What is the OnionShare use case?
What are the anonymity expectations of OnionShare users?
I can imagine an implementation where a one-shot single onion service
is used to transfer one file. But in this case, the user's IP address is
available to:
* the (service-chosen) introduction points, and
* the (client-chosen) rendezvous point(s).

This is true whether the single onion service is a separate tor instance
(the only mode permitted by the current implementation), or a service
making single-hop connections in the same tor instance as services
making multi-hop connections.

Here's a simple attack that de-anonymises some fraction of users using
this implementation:

1. Run some number of HSDirs and relays
2. When a new descriptor is received at your HSDir, set up a rendezvous
to that service using your relay as a rendezvous point
3. If the IP address connecting to that relay is not in the consensus,
it is probably a single onion service

(This attack is not possible with next-generation hidden services,
because HSDirs cannot decrypt the descriptor without knowing the
onion address.)

The single onion service implementation is designed to protect against
accidental exposure of onion service IP addresses via attacks like this.
It's designed for use cases where an expert administrator specifically
decides to disable responder anonymity, typically for performance.

It has the following semantics:

* the single onion service mode is global: it affects all services on a
tor instance

If services can be correlated via side-channels (such as uptime), the IP
address of a single onion service could be linked to an anonymous
service on the same tor instance. (If multiple tor instances are running
on the same IP/machine/network, they can still be correlated, and this
mitigation does not affect that.)

* the single onion service mode can not be changed at runtime

This protects against linking past and future service connections, some
single-hop, some multi-hop.

* once a hidden service key (= .onion address) is generated in a
particular anonymity mode, it can not be used in the other mode

This protects against the accidental re-use of an anonymous key in
single onion service mode, linking that key to an IP address.
These option changes are not allowed at runtime, because apart from the
linkability issues, there is no way to change the number of hops in
existing hidden service connections, and the semantics are ill-defined:
It's not possible to turn a single-hop connection anonymous, and it's
not safe to make an anonymous connection single-hop.

And Damian is right: we have not been keeping
options_transition_allowed() in sync with the tor man page for some time.
Here is a fix:
https://trac.torproject.org/projects/tor/ticket/21122
When you set the option on startup, an appropriate warning about
SocksPort is issued. (Any SETCONF on these options fails
because changing them is not allowed.)

We decided not to disable the SOCKSPort automatically, because we
thought users might not like their SOCKSPort disappearing when an
unrelated option was set. Instead, we updated the documentation:
https://trac.torproject.org/projects/tor/ticket/20487

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------

Thank you, this is good to know!

For my specific use-case, it would be great if you could pass an
argument to ADD_ONION that makes that specific onion service
non-anonymous, without changing anything globally.

But for the time-being I won't add support for non-anonymous onion
services to OnionShare.