[tor-dev] Should popularity-hiding be a security property of hidden services?

Roger Dingledine arma at mit.edu
Fri Apr 3 16:53:05 UTC 2015 

On Fri, Apr 03, 2015 at 03:57:33PM +0100, George Kadianakis wrote:
>  I lean heavily
> towards the "popularity is private information and we should not
> reveal it if we can help it" camp

Hi George,

Thanks for your thoughts. I'm currently in this camp too.

>    Also, these statistics are forever: even
>   if you didn't care about a group of users in the past, but you start
>   caring about them now, you can still look back and see their
>   development over time.

To me this is one of the strongest arguments against.

>   -- Hidden services publish hidden service descriptors to 6 HSDirs.
>      This means that every day you will learn 6 noisy values for
>      your target hidden service, not just 1. It's easier to remove noise
>      that way.

I think tracking popularity by looking at reporting by HSDirs would be
quite easy. The main reason is that each day every hidden service picks
its own new set of 6 HSDirs. So even if there is noise confusing you
today, tomorrow will be a new (independent) set of noise, etc. Doing
an intersection attack on these values for your target hidden service
should work nicely over time.

>   To be honest, I have not heard convincing enough arguments that
>   would make me ditch popularity hiding. Some extra statistics or some
>   small optimizations do not seem exciting enough to me. Please try
>   harder. This could be a nice thread to demonstrate all the positive
>   things that could happen if we ditch popularity-hiding.

It would be great if everybody here could do some brainstorming on this
one. It would be a shame if we close a design door just because we weren't
open-minded enough to think of benefits (as opposed to closing the design
door because we weighed both sides and made an informed decision).

>  The dynamic introduction point formula
>   is something that we could disable by default, but also leave it as
>   a configurable option for people who want to use it. That is, it
>   will then be *the choice of the hidden service operator* whether he
>   cares about popularity being hidden or not.

Makes sense to me.

>   On the normal Internet,
>   popularity is private by default.

I wish this were more true than it is. There are all sorts of mechanisms
on the 'normal' Internet that track popularity at the large scale --
verisign and other people at the top of the dns root track requests
and publish summaries; ISPs track clicklogs and publish summaries;
and third-party vendors sucker millions of users into installing their
surveillance toolbars so they can publish summaries.

So I would understand if you said "yeah, but those aren't built-in",
but I think that line gets pretty blurry these days.

--Roger

More information about the tor-dev mailing list