[tor-talk] privacy of hidden services
twim at riseup.net
Wed Dec 21 19:21:00 UTC 2016
> I have a question about the privacy of hidden services. Let's say I
> create a tor hidden service and privately send the onion address to
> only two other people. Would anyone outside of myself and those two
> people be able to determine the onion address or monitor activity
> related to the hidden service such as HS descriptor uploads and
> downloads from directory servers, or connection attempts via
> introduction or rendezvous points?
Yes, HSDirs can do this since they are in position of storing and
service HS descs. Some of them are actually trying to do this for
specific HSes by bruteforcing their fingerprints to get into right place
in the hash ring (this should become infeasible after shared randomness
Also your Introduction Points are able to connect to your service and
probably figure out your .onion address (i.e. based on application data).
> Would it make a difference if the hidden service used basic or
> stealth authorization?
So yes, ideally encrypt your Introduction Points (basic) and obfuscate
identity keys (stealth) [this also encrypts sets of IPs]. Non-ideally,
use random slugs in URLs as OnionShare does (if you're doing web).
Many of these problems should be gone after prop224 got implemented.
More information about the tor-talk