[tor-talk] Wikimedia and Tor

Mirimir mirimir at riseup.net
Thu Oct 2 16:35:03 UTC 2014


On 10/02/2014 08:07 AM, Derric Atzrott wrote:
>>> I liked the GPG idea, and brought it back to Wikitech-l. I'll let
>>> you guys know if anyone there finds a way to completely break it.
> 
>> There's another possibility that's probably easier to implement and
>> test, but isn't so broadly useful as a hard-to-generate GnuPG key. In
>> creating a hidden service, the Tor client generates an RSA private_key
>> and uses the first 80 bytes of the key's SHA1 hash as the hostname.
>> Vanity hostnames being popular, there are published methods.[0]
> 
> I'm not entirely sure what you are suggesting?  Are you suggesting
> we leverage specify some portion of a SHA1 hash and require that
> the Tor clients trying to edit Wikipedia create a hidden service key
> that ends up matching that?

I'm suggesting that you require new accounts to generate a functional
GnuPG key (with normal key length etc) with a fingerprint (hash) that
begins with a random string supplied by Wikimedia. Although there are
shortcuts for creating keys with arbitrary fingerprints, they produce
keys with atypical key lengths etc. In order to produce a "normal" key
with the specified fingerprint substring, it would be necessary to
randomly generate numerous keys and select for the desired fingerprint.
Having accomplished that, the new user could edit the metadata to match
their account name and email address.

It just so happens, given the popularity of vanity Tor hidden-service
names, that there are apps that generate and select private keys in that
way. It's merely an example of the approach, which demonstrates its
feasibility. I suspect that creating a version for GnuPG keys would
require trivial modifications.

I'll ask about this on gnupg-users and report.

> Or are you suggesting that we do something involving requiring editors
> using Tor to create a hidden service with a certain hostname (are those
> hostnames called descriptors, I think they are, but I'm not 100% sure)?

No, I'm not suggesting anything about hidden services per se.

> Or something else entirely.
> 


More information about the tor-talk mailing list