[tor-dev] Hidden service policies

Ted Smith tedks at riseup.net
Mon Jul 21 17:02:15 UTC 2014


On Mon, 2014-07-21 at 11:48 +0200, Mike Hearn wrote:
>         One of my first concerns would be that this would build in a
>         very easy way for a government (probably the US government) to
>         compel Tor to add in a line of code that says "If it's this
>         hidden service key, block access."
>
> And people who run Tor could easily take it out again, what with it
> being open source and all.

You're an intelligent person and probably know that it's more
complicated than that. Any automatically updating mechanism to retrieve
the Hidden Service Censorship List is a massive attack vector, because
two clients having two different sets of introduction points for a
hidden service, or two hidden services having different sets of
introduction points available, causes a partition in the anonymity set.

Regardless of the moral arguments you put forward, which I will not
comment on, it seems like this idea would never be implemented because
none of the Tor developers have a desire to implement such a dangerous
feature. 

If you've already thought of this, as you implied in another email, why
bring it up? Do you think you'll get the Tor community to agree to
enable such a damaging attack? 

Further, why do you think such infrastructure would be remotely
successful in stopping botnets from using the Tor network? A botnet
could just generate a thousand hidden service keys and cycle through
them. 

So, this would be:

      * Socially damaging, because it would fly in the face of Tor's
        anti-censorship messaging
      * Technically damaging, because it would enable the worst class of
        attacks by allowing attackers to pick arbitrary introduction
        points
      * Not technically helpful against botnets, because they can just
        cycle keys
      * Not even technically helpful against other content, because they
        can change addresses faster than volunteers maintaining lists of
        all the CP onionsites can do the detective work (which you
        assume people will want to do, and do rapidly enough that this
        will be useful)

Let's skip all the "devil's advocate" discussion. It isn't useful and
it'll cause traffic on this thread to blow up more than it already has. 

Instead, why don't you just present the strongest counterarguments
you've thought of against this proposal, which surely include the above,
and then the strongest counterarguments to those arguments, which
justify your position and have caused you, as an intelligent person,
bearing all those negative effects in mind, to *still* hold this
position. 

-- 
Sent from Ubuntu