Several people have asked us on irc about recent news articles like
http://wireupdate.com/wires/19812/dutch-police-infiltrate-hidden-child-porn-websites-in-the-u-s/

Apparently the Dutch police exploited vulnerabilities in the webservers reachable over the hidden services.

Some people are confusing this issue with an attack on Tor. Tor just transports bytes back and forth. If you have an instant messaging conversation with a Tor user and convince her to tell you her address, did you break Tor? Having an http conversation with a webserver running over a Tor hidden service, and convincing it to tell you its address, is not much different.

So what lessons can we learn here, other than the usual "criminals are not as smart as your average bear"? (If only we could count on bad people to run insecure software, and good people to secure their software correctly, the world would be a much simpler place.)

One lesson is that there are a lot of non-Tor components that can go wrong in keeping a hidden service hidden -- just as we have a laundry list of security and privacy issues to consider when using Tor as a normal client (at the bottom of https://www.torproject.org/download/download.html.en ) there's a whole other set of issues, mostly unexplored, for hidden service operators to keep in mind:
https://www.torproject.org/docs/tor-hidden-service.html.en#three

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk