[tor-bugs] #14917 [Tor]: Client's choice of rend point can leak info about hidden service's guard relay
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu May 14 14:26:36 UTC 2015
#14917: Client's choice of rend point can leak info about hidden service's guard
relay
-------------------------+-------------------------------------------------
     Reporter:  arma     |          Owner:
         Type:  defect   |         Status:  assigned
     Priority:  major    |      Milestone:  Tor: 0.2.7.x-final
    Component:  Tor      |        Version:
   Resolution:           |       Keywords:  SponsorR, tor-hs, 027-triaged-1-in,
Actual Points:           |  SponsorU
       Points:  medium   |      Parent ID:
-------------------------+-------------------------------------------------
Comment (by dgoulet):

 I'll try to summarize the above and have a pros/cons list for each
 possible solution. We assume an operator running an HS and `EntryNode` is
 set with a single entry. Please correct any wrong reasons, add any new
 ones and argue with some possible improvements.

 1) Warning at startup + do NOT fail the circuit
   * Pros:
     * Relay operator is notified iff she is looking at the logs.
     * HS will be able to pin a single guard because one guard is
       recommended.
   * Cons:
     * Attack NOT mitigated.

 2) Warning at startup + fail the circuit
   * Pros:
     * Relay operator is notified iff she is looking at the logs.
   * Cons:
     * Does not mitigate the attack at all because that's the current
       behavior without the warning. We can't exit at our entry point and
       we don't have a secondary guard.

 3) Error at startup. Tor doesn't start and we tell operator why.
   * Pros:
     * Attack is mitigated
   * Cons:
     * Confuses the operator since one single guard is what's recommended?
     * Could break some HS configuration out there raising questions and
       paranoia (maybe good?)

 4) Exit at your guard *only* for rendezvous point.
   * Pros:
     * Attack is mitigated
     * Not breaking any current configuration nor confusing operator.
   * Cons:
     * Bad for anonymity reasons to exit at your entry? Could maybe be
       issues with timing?
     * Breaks tor path selection for a specific case which might be bad.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14917#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
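
A configuration check of the kind options 1 to 3 above describe, written as an added example; it is not Tor's code and not part of the ticket. It audits torrc text for a hidden service whose `EntryNodes` line names exactly one relay. The function names, the constructed sample torrc and the handling of a repeated `EntryNodes` line are assumptions.

```python
import re

# One relay: a 40-hex fingerprint (optional "$", optional =nick / ~nick suffix)
# or a bare nickname of 1 to 19 alphanumeric characters.
ONE_RELAY = re.compile(
    r"^(\$?[0-9A-Fa-f]{40}([=~][A-Za-z0-9]{1,19})?|[A-Za-z0-9]{1,19})$")

# Constructed sample input; the fingerprint is a placeholder, not a real relay.
SAMPLE_TORRC = """
HiddenServiceDir /var/lib/tor/hs/      # constructed path
HiddenServicePort 80 127.0.0.1:8080
EntryNodes $0123456789ABCDEF0123456789ABCDEF01234567
"""


def parse_torrc(text):
    """Return {lowercased option: [values]}; comments and blank lines are skipped."""
    options = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            options.setdefault(parts[0].lower(), []).append(value)
    return options


def audit(text, fatal=False):
    """Return (level, message) for a single-guard hidden service, else None.

    fatal=False models the startup warning (options 1 and 2),
    fatal=True models refusing to start (option 3).
    """
    opts = parse_torrc(text)
    if "hiddenservicedir" not in opts or "entrynodes" not in opts:
        return None
    # Assumption: if EntryNodes is repeated, the last line is the one in effect.
    items = [i.strip() for i in opts["entrynodes"][-1].split(",") if i.strip()]
    # Country codes ({de}) and address patterns cover many relays, so a lone
    # item only counts as a pinned guard when it names one specific relay.
    if len(items) == 1 and ONE_RELAY.match(items[0]):
        level = "error" if fatal else "warn"
        return (level, "hidden service pinned to a single entry node: " + items[0])
    return None


if __name__ == "__main__":
    print(audit(SAMPLE_TORRC), audit(SAMPLE_TORRC, fatal=True), sep="\n")
```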