Changes between Version 18 and Version 19 of doc/HiddenServiceNames


Timestamp: Apr 28, 2013, 9:38:16 PM (6 years ago)
Author: cypherpunks
Comment: linked Scallion, a GPU onion bruteforcer

  • doc/HiddenServiceNames

    v18 v19  
    2323Names can be mimicked as described in Plasmoid's [http://www.thc.org/papers/ffp.html Fuzzy Fingerprints]. Here is how it works: many people cannot remember the whole .onion hash, nor did they write it down somewhere. Therefore they only check the first and last couple of characters and then assume it is alright.
    2424
    25 This issue has been first exploited for SSH fingerprints but can be adopted to Tor hidden services easily. E.g. the first seven characters of a specific .onion name can be computed within a day on a standard PC using programs like [https://github.com/katmagic/Shallot Shallot]. Imagine an attacker creates a .onion name that looks similar to the .onion of a different Hidden Service and replaces its hyperlink on the Hidden Wiki. How long would it take until someone would recognize?
     25This issue has been first exploited for SSH fingerprints but can be adopted to Tor hidden services easily. E.g. the first seven characters of a specific .onion name can be computed within a day on a standard PC using programs like [https://github.com/katmagic/Shallot Shallot] or [https://github.com/lachesis/scallion Scallion]. Imagine an attacker creates a .onion name that looks similar to the .onion of a different Hidden Service and replaces its hyperlink on the Hidden Wiki. How long would it take until someone would recognize?
    2626
    2727These days most people know that it is important to check the correctness of SSH or GPG fingerprints, but there is not much awareness for .onion names yet. As a counter-measure you should bookmark hidden services that need to be trusted instead of just following hyperlinks everyone can edit.
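Review bot: In the changed line 25, the estimate "within a day on a standard PC" is kept as written while the tool list now also names Scallion, which the change comment describes as a GPU bruteforcer, so a reader can no longer tell which tool or hardware the figure refers to. Suggest tying the estimate to a named tool and hardware class, or rewording it so it does not imply the same figure for both. While the sentence is being edited, "can be adopted to" should read "can be adapted to", and "until someone would recognize" needs an object, for example "until someone would notice".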