On Mon, May 27, 2013 at 11:39:06AM -0700, Micah Lee wrote:
> Would it be fair to say that using the techniques published in this paper an attacker can deanonymize a hidden service?
Yes, if you're willing to sustain the attack for months.
But actually, this Oakland paper you're looking at is a mash-up of two paper ideas. The first explores how to become an HSDir for a hidden service (so you can learn its address and measure its popularity), and then how to become all the HSDirs for a hidden service so you can tell users it's not there. That part is novel and neat. The second idea explores, very briefly, how guard rotation puts hidden services at risk over the course of months. Imo this second issue, which I think is the one you're interested in, is much better explored in Tariq's WPES 2012 paper: http://freehaven.net/anonbib/#wpes12-cogs and you should realize that the risk applies to all Tor users who use Tor over time and whose actions are linkable to each other (e.g. logging in to the same thing over Tor).
> Based on this thread it looks like there are several open bugs that need to be fixed to prevent these attacks. It seems to be that hidden services still have advantages to leak sites (sources are forced to use Tor, end-to-end crypto without relying on CAs), but for the time being the anonymity of the document upload server isn't one of them.
It still requires a pretty serious attacker to pull this off. But it is also a realistic attack for this pretty serious attacker. I guess it depends where your bar is -- it cannot, alas, be very high at this point for a low-latency network like Tor that's still pretty small. But I think it would be incorrect to say that hidden services have "no" anonymity. (Also, as you say, anonymity for the news collection website may not be its most important security property.)
The attack to compare it to would be a network-level (AS-level or IX-level) observer who watches whatever parts of the Internet it can see, and hopes that it observes a flow between Alice (the Tor client) and one of her guards. As Alice rotates guards, both due to natural relay churn and due to guard rotation, the chance that such an attacker sees one of these flows goes up. This attack is not easy to resolve, since it has to do with Internet topology, Tor network topology, and the user and destination locations relative to these.
Hidden services do seem inherently at a disadvantage, because the attacker can dictate how often they talk to the network. Whether that disadvantage is significant depends on how pessimistic you are about the rest of the problem.
See also "Measuring the safety of the Tor network" and "Better guard rotation parameters" on http://research.torproject.org/techreports.html for further background open research questions.
> Is this accurate, and is there any estimate on how long do you think this will be the case? Months, years?
Depends how we end up resolving the guard rotation issue. We should raise the guard rotation period, which will screw up load balancing (and thus performance) unless we teach clients to handle it; and we should reduce the number of guards a client uses, which will increase variance of performance, making more Tor users stuck with crappy guards and hating life.
"Sooner if you help", I think is the phrase the Debian folks use? :)
--Roger
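A toy model of the guard-rotation exposure Roger describes, added here as an illustration and not code from the thread or from Tor. It assumes bandwidth-weighted guard selection (so an adversary holding fraction c of guard bandwidth wins each pick with probability c); the policy parameters (3 guards, 60-day rotation, and so on) are constructed constants, not Tor's real values, and the churn term is a crude stand-in for natural relay churn.

```python
"""Toy exposure model for the guard-rotation risk discussed above.
Constructed for illustration; the parameter values are not Tor's real ones."""
import random

def picks_over_horizon(num_guards, rotation_days, horizon_days):
    """Number of guard selections a client makes in horizon_days when it
    keeps num_guards guards and replaces each one every rotation_days."""
    return num_guards * (1 + horizon_days // rotation_days)

def exposure_analytic(c, num_guards, rotation_days, horizon_days):
    """P(at least one selected guard is adversarial) when the adversary holds
    fraction c of guard bandwidth and selection is bandwidth-weighted, so
    every pick is an independent trial with success probability c."""
    n = picks_over_horizon(num_guards, rotation_days, horizon_days)
    return 1.0 - (1.0 - c) ** n

def exposure_simulated(c, num_guards, rotation_days, horizon_days,
                       churn_daily=0.0, trials=5000, seed=1):
    """Monte Carlo version that also models relay churn: each day every
    guard leaves the network with probability churn_daily, forcing an
    extra pick. With churn_daily=0 this converges to exposure_analytic."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ages = [0] * num_guards  # days since each guard slot was (re)filled
        hit = any(rng.random() < c for _ in range(num_guards))
        for _day in range(horizon_days):
            if hit:
                break
            for i in range(num_guards):
                ages[i] += 1
                if ages[i] >= rotation_days or rng.random() < churn_daily:
                    ages[i] = 0
                    hit = hit or rng.random() < c
        hits += hit
    return hits / trials

def compare_policies(c, horizon_days):
    """Exposure under the two levers mentioned in the reply: a longer
    rotation period and fewer guards. Keys are (num_guards, rotation_days)."""
    policies = [(3, 60), (3, 270), (1, 60), (1, 270)]
    return {p: exposure_analytic(c, p[0], p[1], horizon_days) for p in policies}

if __name__ == "__main__":
    for (k, r), p in compare_policies(0.01, 365).items():
        print(f"{k} guard(s), rotate every {r:3d} days: {p:.3f}")
    print("3 guards, 60 days, 1%/day churn:",
          exposure_simulated(0.01, 3, 60, 365, churn_daily=0.01))
```

The analytic table shows why both levers matter: with 3 guards rotated every 60 days a 1% adversary is picked at least once in a year with probability about 0.19, while one guard rotated every 270 days drops that to about 0.02, at the load-balancing and variance cost the reply points out.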