[tor-talk] Facebook brute forcing hidden services
Mike Cardwell
tor at lists.grepular.com
Fri Oct 31 13:02:34 UTC 2014
* on the Fri, Oct 31, 2014 at 08:54:27AM -0400, Roger Dingledine wrote:
>> https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>>
>> So Facebook have managed to brute force a hidden service key for:
>>
>> http://facebookcorewwwi.onion/
>>
>> If they have the resources to do that, what's to stop them brute
>> forcing a key for any other existing hidden service?
>
> I talked to them about this. The short answer is that they did the vanity
> name thing for the first half of it ("facebook"), which is only 40 bits
> so it's possible to generate keys over and over until you get some keys
> whose first 40 bits of the hash match the string you want.
Getting one ending "corewwwi" seems incredibly lucky to me. Did they tell
you how many keys they generated starting with "facebook" and how long it
took them?
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 598 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20141031/7bcb2105/attachment.sig>
More information about the tor-talk
mailing list