undefined | Better HN

0 points_wldu4y ago0 comments

That's sort of like having backdoor access to your internal network (similar to teredo). Others may use it to gain access to that network. If it's your home, that may be OK to you, but if it is an employer, you may want to obtain approval to do that and be sure all of your hidden services use keys or strong passwords for access.

0 comments

10 comments · 2 top-level

c0wb0yc0d3r4y ago· 6 in thread

Could you explain this a bit more? How would this be more open than port forwarding? I don't see how someone could leverage this without exploiting whatever app is hosted as the hidden service?

_wlduOP4y ago

It's a tunnel into your internal network.

If nation states and/or cyber criminals do control most of tor, then you are opening your internal network to those groups.

sweetbitter4y ago

No, because it is possible establish a token required for access to an onion service on top of the obscurity of having to actually discover the service's public address.

It is also extremely likely that said adversaries control most of Tor, considering that the main mechanisms of tracing Tor circuits do not require control over any nodes of the Tor network whatsoever- snooping on IXPs and as many autonomous systems and underwater wires as possible.

throwaway20484y ago

So is port forwarding or running any other services, tor is special in absolutely no meaningful respect here.

1 more reply

jstanley4y ago

Yes, it's exactly like port forwarding.

I_Byte4y ago

This is incorrect. A Tor hidden service is fundamentally different from port forwarding. If you don't have the hidden services onion address (v3 address) then you physically cannot make a connection to the hidden service. This is because the onion address is the hidden services public key.

You can scan the entire internet for open ports, you can't scan the Tor network for hidden services to connect to unless you already have the hidden services onion addresses.

1 more reply

ycuser24y ago

Are you sure? Don't an attacker need knowledge of the onion address, which is almost unguessable?

But with client authentification that wouldn't be a problem anyways because only chosen clients get access.

1 more reply

I_Byte4y ago· 2 in thread

This is completely incorrect. It is physically impossible to make a connection to a hidden service without the hidden services onion address (I am talking about the current v3 onion addresses, the ones that are 56 characters long). This is thanks to the fact that the onion address itself is the hidden services public key.

If you keep your onion address private then nobody can connect to your hidden service or even know that it exists. Simple as that.

jcrawfordor4y ago

It's also "physically impossible" for someone to gain access to a well configured IPSec endpoint, yet we still consider this a point of access that needs appropriate controls and security oversight. There are many, many ways that people collect key material to use to access tunnels to corporate networks. No matter how confident you might be in the technology, you should never provide an access point to a private network without full consideration of the security and compliance implications.

Perhaps the bigger issue though is that Tor at least used to be frequently used by botnets for C2, I'm not in a SOC environment any more so I'm not sure how much that trend has changed. But it's very common for corporate security programs to configure IDS to report on Tor traffic since it's associated with some sort of compromise a good percentage of the time. This does mean you get occasional false positives from normal Tor use to e.g. anonymously access public materials but that's life in a SOC. The point though is that most corporate environments ought to notice this kind of thing happening whether or not it's done with the approval of IT/security.

nonamenoslogan4y ago

Security through obfuscation isn't bad, but its certainly not infallible.

j / k navigate · click thread line to collapse

0 comments

10 comments · 2 top-level

c0wb0yc0d3r4y ago· 6 in thread

Could you explain this a bit more? How would this be more open than port forwarding? I don't see how someone could leverage this without exploiting whatever app is hosted as the hidden service?

_wlduOP4y ago

It's a tunnel into your internal network.

If nation states and/or cyber criminals do control most of tor, then you are opening your internal network to those groups.

sweetbitter4y ago

No, because it is possible establish a token required for access to an onion service on top of the obscurity of having to actually discover the service's public address.

throwaway20484y ago

So is port forwarding or running any other services, tor is special in absolutely no meaningful respect here.

1 more reply

jstanley4y ago

Yes, it's exactly like port forwarding.

I_Byte4y ago

You can scan the entire internet for open ports, you can't scan the Tor network for hidden services to connect to unless you already have the hidden services onion addresses.

1 more reply

ycuser24y ago

Are you sure? Don't an attacker need knowledge of the onion address, which is almost unguessable?

But with client authentification that wouldn't be a problem anyways because only chosen clients get access.

1 more reply

I_Byte4y ago· 2 in thread

If you keep your onion address private then nobody can connect to your hidden service or even know that it exists. Simple as that.

jcrawfordor4y ago

nonamenoslogan4y ago

Security through obfuscation isn't bad, but its certainly not infallible.

j / k navigate · click thread line to collapse