From abc8ba8820caaefbf2c3c191a577bc59b786be2b Mon Sep 17 00:00:00 2001 From: midas Date: Sat, 8 Mar 2025 12:05:50 +0100 Subject: [PATCH] add tor client auth gen explanation --- opsec/anonymous_server_monitoring/index.html | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/opsec/anonymous_server_monitoring/index.html b/opsec/anonymous_server_monitoring/index.html index b96ab2c..c92ff5e 100644 --- a/opsec/anonymous_server_monitoring/index.html +++ b/opsec/anonymous_server_monitoring/index.html @@ -260,6 +260,22 @@ cat /var/lib/tor/onion/prometheus/hostname [clientaddr].onion +What's that tor-client-auth-gen you ask? In order to protect this critical service from attacks that could be done against the grafana servers or from stolen credentials we need more than just security by obscurity +(relying on the attacker not knowing our hidden service address). + +
+When a client tries to connect to an onion service they request a server descriptor from a tor directory server that gives them a path to a rendez-vous point where they will be able to talk to each other. The keys we just created will be used to encrypt this descriptor. Without the proper private key, even with the onion service address, an attacker won't be able to connect to it because they won't be able to find the rendez-vous point. +
+
+This is better than basic-auth for the following reasons: + +
+
+

On the central monitoring server
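Review bot: the description of the encrypted descriptor in this hunk is inaccurate: "a path to a rendez-vous point where they will be able to talk to each other" should say the service's introduction points. The rendezvous point is chosen by the client itself and only communicated to the service through an introduction point, so what client authorization withholds from an unauthorized client is the introduction points (the descriptor is encrypted to the x25519 public keys of the authorized clients, and only the matching private key decrypts it). Likewise "a tor directory server" should be the service's HSDir relays, since ordinary directory caches never serve onion service descriptors. Suggested wording: "The descriptor lists the service's introduction points and is encrypted to the authorized clients' keys. Without the matching private key an attacker who knows the onion address still cannot read the descriptor, and so cannot reach an introduction point to start a connection." Separately, the list announced by "This is better than basic-auth for the following reasons:" is empty in this hunk; either add the reasons or drop the sentence. Minor: Tor's own documentation spells it "rendezvous", not "rendez-vous".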