Chris Marusich writes: > I know what you mean, but I think having TOR listen on localhost is > safer than having a Guile REPL listen on localhost. In the case of > Guile, the risk is arbitrary code execution. In the case of TOR, I > suppose the risks might be that an attacker would be able to make > requests over TOR from your machine. Perhaps by making such requests, > they might also be able to infer that you are using TOR (although it's > already possible to determine that a person is using TOR simply by > watching their IP traffic). In any case, since TOR is functioning as a > proxy, not a Turing-complete programming language, the things an > attacker could do or learn by making requests from your machine to the > localhost TOR seem limited. Compared to the risk of arbitrary code > execution, it seems much safer to me.
What about sending messages to a specific .onion address to unmask you? If you send a unique request to http://foobarbaz.onion/?id=50108560 (or ip=...) you might be able to associate a specific address. It may be that this is not as easily possible since I suspect Tor is not as susceptable to a line-oriented attack, so maybe it's not a concern... I dunno.
