mirror of
http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git
synced 2025-07-02 06:46:42 +00:00
add tor client auth gen explanation
This commit is contained in:
parent 65a3837ecc
commit abc8ba8820
1 changed files with 16 additions and 0 deletions
|
@ -260,6 +260,22 @@ cat /var/lib/tor/onion/prometheus/hostname
|
|||
[clientaddr].onion
|
||||
</code></pre>
|
||||
|
||||
What's that tor-client-auth-gen you ask? In order to protect this critical service from attacks that could be done against the grafana servers or from stolen credentials we need more than just security by obscurity
|
||||
(relying on the attacker not knowing our hidden service address).
|
||||
|
||||
<br>
|
||||
When a client tries to connect to an onion service they request a server descriptor from a tor directory server that gives them a path to a rendez-vous point where they will be able to talk to each other. The keys we just created will be used to encrypt this descriptor. Without the proper private key, even with the onion service address, an attacker won't be able to connect to it because they won't be able to find the rendez-vous point.
|
||||
<br>
|
||||
<br>
|
||||
This is better than basic-auth for the following reasons:
|
||||
<ul>
|
||||
<li>More resistant to bruteforce attacks</li>
|
||||
<li>Also protects against flaws in your application itself</li>
|
||||
<li>Also protects you from fingerprinting attacks as no trafic can reach you without the required secret key</li>
|
||||
</ul>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<h3>On the central monitoring server</h3>
|
||||
|
||||
|
||||
|
|
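Review bot: The "When a client tries to connect" paragraph misdescribes what the descriptor carries: the encrypted part of a v3 onion service descriptor lists the service's introduction points, and it is the client that chooses a rendezvous point and sends it to the service through one of those introduction points. Client authorization encrypts that inner descriptor layer so only a client holding an authorized private key can recover the introduction points, which is the real reason an unauthorized client cannot connect even when it knows the address; suggest replacing "a path to a rendez-vous point where they will be able to talk to each other" with "the service's introduction points" and "they won't be able to find the rendez-vous point" with "they won't be able to decrypt the introduction points". The hunk also never says where the keys "we just created" go; a sentence before "This is better than basic-auth" stating that the public half belongs in the service's `authorized_clients` directory and the private half in the client's `ClientOnionAuthDir` would make the explanation complete. Minor spelling in the list items: "bruteforce" to "brute-force", "trafic" to "traffic".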