[tor-talk] A way to reduce service impersonation

arrase arrase at gmail.com
Tue Oct 25 10:57:50 UTC 2016


I would like to explain this in more depth from the point of view of the
final user, the one who wants to know about the identity behind a mirror of
a service.

The client has an extension installed in the browser.
The client goes to a domain for the first time.
The client decides that the service is good for him and he would like to
know in the future if a mirror of the service is from the same author.
The extension notifies the client that the site is running hidden service
verification.
The client accepts the data offered by the service to identify mirrors in
the future, just by clicking on the extension icon.
The next time the client goes to a service that claims to be a mirror of the
original one, the extension uses the stored info to advise the client whether
it is really true or a scam.

2016-10-25 1:58 GMT+02:00 arrase <arrase at gmail.com>:

> Hi list,
>
> This is my first post
>
> What do you think about that? Can it be good, or is it a waste of time?
>
> ""
> - The problem:
>
> Many sites on the TOR network have multiple mirrors to support their user
> load.
>
> When connecting to one of these mirror sites we can have the following
> question:
>
> Is this the right place, or is it a service impersonation?
>
> - My proposal:
>
> The client who wants to verify if a service is fake or real can download
> the PGP key of the service and send a challenge to a port of the service.
>
> The challenge is a simple string defined by the client, and the server must
> respond with the same string with a valid GPG signature to identify itself.
>
> ""
> Some code (work in progress):
>
> https://github.com/arrase/TOR-Hidden-Service-Verification
>
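
A sketch of the challenge/response and the "remember this service" step described in this thread, added here as an example; it is not code from the post or from the linked repository. Assumptions: Ed25519 from the Python `cryptography` package stands in for GPG, all class and function names and the `.onion` strings are hypothetical, and it goes beyond the post by signing the address together with the challenge.

```python
import hashlib, secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def fingerprint(pub):
    raw = pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    return hashlib.sha256(raw).hexdigest()

def signed_message(challenge, address):
    # Binding the address: a signature made for one address fails for another.
    return b"hs-verify|" + address.encode() + b"|" + challenge

class Service:  # server side: holds the signing key and answers challenges
    def __init__(self, key, address):
        self.key, self.address = key, address
    def public_key(self):
        return self.key.public_key()
    def respond(self, challenge):
        return challenge, self.key.sign(signed_message(challenge, self.address))

class Client:  # extension side: pins a key on first visit, checks mirrors later
    def __init__(self):
        self.pins = {}  # service name -> pinned key fingerprint
    def remember(self, name, service):
        self.pins[name] = fingerprint(service.public_key())
    def check_mirror(self, name, service, address):
        pub = service.public_key()
        if fingerprint(pub) != self.pins.get(name):
            return "unknown key"
        challenge = secrets.token_bytes(32)  # fresh per check, old answers are useless
        echoed, sig = service.respond(challenge)
        if echoed != challenge:
            return "challenge mismatch"
        try:
            pub.verify(sig, signed_message(challenge, address))
        except InvalidSignature:
            return "bad signature"
        return "same author"

def demo():  # constructed keys and addresses, for illustration only
    key = Ed25519PrivateKey.generate()
    client = Client()
    client.remember("svc", Service(key, "original.onion"))
    mirror = Service(key, "mirror.onion")
    other = Service(Ed25519PrivateKey.generate(), "other.onion")
    return (client.check_mirror("svc", mirror, "mirror.onion"),
            client.check_mirror("svc", other, "other.onion"),
            client.check_mirror("svc", mirror, "other.onion"))
```

`demo()` returns the verdict for a mirror with the pinned key, a service with a different key, and a response signed for a different address than the one the client visited.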

