An HSDir is a Tor node that any user connecting to a .onion has to contact to receive the routing information that allows it to contact the hidden service. Because of how hidden services select their HSDir nodes from the set of available Tor nodes, an attacker can reliably and deterministically position itself as the HSDir for a given .onion by bruteforcing identity keys. This gives the attacker a “ping” when someone wants to connect to a .onion, and the attacker can correlate that connection like it would correlate traffic seen at an exit node.

What follows is that a Tor user connecting to a hidden service is strictly more vulnerable to correlation attacks than a Tor user connecting to a normal website because – unlike with exit nodes – it is possible for attackers to deterministically position themselves as one of those machines.

In this talk we cover the analysis we performed against a list of well known hidden services and will release a web app to analyze any given .onion and a tool to monitor the network for suspect node behavior.