Onion Service Guard Protection - HSLayer2Nodes / HSLayer3Nodes

There is a nice little feature in Tor 3.3.1. Maybe we can enable this for users (via torrc.d) running onion services because it will provide considerable protection against guard enumeration.

Major features (onion services):

Provide torrc options to pin the second and third hops of onion service circuits to a list of nodes. The option HSLayer2Guards pins the second hop, and the option HSLayer3Guards pins the third hop. These options are for use in conjunction with experiments with “vanguards” for preventing guard enumeration attacks. Closes ticket 13837.

Mitigate guard discovery by pinning middle node (#13837) · Issues · Legacy / Trac · GitLab


Why doesn’t Tor Project make this the default?

My guess is that they are still testing it, but really I feel confident enough about their code quality to trust this. Also, even if it doesn’t work, users won’t be any worse off than they are now.

Could you open a ticket please asking them to make it the default?



Got a swift reply:

IIRC, and AFAIK, that’s why it’s not enabled by default until that problem is fixed, i.e. when the rest of the padding negotiation proposal is implemented: http://jqs44zhtxl2uo6gk.onion/torspec.git/tree/proposals/254-padding-negotiation.txt


A post was split to a new topic: vanguards - Additional protections for Tor Onion Services

Just now looked into the manual Tor Project: manual

HSLayer2Nodes / HSLayer3Nodes does not seem easy to use for a Linux derivative (Whonix). Syntax is:

HSLayer2Nodes node,node,…
HSLayer3Nodes node,node,…

I.e. one has to pick nodes (Tor relays). I don’t think we should pick a default list for all Whonix users. Looks like at best this is something to document on this page:


How practical is it to have a script enumerate the available Tor nodes from the consensus and draw a list of randomly selected nodes for each category?

Should be implemented upstream.

Conflicts with current policy Tor - Whonix

Doesn’t mean that policy couldn’t be discussed.


Also not clear to me if vanguards - Additional protections for Tor Onion Services is a replacement for this.
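
Added example, not part of the original thread and not Tor Project or Whonix code: a sketch of the script idea asked about above, reading relay entries (`r`/`s` line pairs) from consensus text and drawing disjoint random sets for HSLayer2Nodes and HSLayer3Nodes. The flag filter, the set sizes, uniform (not bandwidth-weighted) selection and the constructed sample input are all assumptions.

```python
import base64
import random

REQUIRED_FLAGS = {"Fast", "Running", "Stable", "Valid"}  # assumed selection policy

def parse_relays(consensus_text):
    """Return [(fingerprint_hex, flags)] from the r/s line pairs of a consensus."""
    relays, current = [], None
    for line in consensus_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "r":
            ident = fields[2]  # base64 identity digest, padding stripped
            raw = base64.b64decode(ident + "=" * (-len(ident) % 4))
            current = raw.hex().upper() if len(raw) == 20 else None
        elif fields and fields[0] == "s" and current:
            relays.append((current, set(fields[1:])))
            current = None
    return relays

def pick_layers(consensus_text, n2=4, n3=8):
    """Draw disjoint random sets for layer 2 and layer 3 (sizes are arbitrary)."""
    eligible = [fp for fp, flags in parse_relays(consensus_text)
                if REQUIRED_FLAGS <= flags]
    if len(eligible) < n2 + n3:
        raise ValueError("not enough eligible relays in consensus")
    chosen = random.SystemRandom().sample(eligible, n2 + n3)
    return chosen[:n2], chosen[n2:]

def torrc_lines(layer2, layer3):
    """Format the picks as torrc options, using $fingerprint node specs."""
    return ["HSLayer2Nodes " + ",".join("$" + fp for fp in layer2),
            "HSLayer3Nodes " + ",".join("$" + fp for fp in layer3)]

def sample_consensus(n=16):
    """Constructed input: n fake relays, every fourth one lacking Stable."""
    out = []
    for i in range(1, n + 1):
        ident = base64.b64encode(bytes([i]) * 20).decode().rstrip("=")
        flags = "Fast Running Valid" if i % 4 == 0 else "Fast Running Stable Valid"
        out.append(f"r relay{i} {ident} 2018-01-01 00:00:00 192.0.2.{i} 9001 0")
        out.append("s " + flags)
    return "\n".join(out)

if __name__ == "__main__":
    print("\n".join(torrc_lines(*pick_layers(sample_consensus()))))
```

A list drawn once like this goes stale as relays leave the network, so it would need periodic regeneration; the script does not address that.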