Opened 4 years ago

Closed 13 months ago

#17110 closed task (fixed)

Hardening security - HidServAuth

Reported by: ikurua22 Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-hs hs-ng
Cc: arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor: SponsorR-can


I've detected someone bruteforce my HiddenServiceAuthrozeClient key
and using it to access my HiddenService.
Client computers are NOT compromised.

HidServAuth can be compromise by brute force, because it's length is
just 16.
Please make it extremely longer, for example, 4096bit.
Or add ".crt/.pem" authorization method.

Child Tickets

Change History (3)

comment:1 Changed 4 years ago by yawning

Keywords: tor-hs added
Priority: majornormal
Version: Tor: unspecified

Prop. 224 "Next-Generation Hidden Services in Tor" has Ed25519 signature based client authentication (3.4.2) during the Intro phase that meets these requirements, and would be the logical place/timeframe to improve the current situation.

comment:2 Changed 3 years ago by nickm

Keywords: hs-ng added
Severity: Normal
Sponsor: SponsorR-can

comment:3 Changed 13 months ago by teor

Resolution: fixed
Status: newclosed

We've merged HSv3 client authentication, so this ticket can close.

Note: See TracTickets for help on using tickets.