Kang <td66bshwu@gmail.com> writes:
> Here are my thoughts regarding why merging the Hidden Service directory system and regular directory system is a bad idea.
Thanks for your thoughts.
I'm also unsure whether ditching the hash ring system is a good idea, but here are some comments on your thoughts:
> It would mean each directory server effectively has a list of every hidden service in the network. This may or may not be an issue if the descriptors are encrypted.
This should not be an issue when #8106 is implemented. We should only ditch the hash ring after #8106 gets implemented.
> Additionally, you could clog up the directory servers (potentially causing a DoS situation) by publishing massive quantities of hidden service descriptors. This may already be possible with router descriptors; however, I'm not sure: do directory servers store an arbitrary number of router descriptors from the same IP?
AFAIK, this should also be possible with the current state of HS descriptor publishing.
> Since directory servers don't tend to change, they would appear responsible for each hidden service, opening up the possibility of lawyer attacks => "we demand you stop hosting descriptors for this criminal hidden service", or "you have been aiding criminals by serving this hidden service's descriptors". Also, since they don't change, it would be far more worthwhile for an adversary to try to attack or subvert them. The moving-target system that is currently in place is far stronger against these types of attacks.
IANAL, so I can't really comment on this point.
Still, it seems to me that even with the current hash ring system, someone can accuse HSDirs of hosting descriptors of an HS for the current time period. Until #8244 is solved, they can even accuse future HSDirs.
> Lastly, since the hidden service will be establishing a circuit to each directory server periodically, it may be possible to perform statistical attacks such as a predecessor attack against it. This isn't an issue with router descriptors since the onion routers aren't trying to be anonymous, but it is an issue with hidden service descriptors.
This is worth thinking about. However, even with the current situation, Hidden Services periodically establish circuits to their HSDirs, so I'm not sure if ditching the hash ring will make any difference.
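To make the "moving target" point above concrete, here is a small toy model of the v2 hash ring placement (added example, not code from Tor or from anyone in this thread). It follows the v2 rend-spec derivation (time-period offset by the first byte of the permanent id, secret-id-part = H(time-period | cookie | replica), descriptor-id = H(permanent-id | secret-id-part), three consecutive HSDirs per replica) but uses constructed fake HSDir fingerprints and a constructed service id; the ring size and helper names are assumptions.

```python
import hashlib
from bisect import bisect_left

# Constructed toy ring: 32 fake HSDir "fingerprints" (not real relays), kept sorted.
HSDIRS = sorted(hashlib.sha1(f"toy-hsdir-{i}".encode()).digest() for i in range(32))
REPLICAS = 2           # v2 publishes two replicas of each descriptor
SPREAD = 3             # each replica lands on 3 consecutive HSDirs on the ring
PERIOD_SECONDS = 86400 # one time period is a day

# Constructed 80-bit permanent id standing in for a real service's key hash.
PERMANENT_ID = hashlib.sha1(b"toy-onion-service-key").digest()[:10]


def time_period(now, permanent_id):
    # Per-service offset so that not every service rotates at the same instant.
    return (now + permanent_id[0] * PERIOD_SECONDS // 256) // PERIOD_SECONDS


def descriptor_id(permanent_id, period, replica, cookie=b""):
    secret_id_part = hashlib.sha1(period.to_bytes(4, "big") + cookie + bytes([replica])).digest()
    return hashlib.sha1(permanent_id + secret_id_part).digest()


def responsible_hsdirs(permanent_id, now):
    """Return the set of HSDir fingerprints responsible for this service at time `now`."""
    period = time_period(now, permanent_id)
    chosen = set()
    for replica in range(REPLICAS):
        did = descriptor_id(permanent_id, period, replica)
        start = bisect_left(HSDIRS, did)  # first fingerprint at or after the descriptor id
        for k in range(SPREAD):
            chosen.add(HSDIRS[(start + k) % len(HSDIRS)])
    return chosen


def rotation(permanent_id, start_time, days):
    """Responsible sets for `days` consecutive periods; each is computable from public data."""
    return [responsible_hsdirs(permanent_id, start_time + d * PERIOD_SECONDS) for d in range(days)]


if __name__ == "__main__":
    for day, hsdirs in enumerate(rotation(PERMANENT_ID, 1_400_000_000, 5)):
        print(day, sorted(h.hex()[:8] for h in hsdirs))
```

Running it shows the responsible set moving from day to day, which is what the current design buys over a fixed set of directory servers; it also shows that anyone holding the permanent id can compute the sets for future periods in advance, which is the #8244 caveat raised above.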