On 12/11/19 4:31 PM, procmem@riseup.net wrote:
> Hi, I was wondering what the mathematical probability is of guessing an onion v3 address that is kept secret.
> Or asked differently: what is the entropy of v3 addresses if an adversary decides to brute-force the entire keyspace?
> I am struggling to come up with a use case for authenticated v3 services when keeping an address secret has the same effect and one can generate multiple addresses for the same server and share them with different entities. The degraded usability of v3 auth services compared to v2 is the reason I'm asking.
An additional thought for the less-technical side of things:
Using client auth, you *could* advertise the address(es) publicly. Put them in a pastebin you trust to not delete your pastes. Make a Reddit post listing them all. Whatever makes it easy for you to "bookmark" your v3 onion addresses without actually using the bookmark functionality of Tor Browser. So what if people know v3xyz.onion exists; they can't connect to it!
I'll admit it's a rather weak use-case: if you can remember/save the client auth credentials, you could remember/save the address itself too.
Matt