[tor-dev] Hash Visualizations to Protect Against Onion Phishing
Ian Goldberg
iang at cs.uwaterloo.ca
Thu Aug 20 15:00:51 UTC 2015
On Thu, Aug 20, 2015 at 02:41:51PM +0000, Yawning Angel wrote:
> What would be useful here is the number of onion addresses an average
> user visits. If it's small, something like this would probably be
> sufficient:
>
> 0. Browser generates/stores a long term salt.
>
> 1. On onion access, calculate SHAKE(salt | onion address) map that to
> a poker hand (5 card draw).
>
> P(52,5) = 311,875,200
> C(52,5) = 2,598,960
>
> 2. Goto 1.

The per-browser salt is a good way to prevent similar-hash attacks, but
of course will go astray if the user reinstalls her Tor Browser or has
multiple devices.

I'd caution about the poker hand, though. One year when I taught
first-year undergraduate CS, we included an assignment that had to do
with decks of cards and card games. A surprising number of people had
never seen decks of cards before, and were unfamiliar with the concept.
I did not observe whether the (un)familiarity was correlated with what
part of the world they came from.

Perhaps a notification "You've never visited this site before" that
pushes down from the top like some other notifications might go a long
way?
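
Added example (not code from this thread or from Tor Browser): a sketch of the quoted steps 0 and 1 together with the first-visit notice suggested in the reply, showing that a second install with a fresh salt produces a different hand. The `Browser` class, the 32-byte salt, the length-prefixed input encoding, lowercasing the address and the placeholder address are assumptions.

```python
import hashlib
import secrets

RANKS, SUITS = "23456789TJQKA", "cdhs"
DECK = [r + s for r in RANKS for s in SUITS]   # 52 cards
P_52_5 = 52 * 51 * 50 * 49 * 48                # 311,875,200 ordered hands

def salted_shake(salt: bytes, onion: str, n: int) -> bytes:
    # Assumption: length-prefix the salt so the salt/address boundary is unambiguous.
    addr = onion.strip().lower().encode("ascii")
    return hashlib.shake_128(len(salt).to_bytes(2, "big") + salt + addr).digest(n)

def onion_hand(salt: bytes, onion: str, ordered: bool = True) -> tuple:
    """Map SHAKE(salt | onion address) to 5 distinct cards without modulo bias."""
    stream = salted_shake(salt, onion, 64)     # 16 candidate 32-bit words
    limit = (2**32 // P_52_5) * P_52_5         # largest multiple of P(52,5) <= 2^32
    for i in range(0, len(stream), 4):
        idx = int.from_bytes(stream[i:i + 4], "big")
        if idx < limit:                        # rejection sampling, ~5.6% rejected
            break
    else:
        raise RuntimeError("no unbiased word in stream")  # chance about 1e-20
    idx %= P_52_5
    deck, hand = list(DECK), []
    for n in range(52, 47, -1):                # unrank: pick 1 of 52, 51, ..., 48
        idx, k = divmod(idx, n)
        hand.append(deck.pop(k))
    # Sorting discards draw order: C(52,5) = 2,598,960 distinguishable hands.
    return tuple(hand) if ordered else tuple(sorted(hand, key=DECK.index))

class Browser:
    """Hypothetical per-install state: long-term salt plus salted visit tags."""
    def __init__(self):
        self.salt = secrets.token_bytes(32)    # step 0; 32 bytes is an assumption
        self.seen = set()

    def visit(self, onion: str):
        tag = salted_shake(self.salt, onion, 16)
        first = tag not in self.seen           # "never visited this site before"
        self.seen.add(tag)
        return onion_hand(self.salt, onion), first

if __name__ == "__main__":
    a, b = Browser(), Browser()                # b models a reinstall or second device
    site = "exampleonionaddr.onion"            # constructed placeholder address
    print(a.visit(site), a.visit(site), b.visit(site))
```
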