Tor Connections To Hidden Services Could Be Easy To De-Anonymize

angry tapir writes with news of a report presented Friday at Hack In The Box which outlines a counterintuitive fact about Tor: Identifying users who access Tor hidden services — websites that are only accessible inside the Tor anonymity network — is easier than de-anonymizing users who use Tor to access regular Internet websites. That's because the addresses of the Hidden Service Directories (HSDirs) used to index those Tor-network-only sites, though shuffled daily, can be predicted (and hijacked) with cheap brute-force techniques. "The researchers managed to place their own nodes as the 6 HSDirs for facebookcorewwwi.onion, Facebook's official site on the Tor network, for the whole day on Thursday. They still held 4 of the 6 spots on Friday. Brute-forcing the key for each node took only 15 minutes on a MacBook Pro and running the Tor relays themselves cost US$62 on Amazon's EC2 service.

The good thing is

[gweihir]

TOR is getting a lot more research attention now. That can only make it stronger in the long run.