On Tue, Mar 20, 2007 at 12:37:22PM -0400, James Muir wrote:
> I know that hidden servers must post their descriptors to the DAs
> anonymously to avoid exposing their IP addresses. Is this done through
> a normal (i.e. three hop) circuit?

Yes.

> I suspect it is not because in
> src/or/circuitbuild.c there is a condition for creating one-hop tunnels
> and a log message "Launching a one-hop circuit for dir tunnel."

No, one-hop circuits are for begin_dir cells. See 6.2.1 in tor-spec.txt.
They let you connect to a directory port in an encrypted authenticated
manner, which can also be handy when your local network is filtering
certain http requests or ports. The one-hop circuits are intended for cases
where currently you'd just be making a direct connection: now you connect
to the Tor server and ask to connect to its dirport.

> My concern here is that using a one-hop circuit exposes the origin of
> the hidden service to that onion router (i.e. the one-hop).

Yep. That would be bad.

> Even if the
> data the one-hop relays to the DA from the OP is encrypted, the one-hop
> still learns an IP address which originates some hidden service
> (although, it may not be certain which one exactly).

Agreed.

--Roger

