Quote from: astor on June 12, 2013, 06:41 am
FYI, Mike Hearn is a Google employee and Bitcoin developer.

Anyway: http://dkn255hz262ypmii.onion/index.php?topic=161391.msg1160970#msg1160970

The threat is real.

But it can't be; here's their description of hidden services:

Quote from: Section III
The Tor hidden service architecture:
1. Internet service which is available as Tor hidden service;
2. Client, which wants to access hidden service;
3. Introduction Points, tor relays chosen by the hidden service and which are used for forwarding management cells necessary to connect the Client and the Hidden Service at the Rendezvous point;
4. Hidden Service directories (HSDir): Tor relays at which the hidden service publishes its descriptors and which are communicated by clients in order to learn the address of the hidden service's introduction points;
5. Rendezvous point (RP): a Tor relay chosen by the client which is used to forward all the data between the client and the hidden service.

That's... not quite accurate. It's leaving out guards, which is what had me thinking it was the protocol before their introduction. But sure, maybe they skimmed over it (or I missed it in my own skimming). But further on, they clearly state:

Quote from: Section III
In order to establish a connection to a given hidden service Alice's OP [note: onion proxy] first builds a rendezvous circuit (step 4). It does this by establishing a circuit to a randomly chosen Tor relay (OR) [note: onion router], and sending a RELAY_COMMAND_ESTABLISH_RENDEZVOUS cell to that OR. The body of that cell contains a Rendezvous cookie (RC). The rendezvous cookie is an arbitrary 20-byte value, chosen randomly by Alice's OP... ... ...

Alice builds a separate circuit to one of Bob's chosen introduction points, and sends it a RELAY_COMMAND_INTRODUCE1 cell containing the IP address and the fingerprint of the rendezvous point, the hash of the public key of the hidden service (PK_ID), and the rendezvous cookie (step 5).

If the introduction point recognizes PK_ID as the public key of a hidden service it serves, it sends the body of the cell in a new RELAY_COMMAND_INTRODUCE2 cell down the corresponding circuit (step 6).

When Bob's OP receives the RELAY_COMMAND_INTRODUCE2 cell, it decrypts it using the private key of the corresponding hidden service and extracts the rendezvous point's nickname as well as the rendezvous cookie.

Sure, that's all well and good... except they STILL haven't mentioned the fucking guards? It's like they're analyzing the network before guards were introduced. Now in fairness they go on to talk about them when detailing their next attack, but there's weirdness there. Before skipping to VI A though, this line in V A caught my eye:

Quote from: Section V A
Just like any Tor client, an attacker is able to compute the descriptor IDs of the hidden service for any moment in the future and find the fingerprints of expected responsible HS directories. After that she can compute the private/public key pairs so that SHA-1 hash of the public keys would be in-between the descriptor ID and the fingerprint of the first responsible hidden service directory. The attacker then runs Tor relays with the computed public/private key pairs and waits for 25 hours until they obtain the HSDir flag.

I thought you could only calculate the descriptor IDs 24 hours in advance, but whatever, skipping that: how can this be possible at all, since even assuming they get to the point of impersonating the HSDirs in question due to the properties of the distributed hash table... they still won't have the private key for those servers that the 6 (is it 6?) authoritative directories will be checking for, and so will be ignored anyway?

Last bit I actually skimmed; I'm sick of quoting this paper, but again:

Quote from: Section VI A
In order to confirm that an attacker controls a guard node of a hidden service she needs to control at least one more Tor non-exit relay. In the attack, the hidden service is forced to establish rendezvous circuits to the rendezvous point controlled by the attacker.
...
If all the conditions are satisfied, the attacker decides that her guard node was chosen for the hidden service's rendezvous circuit and marks the previous node in the circuit as the origin of the hidden service.

I skipped over some stuff because I'm tired, but I don't understand how this is possible, unless you're running Tor over Tor...? How can a guard ever be chosen as an introduction point for a hidden service -- the guard knows what hidden service it's a guard for, why in God's name would it blindly say "sure, I'll be the rendezvous point for my pal there!" ???
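As an added example (not code from the post above or from the paper it quotes), here is the client-side descriptor-ID computation that the Section V A passage relies on, following the v2 rend-spec formula: the ID depends only on the service's permanent ID, the time period and the replica number (plus an optional descriptor cookie), and the responsible HSDirs are the three relays that follow it on the sorted fingerprint ring. The onion address and HSDir ring used below are constructed placeholders.

```python
# Added example: Tor v2 hidden-service descriptor IDs and responsible-HSDir lookup,
# as specified in rend-spec v2 (the scheme Section V A of the quoted paper refers to).
import base64
import hashlib
import struct

HSDIRS_PER_REPLICA = 3  # each replica is served by the 3 HSDirs following it on the ring
SECONDS_PER_DAY = 86400


def permanent_id(onion_address: str) -> bytes:
    """Decode a 16-character v2 .onion name into the 10-byte permanent-id (truncated H(PK))."""
    name = onion_address[:-6] if onion_address.endswith(".onion") else onion_address
    pid = base64.b32decode(name.upper())
    if len(pid) != 10:
        raise ValueError("not a v2 onion address")
    return pid


def time_period(current_time: int, pid: bytes) -> int:
    """time-period = (current-time + permanent-id-byte * 86400 / 256) / 86400.
    The per-service byte offset staggers the daily rollover across services."""
    return (current_time + (pid[0] * SECONDS_PER_DAY) // 256) // SECONDS_PER_DAY


def descriptor_id(pid: bytes, current_time: int, replica: int, descriptor_cookie: bytes = b"") -> bytes:
    """descriptor-id = H(permanent-id | H(time-period | descriptor-cookie | replica)).
    Nothing here is secret unless a descriptor cookie is used, so any party who knows the
    onion address can evaluate it for any future time period."""
    secret_id_part = hashlib.sha1(
        struct.pack(">I", time_period(current_time, pid)) + descriptor_cookie + bytes([replica])
    ).digest()
    return hashlib.sha1(pid + secret_id_part).digest()


def responsible_hsdirs(desc_id: bytes, ring: list[bytes]) -> list[bytes]:
    """Return the HSDir fingerprints that follow desc_id on the sorted ring (wrapping around)."""
    ring = sorted(ring)
    start = next((i for i, fp in enumerate(ring) if fp >= desc_id), 0)
    return [ring[(start + k) % len(ring)] for k in range(HSDIRS_PER_REPLICA)]


if __name__ == "__main__":
    pid = permanent_id("aaaaaaaaaaaaaaaa.onion")  # constructed address, decodes to ten zero bytes
    now = 8640000  # constructed timestamp (100 days after the epoch)
    for days_ahead in range(3):  # IDs for today and the next two periods, both replicas
        t = now + days_ahead * SECONDS_PER_DAY
        for replica in (0, 1):
            print(days_ahead, replica, descriptor_id(pid, t, replica).hex())
```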