On Thu, May 12, 2016 at 9:26 AM, Roger Dingledine <arma@mit.edu> wrote:
> It puts the relays at new risk. Right now breaking into a rendezvous point is not useful for linking users to the onion services they visit. If both sides are using short circuits, then the rendezvous point is acting as a single-hop proxy. And if we have a design where _sometimes_ the rendezvous point knows both sides, then it becomes a smart strategy to attack it, just in case this is one of those times.
Okay, that makes a lot of sense. Okay, yes, I support that. If a lot of users were using Tor2web and a lot of websites were on single-onion services, I totally understand how that makes the middle nodes juicier targets for intrusion. And we'd like to minimize their juiciness. So we need a way for (a) a tor2web user to detect if a domain is a single-onion service or (b) a single-onion service to detect whether someone is a tor2web user, and then put another hop in the middle.
I don't know of any way to detect (a). Maybe someone can enlighten me. For (b), tor2web requests always have an "x-tor2web: true" request header. So the single-onion service could detect that. It's possible that someone will modify their tor2web install to not have that header, but it seems sensible simply to forbid that behavior as "damaging Tor operators".
-V