Potential security issue with DREAD

5 Upvotes
Dread using Daniels Hosting?
Posted 3 days ago* in /d/Dread
by localhost
3 comments

Around 3 days ago a user named /u/localhost made a thread on Dread called "Dread using Daniels Hosting?"

5 Upvotes
Dread using Daniels Hosting?
Posted 3 days ago* in /d/Dread
by localhost
[removed]
3 comments 

2 days later it was removed and I was curious, so I contacted localhost to see if he or an Admin potentially trying to censor was behind it.

But localhost did not delete his post; /u/HugBunter did.

https://www.pictshare.net/3qgkjxida4.png

https://www.pictshare.net/sw87uxbrlj.png

__

From localhost, a PM

"His attitude and removal of the post is worse to me than the usage of dhosting. I hate censorship. He shouldn't underestimate users' ability to understand the consequences of sharing your onion private key with an unknown third party. People should know and be able to make judgment for themselves. Whether it's temporary or not, if it's something you guys want to keep secret, then that's an indication that you both know and understand that this is potentially harmful to your visitors and you don't want anyone to know to preserve your "image". Furthermore, I should take this knowledge to Reddit and let everyone know what's really going on. This "front-end" nonsense is really starting to feel fishy. You guys need to fix this or get ahead of this by making a Reddit post, before I decide to let everyone know."

I replied

and here's localhost's response again

"I don't suspect LE is involved. If it was LE, they would be able to easily afford a high end VPS to host their honeypot. Using dhosting just doesn't make sense, it's just terrible fucking OPSEC. Why use an unknown third party when he can host an onion on a $30 Raspberry Pi...

He said he would remove the dhosting stuff days ago but it's still in use. You should use PGP as much as possible. With dhosting in possession of the Dread private key they can decrypt all of our HTTP traffic. I'm not trying to spread FUD, I genuinely have no idea what other types of attacks can be used against users when a private key has been compromised. I'm a hacker but not a Tor dev or expert, so that's a little above my skill level.

I think you should bring this news to Reddit, and let a wider audience decide how dangerous this is. Here's the command anyone can use to reveal dhosting as the "front-end".

$ torsocks curl -H "Host: localhost" 'http://dreadecomdopooda.onion'

Any Linux user with torsocks and curl installed will be able to verify."


Comments


[8 Points] HugBunter:

This is FUD and why it was privately addressed with localhost. The proxy server is being moved, which is why there is a temporary solution in place using Dhost to ensure the site stays up. Dhost does not have access to the private key, server files or database.


[4 Points] Getlife_:

Smells good


[3 Points] _PrinterPam_:

Allow me to ask an obvious question: So fucking what?

It's not like we're talking about a market & people's money here. It's not like the owner of a hidden service (or anyone in possession of the private key) can back-track through the Tor network and discover people's identities. As to the risk to the person running the site: That's his problem.


[1 Points] Kritone:

HugBunter can get in trouble for running Dread? But why? There's nothing selling there, it's just a community.


[1 Points] PedroElCabaloLoco:

I have a Raspberry Pi. HugBunter, do you want to host your site on my Raspberry? I do it free for the community.

/u/kritone message him pls


[1 Points] safetripp:

Novice here, but if it was a front end, did someone catch which server it was making requests to?


[1 Points] DAVAgreen:

Can't even access it. Is it down?


[0 Points] None:

[deleted]