
Interview with a Tor developer who works on hidden services - p4bl0
https://blog.torproject.org/blog/nine-questions-about-hidden-services
======
MichaelGG
Is there added security by stacking hidden services? So a.onion is just a
reverse proxy for b.onion? Buys you a bit more time before the final server
gets popped? Or can you increase the number of Tor hops for your hidden
service to get a similar effect?

Thinking of Silk Road - was it ever proved they leaked their IP versus some
more advanced way of finding the server? (I know, it's highly likely that such
a poorly written system would have had a real IP leak, just wondering what
documented facts we have.)

~~~
at-fates-hands
The investigators claimed they found it when the login page leaked its IP. It
was one of the more contested facts of the case - some thought it was
possible, other infosec people thought it wasn't.

There are stories that say Ulbricht was notified by someone in one of the chat
rooms that the site was leaking IP addresses, but Ulbricht never fixed it,
which allowed the FBI to find the real server in Iceland.

Wired did a great two-part article on the story:

[http://www.wired.com/2015/04/silk-road-1/](http://www.wired.com/2015/04/silk-road-1/)

More articles on the leaky login page:

[http://www.wired.com/2014/09/the-fbi-finally-says-how-it-leg...](http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server/)

[http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leak...](http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/)

[http://www.theregister.co.uk/2014/09/08/leaky_captcha_behind...](http://www.theregister.co.uk/2014/09/08/leaky_captcha_behind_fbis_silk_road_rapture/)

~~~
NoMoreNicksLeft
This conversation shouldn't happen without first talking about "parallel
construction".

[https://en.wikipedia.org/wiki/Parallel_construction](https://en.wikipedia.org/wiki/Parallel_construction)

We know they've tapped every fiber there is, in closets and undersea. It would
be simple to use timing attacks at that point.

Given that they had the means, and the lack of principles to use those means,
why would we believe it was anything else? We don't have to invent absurd
scenarios, nor should we believe anyone else's inventions.

------
unsignedint
> Yes, I do run onion services; I run an onion service on every box I have. I
> connect to the PC in my house from anywhere in the world through SSH—I
> connect to my onion service instead of my house IP. People can see my laptop
> accessing Tor but don’t know who I am or where I go.

Funny, I do the same thing and it saved me a few times when my router went
crazy and stopped port forwarding, but I still had access to it. (And
successfully fixed the problem without making a visit to the site...)

------
jokoon
I wonder if I2P is not becoming a little more attractive than Tor.

~~~
aw3c2
Unfortunately I2P has not had nearly the same amount of research attention.

------
golergka
I think that the correct definition of this article is "FAQ", not interview. The
term "interview" usually implies actual conversation.

~~~
corin_
I disagree. Interviews range from full conversations to simple questions and
answers; "FAQ", on the other hand, implies many people asking the same
questions, not a single interviewer asking them.

~~~
nitrogen
Q&A might be what the OP meant?

