Aeris writes: > > Does it apply also to traffic going from/to hidden services? How safe are > > users of hidden services when compared to users that browse clearnet with > > Tor? > > Correlation is possible but very more difficult, because 3 nodes for client > to > rendez-vous points, then 3 others for rendez-vous to HS.
As I said in my previous message, I don't think this is the case because the correlation just requires seeing the two endpoints of the connection, even without knowing the complete path. This is even possible with a hidden service because the server that provides the hidden service also uses an entry guard of its own, which is the "endpoint" for traffic correlation purposes when a user is contacting the hidden service, despite the much longer (and so harder to observe) path within the Tor network. The lack of security improvement from longer path lengths is described in https://www.torproject.org/docs/faq.html.en#ChoosePathLength > Strength of HS is also to not have clearnet output, even if the « exit » node > of one of the circuits id compromised, an attacker can’t access clear data. > Not the case on the standard case, when compromised exit node have access to > all the user data if HTTPS is not used. That's definitely an improvement, although there's an issue in the long run that the crypto in HTTPS is getting better faster than the crypto in Tor's hidden services implementation. :-) -- Seth Schoen <sch...@eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk