authorMike Perry <mikeperry-git@fscked.org>2012-09-17 18:45:10 -0700
committerNick Mathewson <nickm@torproject.org>2012-09-18 16:21:35 -0400
commitacda1735fd62a8e2c90d6525049bc583f6049940 (patch)
treeb60707c7c01305f80ad1ab720c2208366ed32635
parent704fd8bb020bda2886eebd7c0b4a6192d4a6717c (diff)
Disable Guard usage for Tor2webMode.
Tor2webMode is fingerprintable by hidden services through repeated usage of the same three guard nodes for its rend and intro points.
-rw-r--r--changes/bug68664
-rw-r--r--src/or/config.c16
2 files changed, 20 insertions, 0 deletions
diff --git a/changes/bug6866 b/changes/bug6866
index 561676b765..ee1e571eb7 100644
--- a/changes/bug6866
+++ b/changes/bug6866
@@ -2,3 +2,7 @@
- Convert an assert in the pathbias code to a log message. Assert
appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
bugfix on 0.2.3.17-beta.
+ - Disable the use of Guard nodes when in Tor2WebMode. Guard usage
+ by Tor2Web clients allows hidden services to identity tor2web
+ clients through their repeated selection of the same rendezvous
+ and introduction point circuit endpoints (their guards).
diff --git a/src/or/config.c b/src/or/config.c
index 4557853cec..c77f7fbeea 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -2522,6 +2522,22 @@ options_validate(or_options_t *old_options, or_options_t *options,
options->LearnCircuitBuildTimeout = 0;
}
+ if (options->Tor2webMode && options->UseEntryGuards) {
+ /* Tor2WebMode is incompatible with EntryGuards in two ways:
+ *
+ * - Tor2WebMode uses its guard nodes as rend and intro points.
+ * This makes tor2web users fingerprintable by their continued
+ * selection of the same 3 nodes for these circuits (their guard
+ * nodes).
+ *
+ * - Tor2WebMode makes unexpected use of circuit path lengths
+ * in ways that prevent us from applying the PathBias defense.
+ */
+ log_notice(LD_CONFIG,
+ "Tor2WebMode is enabled; disabling UseEntryGuards.");
+ options->UseEntryGuards = 0;
+ }
+
if (!(options->LearnCircuitBuildTimeout) &&
options->CircuitBuildTimeout < RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT) {
log_warn(LD_CONFIG,
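Review bot: The comment in the new `if (options->Tor2webMode && options->UseEntryGuards)` block explains why guards make tor2web clients fingerprintable, but not what is given up by turning them off, so a later reader cannot tell whether forcing `UseEntryGuards = 0` is a deliberate trade-off. If the reasoning is that Tor2webMode clients are not anonymous to begin with, one added sentence would record it, e.g. `* Tor2webMode clients do not expect client anonymity, so losing guard protection is acceptable.` Because the value is rewritten part-way through options_validate, any check earlier in the function that reads UseEntryGuards (for example in combination with bridges or EntryNodes; none is visible in this hunk) has already run against the old value, which is worth confirming. The notice text also spells the option `Tor2WebMode` while the field on the same lines is `Tor2webMode`; matching the torrc spelling makes the message easier to find from a config file. options_validate starts and continues outside the hunk.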