These websites are naturally a target for repressive governments or law enforcement agencies who have an interest in knowing who visits them.
With the researchers' new circuit fingerprinting technique, an attacker in control of an entry guard could determine with 99 percent accuracy if a Tor circuit passing through it is used to rendezvous with a hidden service or is used for general Internet browsing. This helps eliminate the background noise and focus on hidden service circuits only.
The researchers also argue that targeting hidden services with website fingerprinting techniques is easier than general Internet websites because their content doesn't change too often.
"In our attack, we show that in the realm of hidden services, we do not have those limitations that exist in the previous attacks," said Mashael AlSabah, an assistant professor of computer science at Qatar University and one of the research's authors, via email. "This makes the previous website fingerprinting attacks more serious in the particular case of hidden services."
The researchers gathered fingerprints for 50 hidden services and found that they could determine with 88 percent accuracy when a Tor client using their entry guard was visiting one of them. They also applied the same technique with a similar rate of success to de-anonymize hidden services when the computers that hosted them used their entry guard.
Hidden services run on computers that are Tor clients themselves so they need to connect to the network through entry guards. However, the entry guards for those computers should not be able to tell which hidden services run on them, because the whole point of hidden services is to hide the IP addresses of the computers hosting them.
Instead, Tor users connect to hidden services through nodes that acts as rendezvous points and are selected according to a special algorithm.
Attackers could increase their chances of success by creating multiple entry guards. A Tor client typically chooses three entry guards and uses them for a period of 45 days on average. Every time a new connection is established, one of the three entry guards is selected.
The more entry guards under their control, the more chances attackers would have of identifying users visiting fingerprinted websites or de-anonymizing particular hidden services.
In their paper, which will be presented at the 24th USENIX Security Symposium next month, the researchers also propose changes to the Tor network that in their opinion would make circuit fingerprinting much harder.
"It's a known issue that hidden service circuits are noticeable, but this attack is very difficult to execute," the Tor Project said in an emailed statement. "The countermeasures described in the paper are interesting since the authors claim that deploying some of them would neutralize their attack and better defend against hidden service circuit fingerprinting attacks in general. This has yet to be proven."
Several Tor developers and privacy researchers will be attending USENIX and are interested to see the research published. "We encourage peer-reviewed research into both attacks against and defenses of the Tor network."
Sign up for CIO Asia eNewsletters.