Updated Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified – if an attacker is willing to put in the time and resources.

The discovery is significant, because browsing hidden services had been thought to be more secure than the more typical practice of using the Tor network to browse the open web anonymously.

Not so, say Filippo Valsorda, a member of CloudFlare's security team, and George Tankersley, an independent researcher. In their presentation, the pair showed that it's surprisingly easy to subvert anonymous access to a hidden server – and thus possibly identify a user of that server – if you're sneaky about it.

That's bad, because hidden services are operated not just by dodgy sites like the Silk Road but also by legitimate sites like Facebook. Tor often hits the headlines for enabling things like online drug souks and other criminal operations, when it can be and is used by journalists, whistleblowers, security researchers, and anyone who values their privacy, to exchange information and surf the web anonymously.

"If you run a hidden service that does not need location hiding, you are unnecessarily exposing your users to this risk," the researchers said. "It would probably be better to let them use Tor on your TLS-enabled clearnet site."

When using Tor to browse the open web anonymously, you log into an entry point server and then your traffic is rerouted and fed out of an exit server, disguising your IP address. The weakness in this approach is that it would technically be possible to run enough rogue entry and exit nodes to link where users hop onto the Tor network to where they hop off. It would require massive resources and for Tor operators not to notice, but it's possible.

Hidden services eliminate this possibility, because all traffic stays within the Tor network itself. There's no exit node to link to an entry node, which is why using hidden services is thought to be more secure.

Hidden services require the use of HSDir (hidden service directory) nodes to operate, two sets of three apiece. These nodes manage connections to the hidden service, and it only takes four days of continuous operation for an HSDir node to be considered "trusted."

The two suggest an attacker could identify users' connections by running rogue HSDir nodes themselves, something that had been thought hard to do but is actually relatively easy and computationally cheap to pull off. To demonstrate, they set up such nodes and then successfully convinced Facebook's hidden service to accept most of them as its HSDir providers.

"You can substitute a malicious HSDir (which we demonstrated are much easier to become) instead of an exit node in that process," Tankersley told The Reg.

"Since HSDirs can serve that purpose, but are more weakly protected than exit nodes, it is easier to attack hidden service users in this way than people who are just connecting to normal websites through Tor."

"Since this is quite counterintuitive, we thought people should know about it. But you still need control of something on the "entry" side of the connection before you can identify anyone."

There are ways for site operators to protect against this, however. Hidden service providers are advised to be very wary of young HSDir nodes – or even better, to run their own HSDir nodes, which has the benefit of also providing a warning if other HSDir nodes try to attach themselves to the service.

The researchers have released software tools to help spot dodgy HSDir nodes and they say that a proposed change to the Tor software for hidden services could stop this kind of correlation attack. A spokesperson for the Tor Project could not be reached for comment.

In the meantime, caveat empTor. ®

Updated to add

Kate Krauss, Tor's director of communications, told us after the publication of this article: "We exist to safeguard users. If we ever do have an attack that threatens our users, we will publish a blog post about it on our web site and then tweet it @TorProject to make sure that lots of people see it."