Tom Ritter:
On 28 May 2013 16:33, Mike Perry mikeperry@torproject.org wrote:
Additionally, as far as I can see, if you can control the introduction points using the attack from the first part of the paper, you could also perform this attack against a *user* as well (which is the threat model strongbox really tries to address). A captured Introduction Point could repeatedly fail circuits, forcing the user to reconnect on new ones until their Guard node is discovered.
I misspoke above. While it might be possible to capture the Introduction Point using some other attack, the more direct route to attack clients is to use the /HSDir/ nodes you control from the paper's methods, and fail the circuits of clients who are asking for the HSdesc you're interested in.
In that case, it would take about an hour to locate the Guard nodes of persistent clients, and then you would have to coerce the Guard nodes into surveilling further (or just giving you their identity key, so you can MITM their TLS connections remotely without their further assistance or knowledge).
Still, less practical than attacking the service side unless you have a client that continues to connect to the target service for long enough for you to find the Guard, compromise it, and then watch their traffic.
Of course, most users will probably give up trying to use the service long before the hour is up, but if the attack could be optimized in any other way, it could mean trouble.
They won't give up if they are irssi trying to reconnect to a server. Or a VPN trying to auto-reconnect. Or any manner of non-human auto-retrying applications talking to a Hidden Service.
Absolutely correct. Hopefully Strongbox doesn't keep retrying for you in the background or anything like that.
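The time-to-discovery figure discussed in the thread rests on two quantities it leaves implicit: the share of middle-hop bandwidth the attacker controls, and how quickly the client rebuilds circuits after each failure. The following is an added toy model written for this page; it is not code from the thread, from the paper, or from Tor. It simulates a client that keeps one Guard and rebuilds a circuit with a fresh middle on every retry, while an attacker who can fail those circuits waits until one of its own relays is picked as the middle hop and sees the Guard directly. The relay names, bandwidths, hostile share and retry intervals are all constructed assumptions, and middle selection is a plain bandwidth-weighted draw rather than Tor's real path-selection weighting.

```python
# Added example (not from the thread or from Tor): toy model of the
# guard-discovery race. Each failed circuit forces the client to build a
# new one through the same Guard with a freshly chosen middle; the first
# hostile middle learns the Guard. All relay data below is constructed.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    name: str
    bandwidth: int      # stand-in for the consensus weight used in selection
    hostile: bool       # True if the attacker runs this relay


def build_network(num_relays: int = 200, hostile_count: int = 10) -> list[Relay]:
    """Constructed sample network: deterministic, arbitrary bandwidths."""
    relays = []
    for i in range(num_relays):
        bw = 100 + (i * 37) % 500          # spread of weights, nothing real
        relays.append(Relay(f"relay{i:03d}", bw, hostile=i < hostile_count))
    return relays


def hostile_middle_fraction(relays: list[Relay], guard: Relay) -> float:
    """Attacker's share of middle-hop bandwidth, excluding the Guard itself
    (a relay is never used twice in one circuit)."""
    candidates = [r for r in relays if r is not guard]
    total = sum(r.bandwidth for r in candidates)
    return sum(r.bandwidth for r in candidates if r.hostile) / total


def circuits_until_guard_seen(relays, guard, rng=None, max_circuits=1_000_000):
    """Number of circuit builds until a hostile relay is chosen as middle.

    Returns None if the cap is reached (e.g. no hostile relays at all)."""
    rng = rng or random.Random(0)
    candidates = [r for r in relays if r is not guard]
    weights = [r.bandwidth for r in candidates]
    for n in range(1, max_circuits + 1):
        middle = rng.choices(candidates, weights=weights, k=1)[0]
        if middle.hostile:
            return n                        # hostile middle's previous hop is the Guard
    return None


def mean_circuits(relays, guard, trials=2000, seed=7):
    """Simulated average number of builds before the Guard is exposed."""
    rng = random.Random(seed)
    total = sum(circuits_until_guard_seen(relays, guard, rng) for _ in range(trials))
    return total / trials


def expected_circuits(f: float) -> float:
    """Each build is an independent trial with success probability f, so the
    number of builds is geometric with mean 1/f."""
    return 1.0 / f


def expected_seconds(f: float, retry_interval_s: float) -> float:
    """Wall-clock time is builds times the client's retry interval, which is
    why an auto-reconnecting client is the worst case for the victim."""
    return expected_circuits(f) * retry_interval_s


if __name__ == "__main__":
    net = build_network()
    guard = next(r for r in net if not r.hostile)
    f = hostile_middle_fraction(net, guard)
    print(f"hostile middle share:           {f:.3f}")
    print(f"expected circuits to see Guard: {expected_circuits(f):.1f}")
    print(f"simulated mean over 2000 runs:  {mean_circuits(net, guard):.1f}")
    for interval in (1, 10, 60):            # assumed retry intervals in seconds
        print(f"retry every {interval:3d}s -> ~{expected_seconds(f, interval) / 60:.1f} min")
```

The point the model makes concrete is that the attacker's cost is driven almost entirely by the client's retry rate: a human who gives up after a few failures never reaches the 1/f builds needed, whereas a daemon that retries every few seconds supplies them for free.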