[tor-talk] Tor Double HiddenService w/ Server Level Intercepting Request and Content Anonymization

Manfred Ackermann yo at acki.es
Thu Oct 31 12:22:11 UTC 2013


Hi Marcos.

Just had a look on Whonix. Was new to me and I'll have a look on that,
thanks for the info on that.

> "Whonix" or "Ubuntu", blocks some unauthorized bad
> javascript injection, when visiting a compromised
> HiddenService?

I have no information that any of those two would block anything out of the
box.

> Don't you think HiddenServices are no more secure, ...

I think they are secure as the visitors set-up.

> Do you know when the number of HiddenServices will
> rise again?

I don't have a clue (or a glass sphere).

Greetings,
Manfred

2013/10/31 Marcos Eugenio Kehl <marcoskehl at hotmail.com>

> Hello folk!"Whonix" or "Ubuntu", blocks some unauthorized bad javascript
> injection, when visiting a compromised HiddenService? Don't you think
> HiddenServices are no more secure, after the cataclysm, that happend on
> August 2013? Do you know when the number of HiddenServices will rise
> again?Marcos (Brasil)
>
> > Date: Wed, 30 Oct 2013 23:39:07 +0000
> > From: yo at acki.es
> > To: tor-talk at lists.torproject.org
> > Subject: Re: [tor-talk] Tor Double HiddenService w/ Server Level
> Intercepting Request and Content Anonymization
> >
> > Hi Anthony.
> >
> > If the first-in-line server gets compromised then the users using this
> > HiddenService have to cross fingers that their privoxy or similar
> > anonymizer is well configured.
> >
> > Because the first server-in-line is the tor node handling the public
> > HiddenService declaration and the Tor network as transport network imho
> > needs to stay transparent, there is nothing I can imagine that can be
> done
> > apart of intergration of request modification into the HiddenService
> > declaration so this personal informations would never leave the Tor
> network.
> >
> > But also the actual approach should be capable of injecting a warning
> into
> > the response when personal information is found in the request.Something
> > like injecting a div-layer with a warning after the body tag when a
> > accept-language tag is found other than 'en'. Expecially when the
> installed
> > server only supports 'en' why sending anything else that changes
> nothing.Or
> > instead the response can be only a warning and no content from the
> > HiddenService. But this would force the users to setup a special
> > configuration... something I wouldn't like.
> >
> > But I think the relay isn't the primary target in first place for the
> > authorities so risk is acceptable. And if one in the chain gets
> compromised
> > the other will know. A (manual human executed) protocol of changing the
> > X-OnionRelay-Auth code for example would prevent that users get through
> to
> > the server even if the proxy will forward the request.  This would be
> well
> > paranoid but still the request leaves the Tor network unfiltered and
> > unencrypted.
> >
> > Greetings, Manfred
> > Am 30.10.2013 14:26 schrieb "Anthony Papillion" <anthony at papillion.me>:
> >
> > > On 10/29/2013 08:48 AM, Manfred Ackermann wrote:
> > > > Hi List.
> > > >
> > > > Sorry to push this up, just wondering if this approach is such stupid
> > > that
> > > > it's not even worth leaving a related comment to it ;-) Or is it
> just of
> > > no
> > > > interest?
> > > >
> > > > Any comments apriciated.
> > >
> > > Hello Manfred,
> > >
> > > Sounds like a fantastic idea. But I think I'm missing something that
> I'm
> > > hoping you can clear me up on. How does this protect the user if the
> > > first-in-line server is compromised? So the user connects to HS on
> > > computer1 which is compromised. How does your system stop them from
> > > being compromised instead of forwarded deeper into the network to
> > > computer2?
> > >
> > > Cheers,
> > > Anthony
> > >
> > >
> > > --
> > > Anthony Papillion
> > > XMPP/Jabber:      cajuntechie at jit.si
> > > OTR Fingerprint:  1515393D53BA593C19E2CD549AE59FB650F82ABC
> > > SIP:              17772471988 at callcentric.com
> > > PGP Key:          0xDC89FF2E
> > >
> > > --
> > > tor-talk mailing list - tor-talk at lists.torproject.org
> > > To unsubscribe or change other settings go to
> > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> > >
> > --
> > tor-talk mailing list - tor-talk at lists.torproject.org
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>


More information about the tor-talk mailing list