* on the Sat, Mar 31, 2007 at 05:49:53PM +0100, Mike Cardwell wrote: > That's exactly the way I should have described the issue in my original > post. I didn't think I'd need to spell it out in so much detail. :) > > If you assume that everyone that has set up a hidden service has done > the google test as described in the documentation and hasn't then > changed the onion address afterwards. Also assume that google logs the > Host header, eg using apache common+host format and that they archive > the logs. This gives google the ability to grep for an onion address and > get the real ip of the hidden service if they're ever "asked" for it.
Further to this, there is still a problem even if you *do* change the onion address after doing the test. The fact that google can see that someone was testing setting up a hidden tor service from a particular IP on a particular date is often going to be enough info to expose the *probable* real location of a hidden service. Mike
