[tor-dev] Notes on HS revamping

Kang td66bshwu at gmail.com
Mon Nov 11 21:22:38 UTC 2013


> AFAIK, this should also be possible with the current state of HS
> descriptor publishing.
>

It should be possible, yes, but it's not a serious problem due to the
decentralised nature of hidden service descriptor publishing.
On the other hand, I'm under the impression that there are only a few
directory servers and that they're critical to the operation of the
Tor network, so this would become an issue if directories were used
instead.
You could potentially cripple the whole network.

> Till #8244 is solved, they can even accuse future HSDirs.
>

That's a good point, actually.
It would be more labour intensive to contact future HSDirs, but you
could and it would produce the same result.

> This is worth thinking about. However, even with the current
> situation, Hidden Services periodically establish circuits to their
> HSDirs, so I'm not sure if ditching the hash ring will make any
> difference.
>

It would make a difference because currently HSDirs change every 24 hours or so.
If directory authorities were used as HSDirs instead they would
(probably) be used indefinitely.


On Tue, Nov 12, 2013 at 12:11 AM, George Kadianakis
<desnacked at riseup.net> wrote:
> Kang <td66bshwu at gmail.com> writes:
>
>> Here are my thoughts regarding why merging the Hidden Service
>> directory system and regular directory system is a bad idea.
>>
>
> Thanks for your thoughts.
>
> I'm also unsure on whether ditching the hash ring system is a good
> idea, but here are some comments on your thoughts:
>
>> It would mean each directory server effectively has a list of every
>> hidden service in the network.
>> This may or may not be an issue if the descriptors are encrypted.
>>
>
> This should not be an issue when #8106 is implemented. We should only
> ditch the hash ring after #8106 gets implemented.
>
>> Additionally you could clog up the directory servers (potentially
>> causing a DoS situation) by publishing massive quantities of hidden
>> service descriptors.
>> This may already be possible with router descriptors, however, I'm not
>> sure; do directory servers store an arbitrary number of router
>> descriptors from the same IP?
>>
>
> AFAIK, this should also be possible with the current state of HS
> descriptor publishing.
>
>> Since directory servers don't tend to change they would appear
>> responsible for each hidden service, opening up the possibility of
>> lawyer attacks
>>  => "we demand you stop hosting descriptors for this criminal hidden
>> service", or "you have been aiding criminals by serving this hidden
>> service's descriptors".
>> Also, since they don't change it would be far more worthwhile for an
>> adversary to try to attack or subvert them.
>> The moving-target system that is currently in place is far stronger
>> against these types of attacks.
>>
>
> IANAL, so I can't really comment on this point.
>
> Still, it seems to me that even with the current hash ring system,
> someone can accuse HSDirs of hosting descriptors of an HS for the
> current time period. Till #8244 is solved, they can even accuse future
> HSDirs.
>
>> Lastly since the hidden service will be establishing a circuit to each
>> directory server periodically it may be possible to perform
>> statistical attacks such as a predecessor attack against it.
>> This isn't an issue with router descriptors since the onion routers
>> aren't trying to be anonymous, but it is an issue with hidden service
>> descriptors.
>>
>
> This is worth thinking about. However, even with the current
> situation, Hidden Services periodically establish circuits to their
> HSDirs, so I'm not sure if ditching the hash ring will make any
> difference.