wrong for some reason though...
>
>
>
--
David Rajchenbach-Teller, PhD
Performance Team, Mozilla
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20141031/57811eea/attachment.sig>
More information about the tor-talk
mailing list