Onion service should have a random prefix · guardianproject/haven#47

(3 评论) (0 反应) (0 负责人)Java (6,509 star) (747 fork)batch import

enhancementhelp wantedlow-priority

描述

Until next gen onion services are live, the actual onion addresses aren't private from HSDir nodes. So it's possible that Haven onion services could get discovered by an attacker, giving them access to all of the evidence logs.

The easiest way to thwart this is to generate a random string and prefix all the URLs with it. So instead of starting with just http://blahblahblah.onion:8080/, the URLs should start with http://blahblahblah.onion:8080/randomstring/. This way, if an attacker discovered the onion service, they won't be able to view the logs without guessing the value of randomstring -- which is essentially a random password. This is how OnionShare URLs works.

贡献者指南

技术栈: javaandroid
领域: security
议题类型: feature
难度: 3
预计时间: half day
活动状态: stale
清晰度: clear
前置要求: Android development basicsUnderstanding of Tor onion services
新手友好度: 45
研究方向: First, scan the codebase for how the onion URL is generated and used. Check for any existing URL prefix or path handling. Likely files include activities or services that construct HTTP URLs. Also investigate the Tor service setup in the app. The issue is similar to OnionShare's approach; reviewing their implementation may provide guidance. No linked PRs or recent comments to draw from.