[tor-talk] Suggestion: make _hidden services_ choose random entry nodes often!
Sebastian Hahn
mail at sebastianhahn.net
Sat Oct 22 12:50:15 UTC 2011
On Oct 22, 2011, at 2:03 PM, hikki at Safe-mail.net wrote:
> -------- Original Message --------
> From: Sebastian Hahn <mail at sebastianhahn.net>
> Apparently from: tor-talk-bounces at lists.torproject.org
> To: tor-talk at lists.torproject.org
> Subject: Re: [tor-talk] Suggestion: make _hidden services_ choose random entry nodes often!
> Date: Fri, 21 Oct 2011 14:54:29 +0200
>
>> Unfortunately, you got it all wrong. There's a trivial attack against any
>> hidden service that doesn't use entry guards: Make a lot of connections
>> to it, while running at least one relay. Then do some timing analysis to
>> see when your connection to the hidden service coincides with a
>> connection to the node that you control, and write down the IP address
>> of the person making the connection, and you have de-anonymized
>> the hidden service.
>>
>> If you have 200 bad entry nodes under your control, that attack will
>> work very quickly and reliably, whereas there's still a good chance
>> that you need to keep those nodes running for a few months for the
>> hidden service to pick one of those nodes as guard.
>
> No, I didn't mean that the HS should choose random nodes. I meant that a
> HS should use _guards_ only, but switch between all available _guards_
> randomly and often, so you don't stick to a (bad) guard long enough for
> the operator to make any traffic analysis.
>
> If your HS connects to a (bad) guard, but stays there for only 5-10 min
> before jumping to another random guard, the guard operators will have
> very little to no time to investigate the clients and then do traffic
> analysis.

This assumption is wrong. Just making a single connection is enough
for timing analysis, and that means if you ever choose a bad node -
whether that's a guard node or not - you've already lost.

> To me this is simple math and logic, and if this is less secure than
> choosing 3 static guards for HS usage, please explain why.

I hope the above made it clearer?
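
The arithmetic behind the reply above, as an added example that is not part of the original e-mail: it compares one static set of 3 guards with a set that is redrawn every 10 minutes, given that a single connection through an adversary-run guard is enough. The adversary share `F`, uniform independent guard selection (real Tor weights by bandwidth) and all function names are assumptions made for illustration.

```python
import math

def sets_drawn(duration_min, rotation_min=None):
    """Number of guard sets a hidden service uses over duration_min minutes.
    rotation_min=None models static guards: one set for the whole period."""
    if rotation_min is None:
        return 1
    return max(1, math.ceil(duration_min / rotation_min))

def p_compromised(f, guards_per_set, num_sets):
    """Probability that at least one guard ever used is adversary-run,
    when each pick is bad with probability f (simplified: independent picks)."""
    return 1.0 - (1.0 - f) ** (guards_per_set * num_sets)

def rotations_to_reach(f, guards_per_set, target):
    """Smallest number of guard sets after which p_compromised >= target."""
    return math.ceil(math.log(1.0 - target) /
                     (guards_per_set * math.log(1.0 - f)))

F = 0.05           # constructed value: adversary runs 5% of guard selections
GUARDS = 3         # guards per set, as in the thread ("3 static guards")
ROTATE_MIN = 10    # rotation period proposed in the quoted message

if __name__ == "__main__":
    day = 24 * 60
    static = p_compromised(F, GUARDS, sets_drawn(day))
    rotating = p_compromised(F, GUARDS, sets_drawn(day, ROTATE_MIN))
    k = rotations_to_reach(F, GUARDS, 0.99)
    print(f"static guards, any duration until rotation: {static:.4f}")
    print(f"10-minute rotation, after one day:          {rotating:.6f}")
    print(f"rotations until 99% chance of a bad guard:  {k} "
          f"(about {k * ROTATE_MIN / 60:.1f} hours)")
```

With static guards the exposure is paid once per guard set; with rapid rotation the same per-pick risk is paid again every few minutes, so the chance of ever touching a bad guard approaches certainty within hours.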