diff options
| author | Micah Lee <micah@micahflee.com> | 2020-11-15 14:16:13 -0800 |
|---|---|---|
| committer | Micah Lee <micah@micahflee.com> | 2020-11-15 14:16:13 -0800 |
| commit | 9c18a9cbe9708fee7a7e005f04dced5073645e89 (patch) | |
| tree | 82327653fea45fcb14a91ab62e6f828b02367bfb /docs | |
| parent | 65320b5e87707b8a2a3a6b52ac2e13a7b62638b3 (diff) | |
| download | onionshare-9c18a9cbe9708fee7a7e005f04dced5073645e89.tar.gz onionshare-9c18a9cbe9708fee7a7e005f04dced5073645e89.zip | |
Update security design docs for 2.3
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/source/security.rst | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/docs/source/security.rst b/docs/source/security.rst index 4f85600a..eb68f5f6 100644 --- a/docs/source/security.rst +++ b/docs/source/security.rst @@ -1,4 +1,4 @@ -Security design +Security Design =============== Read :ref:`how_it_works` first to get a handle on how OnionShare works. @@ -10,15 +10,15 @@ What OnionShare protects against **Third parties don't have access to anything that happens in OnionShare.** Using OnionShare means hosting services directly on your computer. When sharing files with OnionShare, they are not uploaded to any server. If you make an OnionShare chat room, your computer acts as a server for that too. This avoids the traditional model of having to trust the computers of others. -**Network eavesdroppers can't spy on anything that happens in OnionShare in transit.** The connection between the Tor onion service and the Tor Browser is end-to-end encrypted. This means no network attackers can eavesdrop. Only Tor traffic is available to anyone at any point of the exchange. Even if eavesdropper is a malicious rendezvous node used to connect the Tor Browser with OnionShare's onion service, the traffic is encrypted using the identity private key. +**Network eavesdroppers can't spy on anything that happens in OnionShare in transit.** The connection between the Tor onion service and Tor Browser is end-to-end encrypted. This means network attackers can't eavesdrop on anything except encrypted Tor traffic. Even if an eavesdropper is a malicious rendezvous node used to connect the Tor Browser with OnionShare's onion service, the traffic is encrypted using the onion service's private key. **Anonymity of OnionShare users are protected by Tor.** OnionShare and Tor Browser protect the anonymity of the users. As long as the OnionShare user anonymously communicates the OnionShare address with the Tor Browser users, the Tor Browser users and eavesdroppers can't learn the identity of the OnionShare user. -**If an attacker learns about the onion service, it still can't access anything.** Prior attacks against the Tor network to enumerate the onion services amount to discovering the .onion address of the services on it. Accessing them is stopped by a random password (unless the OnionShare user chooses to turn it off and make it public). The password is generated by choosing two random words from a list of 6800 words, making 6800^2, or about 46 million possible passwords. Only 20 wrong guesses can be made before OnionShare stops the server, preventing brute force attacks against the password. +**If an attacker learns about the onion service, it still can't access anything.** Prior attacks against the Tor network to enumerate onion services allowed the attacker to discover private .onion addresses. If an attack discovers a private OnionShare address, a password will be prevent them from accessing it (unless the OnionShare user chooses to turn it off and make it public).. The password is generated by choosing two random words from a list of 6800 words, making 6800^2, or about 46 million possible passwords. Only 20 wrong guesses can be made before OnionShare stops the server, preventing brute force attacks against the password. What OnionShare doesn't protect against --------------------------------------- -**Communicating the OnionShare address might not be secure.** Communicating the OnionShare address to people is the responsibility of the OnionShare user. If sent insecurely (such as through an e-mail message monitored by an attacker), an eavesdropper can tell OnionShare is being used. By loading the address in Tor Browser before the legitimate recipient gets to it, the service can be accessed. If this is to be avoided, the address must be communicateed securely, via encrypted e-mail, or in person. Voice call is a better secondary option than unencrypted chat in most cases, as it is a different network to eavesdrop. This isn't necessary when using OnionShare for something that isn't secret. +**Communicating the OnionShare address might not be secure.** Communicating the OnionShare address to people is the responsibility of the OnionShare user. If sent insecurely (such as through an email message monitored by an attacker), an eavesdropper can tell that OnionShare is being used. If the eavesdropper loads the address in Tor Browser while the service is still up, they can access it. To avoid this, the address must be communicateed securely, via encrypted text message (probably with disappearing messages enabled), encrypted email, or in person. This isn't necessary when using OnionShare for something that isn't secret. -**Communicating the OnionShare address might not be anonymous.** To ensure maximum privacy, extra steps must be taken to ensure the OnionShare address is communicated securely. A new e-mail or chat account, only accessed over Tor, can be used to share the address. This isn't necessary unless anonymity is an absolute goal. +**Communicating the OnionShare address might not be anonymous.** Extra steps must be taken to ensure the OnionShare address is communicated anonymously. A new email or chat account, only accessed over Tor, can be used to share the address. This isn't necessary unless anonymity is a goal. |