[tor-talk] Dutch police break into webservers over hidden services
Roger Dingledine
arma at mit.edu
Thu Sep 1 06:24:54 PDT 2011
Several people have asked us on irc about recent news articles like
http://wireupdate.com/wires/19812/dutch-police-infiltrate-hidden-child-porn-websites-in-the-u-s/
Apparently the Dutch police exploited vulnerabilities in the webservers
reachable over the hidden services. Some people are confusing this issue
with an attack on Tor. Tor just transports bytes back and forth. If you
have an instant messaging conversation with a Tor user and convince her
to tell you her address, did you break Tor? Having an http conversation
with a webserver running over a Tor hidden service, and convincing it
to tell you its address, is not much different.
So what lessons can we learn here, other than the usual "criminals
are not as smart as your average bear"? (If only we could count on bad
people to run insecure software, and good people to secure their software
correctly, the world would be a much simpler place.) One lesson is that
there are a lot of non-Tor components that can go wrong in keeping a
hidden service hidden -- just as we have a laundry list of security
and privacy issues to consider when using Tor as a normal client (at
the bottom of https://www.torproject.org/download/download.html.en )
there's a whole other set of issues, mostly unexplored, for hidden
service operators to keep in mind:
https://www.torproject.org/docs/tor-hidden-service.html.en#three
--Roger
_______________________________________________
tor-talk mailing list
tor-talk at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
More information about the cypherpunks-legacy
mailing list