Comments (4)
I've started a thread about this on the tor-talk mailing list. I think it would be good to add your questions to it: https://lists.torproject.org/pipermail/tor-talk/2014-July/033819.html
from ricochet.
Answering my own questions:
Assuming the adversary knows they are related, does publishing >1 hidden service from the same client harm anonymity?
Not significantly. The same set of guards will be used. A client publishing two services will contact twice as many HSDir, and use twice as many introduction points. At worst, this makes it more likely that a malicious relay will be chosen in one of those positions, but these relays should have limited impact.
It may be slightly easier for a guard to identify that it is being used for a hidden service, simply because there is more HS publication traffic to observe. It is probably not hard already.
Assuming the adversary can follow them through changes, does switching hidden service addresses harm anonymity (e.g. by effectively increasing the guard rotation interval)?
No. Guards are unaffected, and the set of relays used for HSDir and intro rotates very frequently.
How easily can an adversary determine that >1 hidden services are linked? How does this apply for various adversaries, e.g. simple clients, guards, ISPs, HSDirs?
Easily enough that it shouldn't be depended on for the user's anonymity. HSDir timestamps, traffic/latency patterns, the guard set, and a variety of other factors can show a relationship between services.
At what point does publishing services start to negatively impact the Tor network?
I haven't been able to find any examples of hidden services causing unreasonable load on the network. More than two per user would be excessive, and stealth-authorized services don't scale at all.
I'm confident enough in those answers to close this, and I'm going to write out some more detailed ideas on hidden service use.
from ricochet.
How easily can an adversary determine that >1 hidden services are linked? How does this apply for various adversaries, e.g. simple clients, guards, ISPs, HSDirs?
Easily enough that it shouldn't be depended on for the user's anonymity. HSDir timestamps, traffic/latency patterns, the guard set, and a variety of other factors can show a relationship between services.
Are you talking about traffic correlation or confirmation? Tor doesn't protect against confirmation, be it for hidden services or regular client use.
from ricochet.
Easily enough that it shouldn't be depended on for the user's anonymity. HSDir timestamps, traffic/latency patterns, the guard set, and a variety of other factors can show a relationship between services.
Are you talking about traffic correlation or confirmation? Tor doesn't protect against confirmation, be it for hidden services or regular client use.
"Traffic/latency patterns" is referring to confirmation attacks, yes. My overall point is that it's not too difficult to "prove" that two hidden services are published from the same source, so we should be careful designing features that would depend on that to be safe.
from ricochet.
Related Issues (20)
- website certificate expired HOT 4
- combine ricochet addressing with signal protocol and SMP
- Ref. #278 - Application Crashes When Removing Contact HOT 5
- working apparmor profile for debian sid
- Ricochet won't launch on Ubuntu Mate 18.04 HOT 2
- Add contacts button not visible
- Please @special do something HOT 54
- Suggestion: Focus on the Service. Do not include Tor HOT 7
- Idea of a feature: Decentralized chat groups HOT 1
- Ricochet for android? HOT 2
- Is this project still alive? HOT 2
- Public ricochet ID location HOT 4
- Ricochet for iPhone ? HOT 3
- Cannot start on Manjaro
- ricochet.im is either hacked, or misconfigured. You might want to check your server settings.
- John's keys that signed the tarball on download's page seem to have expired HOT 1
- RetroShare 0.6.6 alternative to ricochet HOT 1
- Ricochet stops working in October 2021 HOT 12
- Website's SSL certificate expired 3 days ago
- A lot of warning message at GUI
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ricochet.