[tor-talk] Hiden service and session integrity

Andreas Krey a.krey at gmx.de
Mon Nov 17 18:19:07 UTC 2014


On Mon, 17 Nov 2014 18:22:00 +0000, NTPT wrote:
...
> web application "foo" use a classical session to maitain state of the user. 
> Classically user BAR have  IP address and cookie is assigned in the login 
> process. If the right cookie from the right ip address comes for user BAR, 
> server accepts future request
> 
> But how it can work thru TOR ?

Your server always sees requests from 127.0.0.1 and everything works. ;-)
(The server only ever sees the addresse from where the hidden service
node is; obviously it can't see the actual client IP.)

> what about scenario that an attacker 
> determine my exit point and somehow stole my authentication cookie and then 

The model of using the IP address (among others) to distinguish users is
broken anyway - mobile users may change addresses occasionally, and
the other way round multiple users (esp. mobile again) can appear
from the same address thanks to the marvels of NAT.

> he can use .exit pseudodomain to route his traffic thru the same exit point 
>  (ie gain same ip address as a legitimate client ) ? 

You were talking about hidden services in the subject; what you discuss
here is your regular web service being accessed via tor. If we're
talking about the latter you should (as always) offer the service
on https, not http, and the question of stealing the login cookie
becomes academic.

If you're not using https, you're simply careless towards any user
of your service as the cookie is transferred in plaintext - any
open WLAN allows to sniff, as well as any rogue exit node operator
can intercept any login cookie that passes its node in HTTP.

If you're actually offering a hidden service the traffic is
encrypted end-to-end even for plain http: URLs.

> And is it possible (and how ? ) to run end to end encrypted (ssl) web 
> traffic via tor network ?

By enterin https://someurl in the tor browser. I'm sure there
is a pretty picture somewhere but I don't know it.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800


More information about the tor-talk mailing list