[tor-bugs] #14917 [Tor]: Client's choice of rend point can leak info about hidden service's guard relay

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 20 17:09:41 UTC 2015


#14917: Client's choice of rend point can leak info about hidden service's guard
relay
-------------------------+-------------------------------------------------
     Reporter:  arma     |      Owner:
         Type:  defect   |     Status:  assigned
     Priority:  normal   |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor      |    Version:  Tor: 0.2.7
   Resolution:           |   Keywords:  SponsorR, tor-hs, 027-triaged-1-in,
Actual Points:           |  SponsorU
       Points:  medium   |  Parent ID:
-------------------------+-------------------------------------------------

Comment (by dgoulet):

 I thought of this last week and decided to try it. I hacked my tor client
 to always use a specific RP node and set that node as `EntryNode` for an
 HS I control. One single circuit and the client received a failure, thus
 confirming the attack. There are ~3000 guards right now in the network;
 testing them all takes a few minutes, thus the guard discovery is serious (of
 course considering EntryNode being used).

 I don't think bypassing `EntryNodes` if defined is a good idea here.
 Apart from doing things in the background that the user explicitly asked
 not to do (bad), a far-fetched example is that if the operator decided to
 firewall all nodes except the entry one and then Tor tries to connect to
 it and fails, well, the attack is still usable. What I mean by this is that
 there are maybe external variables on why an operator sets EntryNodes, thus
 we should respect it.

 Accepting `GuardA -> Middle1 -> Middle2 -> GuardA` for a rendezvous circuit
 seems to me the straight fix for a situation that is not really good right
 now.

 We could go as far as denying the use of `EntryNodes` for an HS because of
 this serious security issue but that sounds maybe a bit too much.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14917#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
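
The following is an added example, not part of the ticket and not Tor's code: a simplified model of service-side rendezvous path selection. It shows why refusing to reuse the guard as the rendezvous point makes the build outcome depend on the guard, and why accepting `GuardA -> Middle1 -> Middle2 -> GuardA` removes that dependence. The relay names, the function names and the "no relay twice in a path" rule are assumptions of the model.

```python
import random

# Constructed relay list for the model; these are not real relays.
RELAYS = ["GuardA", "GuardB", "Relay1", "Relay2", "Relay3", "Relay4"]


def build_rend_path(entry_nodes, relays, rp, allow_guard_as_rp=False, rng=None):
    """Return a service-side path Guard -> Middle1 -> Middle2 -> RP, or None.

    Model assumption: with allow_guard_as_rp=False no relay may appear twice,
    so a guard equal to the rendezvous point (RP) is unusable for this circuit.
    """
    rng = rng or random.Random()
    guards = [g for g in entry_nodes if allow_guard_as_rp or g != rp]
    if not guards:
        return None  # every permitted guard collides with the RP
    guard = rng.choice(guards)
    middles = [r for r in relays if r not in (guard, rp)]
    if len(middles) < 2:
        return None
    middle1, middle2 = rng.sample(middles, 2)
    return [guard, middle1, middle2, rp]


def outcome_by_rp(entry_nodes, relays, allow_guard_as_rp):
    """Map each possible RP to whether the service could build a path to it."""
    return {
        rp: build_rend_path(entry_nodes, relays, rp, allow_guard_as_rp) is not None
        for rp in relays
    }


def outcome_depends_on_guard(entry_nodes, relays, allow_guard_as_rp):
    """True when success/failure differs between RPs.

    A path-selection rule is safe in this model only if this returns False:
    the result of a rendezvous attempt must not vary with the chosen RP.
    """
    outcomes = outcome_by_rp(entry_nodes, relays, allow_guard_as_rp)
    return len(set(outcomes.values())) > 1


if __name__ == "__main__":
    for relaxed in (False, True):
        print("allow_guard_as_rp =", relaxed,
              outcome_by_rp(["GuardA"], RELAYS, relaxed),
              "depends on guard:", outcome_depends_on_guard(["GuardA"], RELAYS, relaxed))
```

The same function can serve as a regression check for a path-selection change: with a single entry node configured, the outcome map must be identical for every rendezvous point.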

