
I'm suspicious of anyone who seems to have trouble understanding the FBI's claims. It's clear to me that what the FBI is claiming is that some part of the CAPTCHA was linked to the server directly, rather than its TOR address.



From the article:

Even in the hypothetical case where – for some unrealistic reason – the Silk Road hidden site was including an image on an external server by referencing its IP address or hostname, the agents would still observe this traffic as having come from Tor. There is no magic way that the traffic from a real IP embedded within the HTML of a hidden service would find its way directly to a client without passing over the Tor network and through Tor nodes. Were this the case, it would be a huge vulnerability in Tor, as it would allow the administrator of a hidden site to uncover visitors by including an element that is served directly to the client over clearnet (thankfully it isn’t and this doesn’t work – try it).


I don't think they are presenting it accurately. I think what they are indicating is it was something like this:

    Login page
    ...
    $code_to_embed_captcha
    ...

I believe $code_to_embed_captcha was returning something along the lines of http://REAL_SERVER_IP/captcha.jpg instead of http://ONION_ADDRESS/captcha.jpg

This wouldn't allow you to identify users; the request for captcha.jpg is still routed through TOR. However, it does reveal the true IP of the server.


This is my guess as well. That or the captcha had a query parameter like ?nonce=1234&redirect_url=$HOSTNAME/login


Yeah, except that as he said the Silk Road site was pretty heavily scrutinized and if it was that simple other people would have spotted it.
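
The two leak shapes guessed at in the comments above (a CAPTCHA embed that points at the server's real IP, and a query parameter that carries the hostname) can be checked for by a hidden-service operator in the HTML the service returns. The following is an added example, not part of the thread; the sample page, the 192.0.2.10 documentation address and the onion hostname are constructed, and the query-value check is a heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

URL_ATTRS = {"src", "href", "action", "data", "poster"}

# Constructed sample of a login page served over an onion address.
SAMPLE_PAGE = """
<html><body><form action="/login" method="post">
<img src="http://192.0.2.10/captcha.jpg">
<img src="/static/logo.png">
<img src="http://exampleonionaddress.onion/captcha.jpg">
<a href="/captcha?nonce=1234&amp;redirect_url=192.0.2.10/login">new captcha</a>
</form></body></html>
"""

def _is_onion(host):
    return host is not None and host.lower().endswith(".onion")

class LeakFinder(HTMLParser):
    """Collects (tag, attr, url, reason) for references that name a non-onion host."""
    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self._check(tag, name, value.strip())

    def _check(self, tag, attr, url):
        parts = urlsplit(url)
        # Relative URLs carry no host and stay on the address that served the page.
        if parts.netloc and not _is_onion(parts.hostname):
            self.leaks.append((tag, attr, url, "absolute URL to non-onion host"))
        # A query value can name the host as well (the redirect_url case).
        for key, val in parse_qsl(parts.query):
            host = urlsplit(val if "//" in val else "//" + val).hostname
            if host and "." in host and not _is_onion(host):
                self.leaks.append((tag, attr, url, f"query parameter {key} names {host}"))

def find_leaks(html_text):
    finder = LeakFinder()
    finder.feed(html_text)
    return finder.leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_PAGE):
        print(leak)
```

The client still fetches a flagged URL through Tor, as the comments note; what the check surfaces is that the page source itself discloses the server's clearnet address.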



