[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: posting hidden service descriptors
On Tue, Mar 20, 2007 at 12:37:22PM -0400, James Muir wrote:
> I know that hidden servers must post their descriptors to the DAs
> anonymously to avoid exposing their IP addresses. Is this done through
> a normal (i.e. three hop) circuit?
Yes.
> I suspect it is not because in
> src/or/circuitbuild.c there is a condition for creating one-hop tunnels
> and a log message "Launching a one-hop circuit for dir tunnel."
No, one-hop circuits are for begin_dir cells. See 6.2.1 in
tor-spec.txt. They let you connect to a directory port in an encrypted
authenticated manner, which can also be handy when your local network
is filtering certain http requests or ports. The one-hop circuits
are intended for cases where currently you'd just be making a direct
connection: now you connect to the Tor server and ask to connect to
its dirport.
> My concern here is that using a one-hop circuit exposes the origin of
> the hidden service to that onion router (i.e. the one-hop).
Yep. That would be bad.
>Even if the
> data the one-hop relays to the DA from the OP is encrypted, the one-hop
> still learns an IP address which originates some hidden service
> (although, it may not be certain which one exactly).
Agreed.
--Roger