
A couple questions.

1. Are users of .onion services protected from the server just as well as the hidden service is protected?

2. What reassurances are there that tormail is not a honeypot?



>1. Are users of .onion services protected from the server just as well as the hidden service is protected?

An .onion server, AFAIK, might have the IP of the end point your traffic ended up going through to reach the .onion server, but not of the point of origin.

The vulnerability with Tor, as a user, comes from folks operating the Tor nodes. Adrian Lamo, the guy that sold out Bradley Manning, was running Tor nodes at one point (that's not how he got wind of Manning, but my guess is he wasn't running the Tor nodes for altruistic reasons).


> An .onion server, AFAIK, might have the IP of the end point your traffic ended up going through to reach the .onion server, but not of the point of origin.

Correct. All any tor node gets with any traffic is the immediate node that it came from, and the immediate node that it is going to - only one hop in each direction.

If you get a packet from node C, to give to node E, that packet will be encrypted so that only E can decrypt it. They then "unwrap it" (like pass the parcel, or an onion) to reveal its next destination, F - and this unwrapped one is encrypted so that only F can read it.

(note: precise technical details almost certainly incorrect, but the principle is accurate)
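The layered "pass the parcel" idea from the comment above, as an added illustration that is not part of the thread and is not Tor's actual protocol: a toy cipher (SHA-256 keystream plus an HMAC tag) stands in for the real circuit cryptography, the relay names C, E, F follow the comment, and the function names and demo keys are hypothetical.

```python
import hashlib, hmac, json

# Toy stand-in cipher (SHA-256 keystream + HMAC tag); NOT Tor's real cryptography.
def _stream(key, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + b"enc" + i.to_bytes(8, "big")).digest()
        i += 1
    return out[:n]

def seal(key, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, len(plaintext))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("layer was not sealed for this relay")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))

def wrap(path, keys, payload):
    """Sender builds the onion inside-out: the last hop's layer first."""
    blob = seal(keys[path[-1]], json.dumps({"next": None, "data": payload.hex()}).encode())
    for hop, nxt in zip(reversed(path[:-1]), reversed(path[1:])):
        blob = seal(keys[hop], json.dumps({"next": nxt, "data": blob.hex()}).encode())
    return blob

def peel(key, blob):
    """One relay removes its own layer and learns only the next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, keys, blob):
    """Forward the onion hop by hop, recording what each relay could observe."""
    seen, prev, hop = {}, "sender", path[0]
    while hop is not None:
        nxt, blob = peel(keys[hop], blob)
        seen[hop] = (prev, nxt)
        prev, hop = hop, nxt
    return seen, blob

# Constructed demo keys, one per relay; each key is used once in this demo.
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in "CEF"}
PATH = ["C", "E", "F"]

if __name__ == "__main__":
    seen, delivered = route(PATH, KEYS, wrap(PATH, KEYS, b"hello"))
    print(seen, delivered)
```

Each entry in `seen` holds only the previous and next hop for that relay, and a relay handed a layer sealed for a different relay fails the tag check instead of reading it.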


> 2. What reassurances are there that tormail is not a honeypot?

None, which is why you should always use PGP. The advantage of tormail is they provide a free onion interface to email.


1) yes, in fact more so, because they rely upon no fixed keys

2) there is zero reassurance, there is also zero reassurance gmail isn't sending all your mail to the NSA, etc. TOR helps you ensure you can keep your tormail and your clearnet identities as separate as possible, alternatively, run your own service.


As stated in a comment above, using PGP/GPG could help. If those emails are encrypted, that adds an extra layer of security around the contents of those emails.

(Of course, that rests on the security of prime-number encryption, which may not be the best assumption when dealing with the NSA, but that's another discussion.)


2. You can't ever know for sure but it doesn't necessarily matter. The point of tor is NOT to keep your activities secret (for example, your exit node would be able to read any plaintext traffic you send, such as regular HTTP, or IRC, and also know your patterns of access - which IPs, how much data, etc) - it is to disconnect the ownership of those activities from your "real life" identity.

Assume anyone can read those emails you're sending on Tor, and act accordingly (i.e. no information that could identify you).


1. In the sense the server does not know the user's IP address so far as I know, yes.

2. No idea.



