Understand the implications of publishing multiple hidden services

[special]

Ricochet currently only publishes one hidden service per client. There are a lot of things that could be improved if we could publish more of them simultaneously, or rotate them automatically.

Before that can happen, I need to understand the implications it might have for anonymity. In particular:

• Assuming the adversary knows they are related, does publishing >1 hidden service from the same client harm anonymity?
• Assuming the adversary can follow them through changes, does switching hidden service addresses harm anonymity (e.g. by effectively increasing the guard rotation interval)?
• How easily can an adversary determine that >1 hidden services are linked? How does this apply for various adversaries, e.g. simple clients, guards, ISPs, HSDirs?
• At what point does publishing services start to negatively impact the Tor network?

[hsribei]

I've started a thread about this on the tor-talk mailing list. I think it would be good to add your questions to it: https://lists.torproject.org/pipermail/tor-talk/2014-July/033819.html

[special]

Answering my own questions:

Assuming the adversary knows they are related, does publishing >1 hidden service from the same client harm anonymity?

Not significantly. The same set of guards will be used. A client publishing two services will contact twice as many HSDir, and use twice as many introduction points. At worst, this makes it more likely that a malicious relay will be chosen in one of those positions, but these relays should have limited impact.

It may be slightly easier for a guard to identify that it is being used for a hidden service, simply because there is more HS publication traffic to observe. It is probably not hard already.

Assuming the adversary can follow them through changes, does switching hidden service addresses harm anonymity (e.g. by effectively increasing the guard rotation interval)?

No. Guards are unaffected, and the set of relays used for HSDir and intro rotates very frequently.

How easily can an adversary determine that >1 hidden services are linked? How does this apply for various adversaries, e.g. simple clients, guards, ISPs, HSDirs?

Easily enough that it shouldn't be depended on for the user's anonymity. HSDir timestamps, traffic/latency patterns, the guard set, and a variety of other factors can show a relationship between services.

At what point does publishing services start to negatively impact the Tor network?

I haven't been able to find any examples of hidden services causing unreasonable load on the network. More than two per user would be excessive, and stealth-authorized services don't scale at all.

---

I'm confident enough in those answers to close this, and I'm going to write out some more detailed ideas on hidden service use.

[hsribei]

How easily can an adversary determine that >1 hidden services are linked? How does this apply for various adversaries, e.g. simple clients, guards, ISPs, HSDirs?

Easily enough that it shouldn't be depended on for the user's anonymity. HSDir timestamps, traffic/latency patterns, the guard set, and a variety of other factors can show a relationship between services.

Are you talking about traffic correlation or confirmation? Tor doesn't protect against confirmation, be it for hidden services or regular client use.

[special]

Easily enough that it shouldn't be depended on for the user's anonymity. HSDir timestamps, traffic/latency patterns, the guard set, and a variety of other factors can show a relationship between services.

Are you talking about traffic correlation or confirmation? Tor doesn't protect against confirmation, be it for hidden services or regular client use.

"Traffic/latency patterns" is referring to confirmation attacks, yes. My overall point is that it's not too difficult to "prove" that two hidden services are published from the same source, so we should be careful designing features that would depend on that to be safe.