GitLab

Anyone who can connect to a tor client can discover which HSs have been accessed recently, by running a timing attack against the HS cache. Cached descriptors return much faster than uncached descriptors.

This may be possible through browser JavaScript attempting HS connections and timing the responses.

An observer on the network or in control of an HSDir could potentially enhance this timing attack with network request correlation.

Yawning suggests a cache for each stream-isolation context, to avoid this issue.

Each stream-isolation cache would most likely have 0 or 1 HS descriptor in it - 0 if the URL is not a HS, and 1 if it is.