That's not the case with Tor hidden services and in fact attackers could quite easily and with 100 percent reliability take control of all the rendezvous points between Tor users and specific Tor hidden services, at least for a period of time.
Tor hidden services rely on nodes with a special HSDir (hidden service directory) flag to advertise themselves on the Tor network so they can be discovered by users. Every hidden service will select six HSDir nodes to serve as its rendezvous points on a given day. This selection is done from a pool of around 4,000 nodes based on a predictable date-dependent formula.
With this formula both a Tor client and a Tor hidden service should select the same 6 HSDirs on a particular day. However, the researchers found that they could use brute force techniques to generate the keys needed for their own nodes to take up those rendezvous positions for a specific day.
The researchers managed to place their own nodes as the 6 HSDirs for facebookcorewwwi.onion, Facebook's official site on the Tor network, for the whole day on Thursday. They still held 4 of the 6 spots on Friday.
Brute-forcing the key for each node took only 15 minutes on a MacBook Pro and running the Tor relays themselves cost US$62 on Amazon's EC2 service.
New nodes receive the HSDir flag automatically after being up for around five days and attackers could set up nodes to become the HSDirs for a particular hidden service for the next five days with around US$200, the researchers estimated.
This technique will give attackers control over one end of the connection, but in order to perform traffic correlation attacks the attacker would also need to have visibility into the entry point. This can be achieved by someone who can monitor users' traffic before it enters the Tor network.
For example, a government monitoring its Internet users through ISPs could use this attack to perform traffic analysis and determine who visited a dissident site hosted on Tor. A law enforcement agency could do the same with the help of ISPs to identify who is visiting an illegal website that runs as a Tor hidden service.
The goal of the two researchers was to prove that "hidden service users face a greater risk of targeted de-anonymization than normal Tor users," because it's much easier to reliably control all HSDirs for a specific hidden service than to control all Tor exit relays that might be used to access a website.
Runa Sandvik, a security researcher and former Tor developer who was at the conference, agreed that it's technically easier to pull off such an attack than to monitor Tor exit traffic, but pointed out that the Tor Project is aware of the issue and has been working on a fix for some time.
Sign up for Computerworld eNewsletters.