On Sun, Aug 25, 2013 at 05:05:26PM -0400, hi...@safe-mail.net wrote: > The US feds did actually take down FH, which was a HIDDEN SERVICE! They > found it and arrested the admin! Period!
Reminds me of my response when in 2011 some Dutch police broke into a hidden service: https://lists.torproject.org/pipermail/tor-talk/2011-September/021198.html "If you have an instant messaging conversation with a Tor user and convince her to tell you her address, did you break Tor? Having an http conversation with a webserver running over a Tor hidden service, and convincing it to tell you its address, is not much different." We don't know in this case if they did it through exploiting the software running on the other end of the hidden service, or by the old "follow the money" trick, or by having an insider provide the info, or what. It could in fact have been by attacking the Tor protocol directly (see below). But I think in many cases, even with the various known weaknesses, the above "just bypass Tor and attack them in other ways" approaches are even easier. (This observation should scare you more, not less.) The fact that somebody started serving malware on the various hidden services: https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable makes me think that they got in via the software running the webserver. I mean, heck, I heard he let strangers run php scripts in his webserver. For another case of a hidden service being compromised, see https://blog.torproject.org/blog/trip-report-october-fbi-conference The summary sentence there is "Way before they switched to a Tor hidden service, the two main people used Hushmail to communicate." > If they can find hidden services, finding regular tor clients would be even > easier! This part is unfortunately (well, ok maybe fortunately, but either way) false. Hidden services are weaker than normal Tor circuits for two reasons: a) they stay in the same place over time, and b) you, the user, can choose how often they make circuits. These two properties combine to produce a variety of other problems. I described some of them briefly in the 29c3 talk this past December, but see https://blog.torproject.org/blog/hidden-services-need-some-love for many more details, including references to academic papers on the topic. --Roger -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk