[messaging] Are vanity onion domains a good idea?
natanael.l at gmail.com
Fri Oct 23 14:48:48 PDT 2015
On 23 Oct 2015 23:10, "Philipp Winter" <phw at nymity.ch> wrote:
> The Tor network uses self-authenticating names for onion services, e.g.,
> 3g2upl4pq6kufc4m.onion. These onion domains are difficult to recognise
> and remember, which is one reason why some onion service providers
> started generating vanity domains. The idea is to keep generating key
> pairs until the hash's prefix contains a desirable string. Facebook got
> a pretty good one with facebookcorewwwi.onion.
>
> Attackers have now started to impersonate onion services by generating
> onion domains whose prefix resembles the original. An example is
> DuckDuckGo's search engine:
>
> Original: 3g2upl4pq6kufc4m.onion
> Impersonation: 3g2up5afx6n5miu4.onion
>
> Users who encounter an impersonated onion domain might mistakenly assume
> it's the original because they recognise the prefix. I worry that this
> kind of phishing attack is particularly effective against vanity onion
> domains because they might incentivise users disproportionately to only
> verify the easily recognisable prefix.
>
> As a result, I wonder if vanity onion domains raise more problems than
> they solve. Should onion domain generation be made deliberately slow to
> render vanity onion domains and phishing attacks impractical? Should we
> provide browser-based tools to manage onion domains instead of treating
> them like normal, memorable domains?
They're representations of public keys. Treat them like all other
representations of public keys. Don't expect the user to remember them
exactly. Use bookmarks, phishing protected authentication (U2F / UAF), be
careful with your sources.
- Sent from my tablet
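As an added example (not from either message in the thread): a small Python sketch of what "treat them like public keys" and "use bookmarks" mean in practice, using the two addresses quoted above. The address derivation follows the v2 hidden-service scheme (base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key); the key bytes and the lookalike threshold are constructed placeholders, and nothing here searches for prefixes.

```python
import base64
import hashlib
from typing import Dict

# The two addresses quoted in the thread.
DUCKDUCKGO_ONION = "3g2upl4pq6kufc4m.onion"
LOOKALIKE_ONION = "3g2up5afx6n5miu4.onion"


def onion_v2_address(der_public_key: bytes) -> str:
    """Derive a v2-style onion address from a DER-encoded RSA public key.

    The address is the base32 encoding of the first 80 bits (10 bytes) of
    SHA-1 over the key. It is a key fingerprint, not a name: flipping one
    bit of the key changes the whole address, so two addresses that share
    a prefix say nothing about sharing an operator.
    """
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters a and b have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check_against_bookmarks(address: str, bookmarks: Dict[str, str]) -> str:
    """Classify an address the way a bookmark-based check would.

    bookmarks maps a label ("DuckDuckGo") to the full address the user
    saved earlier. Only a full, exact match is trusted; an address that
    merely shares a leading run of characters with a saved one is flagged
    as a lookalike, which is exactly the case a prefix-only eyeball check
    gets wrong. The 4-character threshold is a constructed choice.
    """
    address = address.strip().lower()
    for label, saved in bookmarks.items():
        if address == saved.lower():
            return "trusted: " + label
    best_label, best_len = "", 0
    for label, saved in bookmarks.items():
        n = common_prefix_len(address, saved.lower())
        if n > best_len:
            best_label, best_len = label, n
    if best_len >= 4:
        return "lookalike of %s (shares %d leading chars)" % (best_label, best_len)
    return "unknown"
```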