On 9 Dec 2017, at 03:35, x9p tor@x9p.org wrote:
Hidden Service operators, and private guard operators protecting your Hidden Services, if you believe it is better safe than sorry, I strongly advise blocking the above IP addresses in your firewall, while they are not pulled out of the network.
There's no evidence these guards are malicious. They might just be run by an operator who doesn't know to set ContactInfo and MyFamily. (And MyFamily is irrelevant for relays in a /16, anyway.)
We are working on vanguards in 0.3.3 to address onion service guard discovery issues like this. That way, we change the entire network so onion services are safer. Changing just a few makes them stick out.
By "private guards" do you mean "bridges"? That would be a very bad idea: it would make the bridge and its onion services stand out within minutes or hours on the network, because each circuit gets a different middle node, and the nodes would not be evenly distributed.
If you block guards on an onion service, it will look different, but that might be unnoticeable for a few months. (More precisely, it's safe in proportion to the guard rotation period, divided by the number of related onion services blocking those guards, divided by the consensus weight fraction of blocked guards. We don't expect that people will do this calculation themselves, which is why we say "don't do that".)
But we really don't recommend people block guards or set EntryNodes on an onion service. It's quite risky long-term.
T