Remove the "Prioritize .onion sites when known" option
Paul Syverson brought this research up confidentially to @rhatto, @micah & security@tpo over the weekend, and we're clear to work on it in a coordinated disclosure framework.
They wanted to know who else would have access to this bug, and I mentioned @richard & @pierov.
In short, they're proposing that we disable automatic .onion site prioritization until we implement a way to separate it from the clear site visit, because the immediate redirection makes the traffic easy to fingerprint.
Their paper (under embargo!) and their message:
I and my co-authors (Rasmus Dahlberg, Tobias Pulls, and Rob Jansen) submitted a paper to PoPETs last week. We had been sharing drafts with rhatto leading up to submission, but I believe he has been too swamped to do more than glance at any of them. I am attaching the submitted draft; please do not share it with anyone else unless you get an OK from an author first.
The paper describes a vulnerability with Onion-Location. I don't see it as significantly worse than other vulnerabilities I have already reported---and presented at sessions in Costa Rica at the last in-person meeting (lacks transparency, facilitates site hijack, and onion association is trivially blockable). But rhatto thought it worth bringing up, so here goes.
The main new issue is that Onion-Location is fingerprintable by a guard adversary with high accuracy (99.9%). Onion service access is already quite fingerprintable, and onionspace is already small enough that fingerprinting attacks on individual onionsites are a concern. But as we also describe in the paper, there are only about 1500 stable and available Onion-Location sites (at the time we did the measurement). Plus, Onion-Location facilitates Website Oracles.
In the paper we make two immediate recommendations and then also research recommendations. The immediate recommendations are
Any site offering Onion-Location for which its target user population is in significant danger if their connecting to the site is detectable with high accuracy should stop offering Onion-Location immediately.
Tor Browser should immediately stop offering an automatic Onion-Location option.
(So remove the "Prioritize .onion sites when known" setting option.)
I would be happy to report in the version of the paper we make public that Tor has implemented the recommendation to stop offering automatic Onion-Location and/or to work with you to develop appropriate alternatives such as we discuss in the paper.