On Fri, Apr 03, 2015 at 03:57:33PM +0100, George Kadianakis wrote: > I lean heavily > towards the "popularity is private information and we should not > reveal it if we can help it" camp
Hi George, Thanks for your thoughts. I'm currently in this camp too. > Also, these statistics are forever: even > if you didn't care about a group of users in the past, but you start > caring about them now, you can still look back and see their > development over time. To me this is one of the strongest arguments against. > -- Hidden services publish hidden service descriptors to 6 HSDirs. > This means that every day you will learn 6 noisy values for > your target hidden service, not just 1. It's easier to remove noise > that way. I think tracking popularity by looking at reporting by HSDirs would be quite easy. The main reason is that each day every hidden service picks its own new set of 6 HSDirs. So even if there is noise confusing you today, tomorrow will be a new (independent) set of noise, etc. Doing an intersection attack on these values for your target hidden service should work nicely over time. > To be honest, I have not heard convincing enough arguments that > would make me ditch popularity hiding. Some extra statistics or some > small optimizations do not seem exciting enough to me. Please try > harder. This could be a nice thread to demonstrate all the positive > things that could happen if we ditch popularity-hiding. It would be great if everybody here could do some brainstorming on this one. It would be a shame if we close a design door just because we weren't open-minded enough to think of benefits (as opposed to closing the design door because we weighed both sides and made an informed decision). > The dynamic introduction point formula > is something that we could disable by default, but also leave it as > a configurable option for people who want to use it. That is, it > will then be *the choice of the hidden service operator* whether he > cares about popularity being hidden or not. Makes sense to me. > On the normal Internet, > popularity is private by default. I wish this were more true than it is. There are all sorts of mechanisms on the 'normal' Internet that track popularity at the large scale -- verisign and other people at the top of the dns root track requests and publish summaries; ISPs track clicklogs and publish summaries; and third-party vendors sucker millions of users into installing their surveillance toolbars so they can publish summaries. So I would understand if you said "yeah, but those aren't built-in", but I think that line gets pretty blurry these days. --Roger _______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
