On Fri, Apr 03, 2015 at 03:57:33PM +0100, George Kadianakis wrote:
I lean heavily towards the "popularity is private information and we should not reveal it if we can help it" camp
Hi George,
Thanks for your thoughts. I'm currently in this camp too.
Also, these statistics are forever: even if you didn't care about a group of users in the past, but you start caring about them now, you can still look back and see their development over time.
To me this is one of the strongest arguments against.
-- Hidden services publish hidden service descriptors to 6 HSDirs. This means that every day you will learn 6 noisy values for your target hidden service, not just 1. It's easier to remove noise that way.
I think tracking popularity by looking at reporting by HSDirs would be quite easy. The main reason is that each day every hidden service picks its own new set of 6 HSDirs. So even if there is noise confusing you today, tomorrow will be a new (independent) set of noise, etc. Doing an intersection attack on these values for your target hidden service should work nicely over time.
To be honest, I have not heard convincing enough arguments that would make me ditch popularity hiding. Some extra statistics or some small optimizations do not seem exciting enough to me. Please try harder. This could be a nice thread to demonstrate all the positive things that could happen if we ditch popularity-hiding.
It would be great if everybody here could do some brainstorming on this one. It would be a shame if we close a design door just because we weren't open-minded enough to think of benefits (as opposed to closing the design door because we weighed both sides and made an informed decision).
The dynamic introduction point formula is something that we could disable by default, but also leave it as a configurable option for people who want to use it. That is, it will then be *the choice of the hidden service operator* whether he cares about popularity being hidden or not.
Makes sense to me.
On the normal Internet, popularity is private by default.
I wish this were more true than it is. There are all sorts of mechanisms on the 'normal' Internet that track popularity at the large scale -- verisign and other people at the top of the dns root track requests and publish summaries; ISPs track clicklogs and publish summaries; and third-party vendors sucker millions of users into installing their surveillance toolbars so they can publish summaries.
So I would understand if you said "yeah, but those aren't built-in", but I think that line gets pretty blurry these days.
--Roger