[tor-talk] A way to reduce service impersonation
arrase
arrase at gmail.com
Mon Oct 24 23:58:58 UTC 2016
Hi list,
This is my first post.
What do you think about this? Can it be good, or is it a waste of time?
""
- The problem:
Many sites on the TOR network have multiple mirrors to support their user load.
When connecting to one of these mirror sites, we can have the following
question:
Is this the right place, or is it a service impersonation?
- My proposal:
The client who wants to verify whether a service is fake or real can download
the PGP key of the service and send a challenge to a port of the service.
The challenge is a simple string defined by the client, and the server must
respond with the same string with a valid GPG signature to identify itself.
""
Some code (work in progress):
https://github.com/arrase/TOR-Hidden-Service-Verification
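
The challenge/response check described in the proposal, as an added sketch that is not code from the post or from the linked repository. It assumes a toy textbook-RSA signature as a stand-in for the GPG signature so that it runs with the standard library only, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy textbook-RSA parameters standing in for the service's PGP key.
# Assumption for illustration only, NOT secure: P and Q are the
# Mersenne primes 2**521-1 and 2**607-1.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537


def make_key(p=P, q=Q, e=E):
    """Return (public, private) with public=(n, e) and private=(n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than n here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def new_challenge() -> bytes:
    """Client: a fresh random string, so an old response cannot be reused."""
    return secrets.token_hex(16).encode()


def server_respond(private, challenge: bytes):
    """Service: return the same string together with a signature over it."""
    n, d = private
    return challenge, pow(_digest(challenge), d, n)


def client_verify(pinned_public, challenge: bytes, response) -> bool:
    """Client: accept only our own challenge, signed by the pinned key."""
    echoed, signature = response
    n, e = pinned_public
    if not secrets.compare_digest(echoed, challenge):
        return False  # a different string was signed, e.g. a replayed answer
    return pow(signature, e, n) == _digest(challenge)
```

The check is only as strong as the way the client obtained the service's public key: it has to come from a source other than the mirror being tested.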