An onion address is not unguessable; it's stored on a DHT shared by relays with the HSDir flag (which they earn after ~7 days IIRC).
I think this changed slightly with v3 addresses, so my comment might be out of date, but I think the general premise remains the same. (EDIT: Apparently with V3 addresses, there is still a DHT, but the client uses key derivation so that the HSDir only stores a daily-rotated identifier known as a "blinded public key." [0])
Although your hidden service address is not hidden, you can require that any client connecting to it present a valid authorization key (I think this is also new in V3?).
Also, it obviously depends on which service you're exposing — if you are exposing an SSH server that only allows key-based authentication, then it shouldn't matter if people can simply connect to it — assuming you trust the SSHD software, and your threat model doesn't depend on avoiding detection completely.
[0] https://blog.torproject.org/v3-onion-services-usage/