Hidden stealth service

devildancer · November 22, 2021, 7:00pm

hello, im doin an investigation about tor for my project of college. As a result i found out about the hidden stealth (?) services. My question now is, whats the difference between hidden services and hidden stealth services, if there are this stealth services. I couldnt find any helpful posts.
Thx a lot.

joedoe47 · November 22, 2021, 7:37pm

When it comes to hidden services. The stealth option has been changed to “client authorization”. In where you run a hidden service but tor will check if the person connecting has a special key to be able to access your hidden service.

This is great if you have only ‘N’ number of small users who will access your site. (and you have to know these small users because you have to manually give them the key to access it via email, in person, in usb, etc)

Tor Project | Client Authorization

devildancer · November 22, 2021, 7:48pm

thanks a lot!

smuggler · December 1, 2021, 1:44pm

So my understanding is, that normal “Hidden Services” are listed in the Tor directory and therefore discoverable. What can attackers do with the information listed in the directory and can I proactively do something to harden against such attacks?

And further, do authenticated hidden services prevent these kind of attack vectors? I.e. do outsiders already have contact to my authenticated hidden service" or is the key check done somehow and somewhere before?

Background of this question comes from watching the following video (starting at minute 1:30):
https://inv.riverside.rocks/watch?v=n3EWENfaMOs&t=90

gus · December 1, 2021, 2:10pm

Nope. There isn’t a “Tor Directory”.

Please read: Tor Project | Client Authorization

smuggler · December 1, 2021, 2:43pm

Thanks for the answer. I think I imagined the distributed hash table as a kind of “Tor Directory” which is obviously wrong.

So in the hash tables one can find just the addresses of the 3 introduction points, not my hidden service, right? These introduction points will also check if the connecting client has the authentication keys needed I reckon? So if a client can’t provide them no single data packet from them will reach my hidden service?!

devildancer · December 1, 2021, 3:10pm

yeah in the DHT u can only find the IPs of the intro. points and the HS public key. The HSDir gives the DHT to the Client and the Client can encrypt the hash table cause the hash of the table is the onion adress. the client then connects to one random introduction point which is already in line with the HS. The HS then decides if he wanna talk to the client.
Thats how i understand it works in general.

gus · December 1, 2021, 3:13pm

Yes, your onion service will upload an encrypted data to HSDirs. If you enable client authorization, clients won’t connect without the private key. You can use client authorization to protect your Onion Service against DoS attacks (see our docs).