[tor-dev] Notes on HS revamping

George Kadianakis desnacked at riseup.net
Mon Nov 11 13:41:31 UTC 2013


Kang <td66bshwu at gmail.com> writes:

> Here are my thoughts regarding why merging the Hidden Service
> directory system and regular directory system is a bad idea.
>

Thanks for your thoughts.

I'm also unsure whether ditching the hash ring system is a good
idea, but here are some comments on your thoughts:

> It would mean each directory server effectively has a list of every
> hidden service in the network.
> This may or may not be an issue if the descriptors are encrypted.
>

This should not be an issue when #8106 is implemented. We should only
ditch the hash ring after #8106 gets implemented.

> Additionally you could clog up the directory servers (potentially
> causing a DoS situation) by publishing massive quantities of hidden
> service descriptors.
> This may already be possible with router descriptors, however, I'm not
> sure; do directory servers store an arbitrary number of router
> descriptors from the same IP?
>

AFAIK, this should also be possible with the current state of HS
descriptor publishing.

> Since directory servers don't tend to change they would appear
> responsible for each hidden service, opening up the possibility of
> lawyer attacks
>  => "we demand you stop hosting descriptors for this criminal hidden
> service", or "you have been aiding criminals by serving this hidden
> service's descriptors".
> Also, since they don't change it would be far more worthwhile for an
> adversary to try to attack or subvert them.
> The moving-target system that is currently in place is far stronger
> against these types of attacks.
>

IANAL, so I can't really comment on this point.

Still, it seems to me that even with the current hash ring system,
someone can accuse HSDirs of hosting descriptors of an HS for the
current time period. Till #8244 is solved, they can even accuse future
HSDirs.

> Lastly since the hidden service will be establishing a circuit to each
> directory server periodically it may be possible to perform
> statistical attacks such as a predecessor attack against it.
> This isn't an issue with router descriptors since the onion routers
> aren't trying to be anonymous, but it is an issue with hidden service
> descriptors.
>

This is worth thinking about. However, even with the current
situation, Hidden Services periodically establish circuits to their
HSDirs, so I'm not sure if ditching the hash ring will make any
difference.

