[messaging] Are vanity onion domains a good idea?

Mike Hearn mike at plan99.net
Mon Oct 26 09:26:25 PDT 2015


Two simple fixes for the case of non-anonymous services:

1) Don't use onion addresses. For non-anonymous services it's just being
used as a hack around the difficulty of reliably identifying Tor
connections. Otherwise you could just tell users to browse to
tor.facebook.com and then the server would give an error page if you
weren't coming from an exit. It'd be faster too.

2) Use an EV certificate so the browser shows the true name of the service
in the address bar. Chrome will show it in green next to the address,
Safari will actually show the organisation name instead of the URL, thus
solving the issue completely.

Of course neither approach works for truly anonymous web sites. Sucks to be
them.


On Fri, Oct 23, 2015 at 11:10 PM, Philipp Winter <phw at nymity.ch> wrote:

> The Tor network uses self-authenticating names for onion services, e.g.,
> 3g2upl4pq6kufc4m.onion.  These onion domains are difficult to recognise
> and remember, which is one reason why some onion service providers
> started generating vanity domains.  The idea is to keep generating key
> pairs until the hash's prefix contains a desirable string.  Facebook got
> a pretty good one with facebookcorewwwi.onion.
>
> Attackers have now started to impersonate onion services by generating
> onion domains whose prefix resembles the original.  An example is
> DuckDuckGo's search engine:
>
> Original:      3g2upl4pq6kufc4m.onion
> Impersonation: 3g2up5afx6n5miu4.onion
>                ^^^^^
> Users who encounter an impersonated onion domain might mistakenly assume
> it's the original because they recognise the prefix.  I worry that this
> kind of phishing attack is particularly effective against vanity onion
> domains because they might incentivise users disproportionately to only
> verify the easily recognisable prefix.
>
> As a result, I wonder if vanity onion domains raise more problems than
> they solve.  Should onion domain generation be made deliberately slow to
> render vanity onion domains and phishing attacks impractical?  Should we
> provide browser-based tools to manage onion domains instead of treating
> them like normal, memorable domains?
>
> Thoughts?
>
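
Added example, not part of the original messages: a check that compares the whole onion label against a set of pinned names and flags a candidate that only shares a prefix with one of them, as one form of the browser-side management the quoted message asks about. The pinned set, the function names and the min_prefix threshold are assumptions; the addresses are the ones quoted in the thread, and the 16-character base32 label format is taken from them.

```python
# Pinned names: the two genuine addresses quoted in the thread (constructed allowlist).
PINNED = {
    "3g2upl4pq6kufc4m.onion": "DuckDuckGo",
    "facebookcorewwwi.onion": "Facebook",
}
BASE32 = set("abcdefghijklmnopqrstuvwxyz234567")


def label(host):
    """Return the 16-character base32 label of an onion host, or None."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    name = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain
    return name if len(name) == 16 and set(name) <= BASE32 else None


def shared_prefix(a, b):
    """Count the leading characters two labels have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify(host, min_prefix=4):
    """Compare the whole label with every pinned name, never only the prefix."""
    cand = label(host)
    if cand is None:
        return ("invalid", None, 0)
    owner, best = None, 0
    for pinned, name in PINNED.items():
        ref = label(pinned)
        if cand == ref:
            return ("match", name, 16)
        n = shared_prefix(cand, ref)
        if n > best:
            owner, best = name, n
    if best >= min_prefix:
        return ("lookalike", owner, best)  # resembles a pinned name: warn
    return ("unknown", None, best)


def expected_keys(prefix_len):
    """Average key pairs tried before a chosen base32 prefix appears (5 bits/char)."""
    return 32 ** prefix_len
```

The impersonation address from the thread is classified as a lookalike of the DuckDuckGo entry with five shared characters, and expected_keys(5) shows how little work a prefix of that length represents.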