[Cryptography] Are Tor hidden services really hidden?

Phillip Hallam-Baker hallam at gmail.com
Fri Feb 14 11:19:05 EST 2014

On Fri, Feb 14, 2014 at 10:50 AM, Tom Ritter <tom at ritter.vg> wrote:

> On 13 February 2014 22:35, Phillip Hallam-Baker <hallam at gmail.com> wrote:
> > 1) The attacker controls multiple rendezvous points and
> > 2) The attacker controls multiple clients, using them to make contact
> > attempts and
> > 3) Traffic to the hidden service with the drug site is an appreciable
> > proportion of the total hidden service traffic
> >
> > Then, a timing attack seems very likely to reveal the IP address of the exit
> > node for the hidden service which can then be unrolled in turn.
>
> The RP is chosen by the client, so the attacker doesn't need to
> control those. When the HS contacts the RP, it's via a Tor circuit, so
> the RP doesn't learn the HS's actual IP, only the exit IP.  This
> doesn't get you any closer to finding it though.
> The attacker needs to become the entry point for a HS to perform a
> traffic confirmation attack. By sending lots of data to the HS from a
> client, the entry point can correlate that traffic being delivered to
> the connection, even if it can't read it.
> To protect against this attack, Tor uses Entry Guards:
> https://www.torproject.org/docs/faq#EntryGuards These aim to 'stick' a
> client (or HS) to a set of entry nodes.  If you, the attacker, are in
> that set - you're good to go. But if you're not, it's much more
> difficult for you to get _into_ that set.

Again this is raising the cost of the attack, not preventing the really
determined attacker.

Operating a low latency hidden service means allowing other people to
direct packets in your direction. There are certainly ways of mitigating
the risk of dox-ing the hidden server. But the effectiveness of those
controls is going to depend on how visible the service is and how
determined an attacker is to disclose its location.

Underestimating the determination of the authorities to locate and destroy
online drugs marketplaces seems to be a habit of these people. At this
point there are more markets on the list of 'failed/scam' sites than are
operating on the http://www.deepdotweb.com/ list.

It could be that they are all being found because they are making stupid
mistakes like sending email which has to go outside the Tor system
because of the spam controls. But it wouldn't surprise me if we later find
that there are tens of thousands of NSA/GCHQ run nodes. The Snowden papers
we have that express concern at the difficulty of Tor intercepts are rather
old. Knowing that the NSA could not solve a problem due to lack of
resources three years ago would make me conclude they now have the
necessary resources rather than it isn't a problem.

Website: http://hallambaker.com/
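The exchange above turns on what entry guards change: without them every circuit draws a fresh entry node, so an attacker running some fraction of relays is almost certain to become the entry eventually; with them the draw happens once per guard set. The following is an added illustration, not code from the thread or from Tor: a deliberately simplified model that assumes uniform relay selection (real Tor weights by bandwidth) and treats the attacker's share of relays, circuit count, guard-set size and rotation count as constructed parameters.

```python
"""Simplified model of how entry guards change an attacker's chance of
becoming a hidden service's entry node (illustrative; uniform node selection,
no bandwidth weighting, unlike real Tor path selection)."""
import random

def exposure_without_guards(frac_bad: float, n_circuits: int) -> float:
    """P(attacker is the entry for at least one of n_circuits circuits)
    when every circuit picks a fresh entry from the whole relay set."""
    return 1.0 - (1.0 - frac_bad) ** n_circuits

def exposure_with_guards(frac_bad: float, n_guards: int, n_rotations: int = 1) -> float:
    """P(attacker controls at least one guard the HS ever used).
    The HS sticks to n_guards entries; the set is re-drawn n_rotations times
    over the observation window (1 = no rotation). If no guard is the
    attacker's, building more circuits does not help them."""
    return 1.0 - (1.0 - frac_bad) ** (n_guards * n_rotations)

def simulate(frac_bad: float, n_circuits: int, n_guards: int,
             trials: int, seed: int = 1) -> tuple:
    """Monte Carlo check of the two closed forms (single guard set, no rotation)."""
    rng = random.Random(seed)
    exposed_free, exposed_guarded = 0, 0
    for _ in range(trials):
        # No guards: each of n_circuits circuits draws its own entry node.
        if any(rng.random() < frac_bad for _ in range(n_circuits)):
            exposed_free += 1
        # Guards: the entry set is drawn once; circuits only ever enter through it.
        guard_is_bad = [rng.random() < frac_bad for _ in range(n_guards)]
        if any(guard_is_bad):
            exposed_guarded += 1
    return exposed_free / trials, exposed_guarded / trials

def compare(frac_bad: float = 0.10, n_circuits: int = 100, n_guards: int = 3) -> dict:
    """Constructed scenario: attacker runs 10% of entry-capable relays."""
    free, guarded = simulate(frac_bad, n_circuits, n_guards, trials=20000)
    return {
        "no_guards_closed_form": exposure_without_guards(frac_bad, n_circuits),
        "no_guards_simulated": free,
        "guards_closed_form": exposure_with_guards(frac_bad, n_guards),
        "guards_simulated": guarded,
        # Cost, not prevention: twelve guard rotations re-draw the set 12 times.
        "guards_rotated_12x": exposure_with_guards(frac_bad, n_guards, n_rotations=12),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>24}: {value:.4f}")
```

With a 10% attacker share, three guards cut the chance of ever exposing the entry from near-certainty to roughly 27%, but repeated rotation pushes it back up, which is the "raising the cost, not preventing" point made above.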