Onionshare – Securely share a file of any size using Tor - sinak
https://github.com/micahflee/onionshare

======
liotier
If you are going to run a hidden service, be aware that running a Tor router
and a hidden service on the same host may expose the location of the hidden
service: [http://cybermashup.com/2013/09/04/dont-run-a-tor-router-and-...](http://cybermashup.com/2013/09/04/dont-run-a-tor-router-and-a-hidden-service-from-the-same-connection/)

------
civilian
Not super relevant, but I love Flask. It's so nice for quickly writing a simple
webapp for small applications like this. I love Django too, but
[https://github.com/micahflee/onionshare/blob/master/onionsha...](https://github.com/micahflee/onionshare/blob/master/onionshare.py)
would be at least half a dozen files in Django.

~~~
eric_bullington
I'm kind of getting back into Flask after a flirtation with Go. I think I'll
continue to use Go for APIs, but for quick web apps there's nothing like Flask,
and it's getting pretty decent performance now with PyPy (and PyPy with Gevent
now!).

I've actually been working today polishing up a skeleton app I use for my
Flask apps for other devs to use -- still rewriting but I'll throw this out
there since it's already pretty usable for small-to-midsized projects (MIT
license):

[https://github.com/esbullington/flask-bootstrap](https://github.com/esbullington/flask-bootstrap)

~~~
odonnellryan
Just curious, why do you do your URL routing that way?

[https://github.com/esbullington/flask-bootstrap/blob/master/...](https://github.com/esbullington/flask-bootstrap/blob/master/app/__init__.py#L47)

~~~
eric_bullington
Well, I think that as your app grows, it's not a bad idea to keep routing
separate from the controllers. I may even put them into their own file as I
extend this project to support blueprints.

------
zaroth
Really....? I guess an NSA honeypot would be more subtle, but seriously I
don't know whether to be sad or angry;

    
      def check_auth(username, password):
        global auth_username, auth_password
        # both 'and' and '==' stop at the first mismatch, so the time taken
        # depends on how much of the submitted value was correct
        return username == auth_username and password == auth_password

~~~
codys
What is being complained about here?

The obvious thing that stands out to me is potential timing attacks: 'and'
doing short circuit eval, and '==' exiting early when the first byte is
non-equal (or the lengths are non-equal).

~~~
micahflee
I have doubts that a timing attack would even be exploitable here since it's a
hidden service, but I just made the string comparison constant-time to be
safe:
[https://github.com/micahflee/onionshare/issues/3](https://github.com/micahflee/onionshare/issues/3)

Keep in mind that the username/password are just hex-encoded 128 bits from
/dev/urandom, so they're not guessable at all without some sort of leakage
attack, like a timing attack. And if anyone attempts to do a timing attack the
person hosting the file will see all the requests scrolling down their
terminal in real-time and can always hit ctrl-c.

There's also the bit about knowing the hidden service .onion to attack in the
first place, which wouldn't be trivial to discover, especially since I
envision these to mostly be very short-lived.

But all that said, this is great feedback. Keep it coming and feel free to
open security issues on github.

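The early-exit comparison criticised above beside two constant-time alternatives, with credentials generated the way micahflee describes (hex-encoded 128 bits from the OS random source). This is an added example, not code from the onionshare repository or from anyone in this thread; the function and variable names are my own.

```python
import hmac
import os


def naive_equal(a: str, b: str) -> bool:
    """Mirrors what '==' does internally: stops at the first differing
    byte, so the elapsed time reveals how long the matching prefix is."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_equal(a: str, b: str) -> bool:
    """Hand-rolled constant-time compare: every byte is visited and the
    mismatches are OR-folded into one accumulator instead of returning
    early. The length check may return early; here the credential
    length is public (always 32 hex chars), so that leaks nothing."""
    ab, bb = a.encode(), b.encode()
    if len(ab) != len(bb):
        return False
    diff = 0
    for x, y in zip(ab, bb):
        diff |= x ^ y
    return diff == 0


def generate_credential() -> str:
    """128 bits from the OS CSPRNG, hex-encoded (32 lowercase hex chars)."""
    return os.urandom(16).hex()


# Generated once at startup, like the username/password the thread describes.
auth_username = generate_credential()
auth_password = generate_credential()


def check_auth(username: str, password: str) -> bool:
    """Hardened counterpart of the check_auth quoted above (my own version).
    Uses the stdlib constant-time comparison and '&' instead of 'and', so
    both comparisons always run and neither short-circuits the other."""
    user_ok = hmac.compare_digest(username.encode(), auth_username.encode())
    pass_ok = hmac.compare_digest(password.encode(), auth_password.encode())
    return bool(user_ok & pass_ok)
```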
~~~
harshreality
What is the semantic difference between username and password? If they're both
randomly generated for a particular resource, why not combine them into one
access key field?

------
akerl_
Previous thread on the article published for this project:
[https://news.ycombinator.com/item?id=7780488](https://news.ycombinator.com/item?id=7780488)

