[tor-dev] (Draft) Proposal 224: Next-Generation Hidden Services in Tor

John Brooks john.brooks at dereferenced.net
Wed May 13 06:37:56 UTC 2015


Michael Rogers <michael at briarproject.org> wrote:
> Something like this was suggested last May, and a concern was raised
> about a malicious IP repeatedly killing the long-term circuit in order
> to cause the HS to rebuild it. If the HS were ever to rebuild the
> circuit through a malicious middle node, the adversary would learn the
> identity of the HS's guard.
> 
> I don't know whether that's a serious enough threat to outweigh the
> benefits of this idea, but I thought it should be mentioned.

Yes, good point. I’ll revise my earlier statement:

The IPs end up being no stronger as an adversary than HSDirs would have
been, with the exception that an IP also has an established long-term
circuit from the service, and can force the service to rebuild that circuit.

I think it’s not an issue here, because that same attack is available and more
effective as a client. Running it as the IP requires external knowledge for
which service is being attacked, is attributable to the relay, and can’t target a
particular service until it’s chosen as IP.

We should separately figure out a way to solve that for both cases, like
the middle hop pinning Jeff mentioned.

My next step will be to modify 224 to describe this approach, and see what
problems that exercise turns up. Unless something comes up, I think this is
worth serious debate as a replacement to the proposal.

- John


More information about the tor-dev mailing list