[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Hidden Services Questions (mostly) Please?

On Mon, Mar 31, 2014 at 08:48:44PM -0400, me wrote:
> Bare with me as I ramble my way toward hidden services.
> First a plain server connect:
> Assuming a simple web client using Tor to contact a normal web page, NOT
> HTTPS for simplicity.
> Client <=> Node A <=> Node B <=> Node C <-> HTTP Server
> Node "C" (exit) sees unencrypted traffic to the server and can monitor
> everything.


For those following along at home, check out

> Assuming I set up more than 3 nodes in a circuit, can any of the nodes
> determine how many nodes I'm using?

The first one knows that it's getting a connection from a non-relay so
can guess it's you. The last one knows it's being asked to exit to the
http server. The middle one(s) know it's not the first or last. If you
have multiple middle ones, they could perhaps use timing to guess what
hop they are.

We don't claim to hide from relays what position they are in the circuit,
since it seems hard to reliably hide it.

Also, it's really the first and last relays you should be concerned about:

> Now Hidden service:
> Client <=> A <=> B <=> C <=> Rendezvous <=> D <=> E <=> F <~> Hidden Server

Actually the client picks three hops and the hidden service picks
three hops, so there is no 'C' hop.

> I assume that unlike the non-HS, "C" is not equivalent to an exit node and
> C <=> Rendezvous is encrypted?

B <=> Rendezvous is encrypted yes.

> Does "C" know it is the last node before connecting to a Rendezvous?

B does not know it's the last node before connecting to a relay that's
used for rendezvous. However, B can know it's not the first hop, and
can look at Rendezvous's exit policy and learn that you're probably
not exiting from it, meaning you're probably doing something else. This
isn't something we try to (or think we can) hide. So, "assume yes but
maybe it's hard in practice".

> Is the F <~> Hidden Server connection encrypted or not?

It is. Exactly like the "client <=> A" hop is encrypted.

> Does "F" know it is the last node and connecting to a Hidden Service?

F can know it's the guard (first hop) for a Tor client. We assume it
can look at the traffic patterns and guess that the client it's being
a guard for is probably offering a hidden service. So, "assume yes".


tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to