Date: Tue, 1 Jul 2014 23:39:51 -0700
From: Seth David Schoen <schoen@eff.org>
To: tor-talk@lists.torproject.org
Message-ID: <20140702063951.GU27275@mail2.eff.org>
References: <f0ed32b8cebd1062c60b786d04a9ecf0@openmailbox.org>
Subject: Re: [tor-talk] How to identify owners of .onion services?

williamwinkle@openmailbox.org writes:

> How would it be possible for an adversary to learn that Person X
> rented a Tor hidden server from a hosting company that provided
> .onion domains and hosting (assuming that Person X paid for his/her
> hosting with Bitcoins and did not do anything stupid to tie his or
> her 'clear web' identity to his or her .onion identity)?

One avenue of attack would be the channel of communication that that
person uses to administer the server.  For example, they might use ssh
over Tor to log in to administer it.  A very powerful adversary, or an
adversary who was already watching a particular user and a particular
server or hosting facility, could try to associate these traffic flows.

Another avenue would be trying to deanonymize the payments.  Bitcoin has
some risks for users' anonymity, including observing the IP address
that relayed a transaction, and trying to trace the payment history of
particular coins backwards to learn where they previously came from.

There's been a fair amount of research interest in trying to find
the physical server that corresponds to a particular hidden service.
There are a lot of ideas for that; some of them involve generating
distinctive traffic to the hidden service and seeing if similar traffic
emerges somewhere on the Internet, or trying to attack or disrupt
different physical-world hosting facilities to see which attacks cause
disruption for the reachability of the hidden service.  (The adversary
can also operate Tor nodes and hope to be chosen as an entry node by
the hidden service.)  In the scenario you asked about, though, the
adversary might possibly already know where the hidden service's server
equipment is physically located and just be unsure where it was being
administrated from.

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107

