[tor-talk] A way to reduce service impersonation

Mirimir mirimir at riseup.net
Wed Oct 26 00:05:38 UTC 2016


On 10/25/2016 04:57 AM, arrase wrote:
> I would like to explain this more in depth from the point of view of the
> final user, the one who wants to know about the identity behind a mirror of
> a service.
> 
> The client has an extension installed in the browser.
> The client goes into a domain for the first time.
> The client decides that that service is good for him and he would like to
> know in the future if a mirror of the service is from the same author.
> The extension notifies the client that the site is running hidden service
> verification.
> The client accepts the data offered by the service to identify mirrors in
> the future, just by clicking on the extension icon.
> Next time the client goes into a service which claims to be a mirror of the
> original one, the extension uses the stored info to advise the client if it
> is really true or if it is a scam.

That makes sense. Some onions post GnuPG keys. But verification is
generally a manual process.

> 2016-10-25 1:58 GMT+02:00 arrase <arrase at gmail.com>:
> 
>> Hi list,
>>
>> This is my first post
>>
>> What do you think about that? Can it be good, or is it a waste of time?
>>
>> ""
>> - The problem:
>>
>> Many sites on the TOR network have multiple mirrors to support their user
>> load.
>>
>> When connecting to one of these mirror sites we can have the following
>> question:
>>
>> Is this the right place, or is it a service impersonation?
>>
>> - My proposal:
>>
>> The client who wants to verify if a service is fake or real can download
>> the PGP key of the service and send a challenge to a port of the service.
>>
>> The challenge is a simple string defined by the client, and the server must
>> respond with the same string with a valid GPG signature to identify itself.
>>
>> ""
>> Some code (work in progress):
>>
>> https://github.com/arrase/TOR-Hidden-Service-Verification
>>


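The challenge-response exchange proposed in the quoted message, written out as an added example (this is not code from the thread or from the linked GitHub project). It assumes Ed25519 from Go's standard library as a stand-in for the OpenPGP signature in the proposal, models the network hop to the service's verification port as a plain function, and adds two design choices the proposal leaves open: the client's challenge is a fresh random nonce rather than a fixed string, and the server signs its own address together with the nonce, so a signature only ever proves the identity of the host the client actually connected to. The pinned key represents what the browser extension stores when the user accepts the key on the first visit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

const nonceLen = 32

// Service is the server side: one long-term signing key shared by the
// original site and all of its mirrors. (Ed25519 stands in for GnuPG here.)
type Service struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewService() (*Service, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Service{Pub: pub, priv: priv}, nil
}

// payload is the exact byte string that gets signed: a protocol label, the
// address the server is answering on, and the client's nonce. The label keeps
// the signature from being confused with other signed data, the address ties
// the proof to one host, and the nonce makes each proof single-use.
// The label "tor-hs-verify-v1" is an assumed value chosen for this example.
func payload(addr string, nonce []byte) []byte {
	return []byte("tor-hs-verify-v1\x00" + addr + "\x00" + hex.EncodeToString(nonce))
}

// Respond answers a challenge received on servedAddr (the "port of the
// service" in the proposal).
func (s *Service) Respond(servedAddr string, nonce []byte) []byte {
	return ed25519.Sign(s.priv, payload(servedAddr, nonce))
}

// Pin is what the extension stores after the user accepts a key on the first
// visit (trust on first use); later visits to claimed mirrors verify against it.
type Pin struct {
	Pub ed25519.PublicKey
}

// NewChallenge draws a fresh random nonce for one verification attempt.
func NewChallenge() ([]byte, error) {
	n := make([]byte, nonceLen)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// Verify checks a response against the pinned key for the address the client
// actually connected to.
func (p Pin) Verify(connectedAddr string, nonce, sig []byte) error {
	if len(nonce) != nonceLen {
		return errors.New("challenge nonce has wrong length")
	}
	if !ed25519.Verify(p.Pub, payload(connectedAddr, nonce), sig) {
		return errors.New("response not signed by the pinned key for this address")
	}
	return nil
}

// Responder models the network hop: send a nonce to addr, get a signature back.
type Responder func(addr string, nonce []byte) []byte

// CheckMirror runs one full exchange: challenge, response, verification.
func CheckMirror(pin Pin, addr string, send Responder) error {
	nonce, err := NewChallenge()
	if err != nil {
		return err
	}
	return pin.Verify(addr, nonce, send(addr, nonce))
}

func main() {
	svc, err := NewService()
	if err != nil {
		panic(err)
	}
	pin := Pin{Pub: svc.Pub} // accepted by the user on the first visit (constructed)
	// Address names below are constructed placeholders, not real onion services.
	fmt.Println("genuine mirror:", CheckMirror(pin, "mirror2.example.onion", svc.Respond))
	other, _ := NewService()
	fmt.Println("unrelated key:", CheckMirror(pin, "mirror2.example.onion", other.Respond))
}
```

Because every check draws a new nonce and the signed bytes include the address the client reached, a recorded response cannot be reused later and a response obtained from one host does not verify for another; the extension only has to compare against the key it pinned.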