It seems like having a list of all of the hidden services might be a good way for an attacker to find poorly-secured systems, or to find obscure hidden sites.
Can an HSDir list hidden services? What percentage of them can a single HSDir find out about?
Yes, with the current design it can enumerate a small part of the hidden services. Assuming no attacks, each hidden service stores its descriptor to 6 HSDirs, so the probability is 6/#HSDirs for any moment in time. The hidden service picks a new set of HSDirs every 24 hours, so the probability of a hidden service being listed on a particular HSDir increases dramatically the longer you run your hidden service. New designs are in the works to make this infeasible.
