[I_Byte]

The depreciation of v2 addresses is the best course of action in this case. v2 addresses consist of the first 80 bits of the SHA-1 hash of the hidden services 1024 bit public RSA key. This sentence alone is enough to make any cryptographer cringe, it is really bad! (SHA-1 has been shown to be broken and it is suspected that 1024 bit RSA can be cracked by any determined well funded state actor)

Also, Tor Project has had v2 address depreciation on it's roadmap for 2 years now, they have given hidden service operators plenty of time to prime their community for the v2 --> v3 switch. This gradual change is way better than scrambling to depreciate v2 addresses in response to some state actor publicly breaking the RSA keys of v2 hidden services.

> I thought I owned my tor domain

You may now, but if v2 is kept around soon you won't be the only one with the domains private key.

[brokenmachine]

> v2 addresses consist of the first 80 bits of the SHA-1 hash of the hidden services 1024 bit public RSA key.

What is the danger of exposing the hash of the services public key? Public keys are public anyway.

[laverya]

It's not the fact that the hash of the public key is exposed, it's the fact that

1. so little of the hash is exposed (only 80 bits of 160 for sha1), making it easier to find a collision

2. the hash is so weak (sha1 is widely considered broken), making it easier to find a collision

3. the underlying public key is so small, making it easier to derive the private key from the public key

IIRC if you find a collision you can use that to take over / contest an onion address, and obviously reversing the public key into a private key gives you as much control over an onion address as the original creator.

[bawolff]

For 2) my understanding is that the security issues in sha1 are not relavent to finding preimages, which if im not mistaken is what you would need to take over an onion address. But maybe im mistaken.