[tor-dev] Should popularity-hiding be a security property of hidden services?
Roger Dingledine
arma at mit.edu
Fri Apr 3 16:53:05 UTC 2015
On Fri, Apr 03, 2015 at 03:57:33PM +0100, George Kadianakis wrote:
> I lean heavily
> towards the "popularity is private information and we should not
> reveal it if we can help it" camp
Hi George,
Thanks for your thoughts. I'm currently in this camp too.
> Also, these statistics are forever: even
> if you didn't care about a group of users in the past, but you start
> caring about them now, you can still look back and see their
> development over time.
To me this is one of the strongest arguments against.
> -- Hidden services publish hidden service descriptors to 6 HSDirs.
> This means that every day you will learn 6 noisy values for
> your target hidden service, not just 1. It's easier to remove noise
> that way.
I think tracking popularity by looking at reporting by HSDirs would be
quite easy. The main reason is that each day every hidden service picks
its own new set of 6 HSDirs. So even if there is noise confusing you
today, tomorrow will be a new (independent) set of noise, etc. Doing
an intersection attack on these values for your target hidden service
should work nicely over time.
> To be honest, I have not heard convincing enough arguments that
> would make me ditch popularity hiding. Some extra statistics or some
> small optimizations do not seem exciting enough to me. Please try
> harder. This could be a nice thread to demonstrate all the positive
> things that could happen if we ditch popularity-hiding.
It would be great if everybody here could do some brainstorming on this
one. It would be a shame if we close a design door just because we weren't
open-minded enough to think of benefits (as opposed to closing the design
door because we weighed both sides and made an informed decision).
> The dynamic introduction point formula
> is something that we could disable by default, but also leave it as
> a configurable option for people who want to use it. That is, it
> will then be *the choice of the hidden service operator* whether he
> cares about popularity being hidden or not.
Makes sense to me.
> On the normal Internet,
> popularity is private by default.
I wish this were more true than it is. There are all sorts of mechanisms
on the 'normal' Internet that track popularity at the large scale --
Verisign and other people at the top of the DNS root track requests
and publish summaries; ISPs track clicklogs and publish summaries;
and third-party vendors sucker millions of users into installing their
surveillance toolbars so they can publish summaries.
So I would understand if you said "yeah, but those aren't built-in",
but I think that line gets pretty blurry these days.
--Roger
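
An added example, not part of the original message or of Tor's code: a small simulation of why independent per-report noise averages away over days, and how much per-report noise a design would need for a given retention window. The Laplace noise model, the constant true count, the assumption that every HSDir report carries the same underlying value, and all function names are assumptions made for illustration; the sample numbers are constructed.

```python
import math
import random
import statistics

REPORTS_PER_DAY = 6  # from the thread: descriptors go to 6 HSDirs per day


def laplace(rng, scale):
    # Difference of two exponentials with mean `scale` is Laplace(0, scale).
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def averaged_estimate(true_count, scale, days, rng, per_day=REPORTS_PER_DAY):
    """Mean of all noisy reports collected over `days` (constructed data)."""
    reports = [true_count + laplace(rng, scale) for _ in range(days * per_day)]
    return statistics.fmean(reports)


def stderr_of_mean(scale, days, per_day=REPORTS_PER_DAY):
    """Error left after averaging; Var[Laplace(scale)] = 2 * scale**2."""
    return math.sqrt(2) * scale / math.sqrt(days * per_day)


def scale_needed(target_stderr, days, per_day=REPORTS_PER_DAY):
    """Per-report noise scale that keeps the averaged error at target_stderr."""
    return target_stderr * math.sqrt(days * per_day) / math.sqrt(2)


def empirical_rms_error(true_count, scale, days, trials, seed):
    """RMS error of the averaged estimate over repeated simulated windows."""
    rng = random.Random(seed)
    errs = [averaged_estimate(true_count, scale, days, rng) - true_count
            for _ in range(trials)]
    return math.sqrt(statistics.fmean([e * e for e in errs]))


if __name__ == "__main__":
    # Columns: days, predicted error, simulated error, scale needed for error 100
    for days in (1, 30, 365):
        print(days,
              round(stderr_of_mean(100, days), 1),
              round(empirical_rms_error(1000, 100, days, 200, seed=1), 1),
              round(scale_needed(100, days), 1))
```

Because the residual error shrinks with the square root of the number of reports, the noise scale required to hold a fixed uncertainty grows with the length of time the statistics stay available.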