End of #MoreOnionsPorFavor campaign
by ggus | August 25, 2020
This week we're officially wrapping up the campaign #MoreOnionsPorFavor. Non-profits, companies, media outlets, whistleblower platforms, service providers, hackerspaces, security conferences, bloggers, and web developers joined the campaign to make the web more secure. We will email swag winners in the next few days.
Over the last month, onion services operators and our broad community celebrated and deployed a brand new feature called Onion-Location. The feature, a purple pill in the URL bar, advertises to users that there’s a more secure way to connect to a site by using onion services. Even though onion service saw the light of the day more than 15 years ago, #MoreOnionsPorFavor was our first outreach campaign to run onion sites, and more specifically to deploy Onion-Location.
As part of the Tor Project's mission, we're a non-profit with the goal to educate users about anonymity and privacy technologies that we build. During the campaign, we've learned that although many people know about the vanilla onion routing design, where a user connects over three relays to reach a website, many technologists aren't aware of how onion services actually work or what is needed to onionize a website.
That is why the campaign and the Onion-Location feature are both important: together, they educate users that onion services are just a secure way to access the internet, like HTTPS but without metadata. The campaign was also a great opportunity for websites to advertise or remind users that they have an onion site. That was the case for FragDenStaat.de, a non-profit organisation from Germany:
We have been serving Tor browser traffic on our domain via our hidden service [onion service] for a while through use of the Alt-Svc HTTP header, but your blog post gave us the incentive to make our onion service more visible.
In addition, for many onion services operators, the possibility of having their online services reachable worldwide and bypassing local censorship is an important motivation for the adoption of onion services technology. This is the specific case of media outlets that are looking to ensure and promote press freedom. Joining our campaign, Deutsche Welle wrote:
DW is a global advocate for freedom of opinion and freedom of speech. […] It is therefore a logical step for us to also use Tor to reach people in censored markets who previously had limited or no access to free media.
Some of us are passionate about onions and their security properties. Over 60 organisations and individuals -- small, medium, and large onions -- have reached out to us to be part of this campaign. Setting up an onion site can be important not only for us and our users, but also to teach your colleagues and community about how important is to protect client data, like this french criminal lawyer, who shared their onion site with us:
I would like to let you know that I, a french criminal lawyer, use a hidden service [onion service] on my professional website. […] I use it to promote Tor to other lawyers who often use encrypted message services but do not consider the matter of anonymity online, even though some famous French criminal lawyers have recently been subject to highly questionable judicial interceptions. The legal battle is not exclusive to the use of technical precautionary measures such as Tor...
In the coming months, we’re going to improve the documentation of onion services section on the Community portal with the feedback collected through this campaign and with tools that we developed to help to promote onion sites. As we mentioned previously, we offered technical support for enterprises that wanted to join this campaign. If you’re reading about the campaign now and want to set up an onion site for your organisation, send an email to us: frontdesk@torproject.org.
Finally, we want to send a big thank you to all the participants and a special thank you to our friend @cyberdees, who is an unstoppable Tor advocate!
Comments
Please note that the comment area below has been archived.
Onion services with DV/SOOC…
Onion services with DV/SOOC X.509 certs when? It's time to get rid of the EV certificate snake oil!
Shout out to Deutsche Welle,…
Shout out to Deutsche Welle, which offers English language translations of important stories about US/RU cyberwar activities targeting DE which have not been covered in the US press! :-)
> In the coming months, we’re going to improve the documentation of onion services section on the Community portal with the feedback collected through this campaign and with tools that we developed to help to promote onion sites. As we mentioned previously, we offered technical support for enterprises that wanted to join this campaign
So no more tech support for onions? That would be too bad.
The news about the DDOS attacks on onions is unsettling and I still don't like the sound of the proposed fix using tokens (possibly because I don't understand the technical details), but I am glad that TP is not giving up on the very notion of onions!
One very important onion service you did not mention in the post, which IMO is in particular need of attention, are the onion mirrors of the Debian FOSS software repositories. Please work with Debian Project to maintain awareness of how bad the DDOS problem is for those onions specifically. Recall that one of the revelations from the Snowden leaks is that NSA (and presumably the "services" of other nations) freely abuses insecurities in software downloads to inject malware into user computers, quite indiscriminately even when their immediate goal is to pop a "small" list of targeted users. Note that the Snowden leak documents (and the JA analysis published by DW about a year after the first Snowden leaks were published), the "small" lists can actually include entire large classes of users, such as
o employees of ISPs, banks, energy sector, etc, from any country
o climate scientists and diplomats from a currently targeted country
o employees of local government agencies such as police or unemployment from any country
o reporters from any country, e.g. DW, TheGuardian, Washington Post,
o employees of irritant NGOs such as Wikileaks.org, irritant bloggers,
o anti-nuclear protesters, protesters against unpopular US military bases (e.g. Okinawa)
Hello, We asked some…
Hello,
We asked some Debian developers about enabling Onion-Location and they told us that it will only happen when they update OnionBalance to a newer version on their repositories. And that's why Debian onions aren't mentioned in the post.
What about small websites…
What about small websites like blogs and stuff? They should also get coverage!
Hello John, We had the…
Hello John,
We had the participation of bloggers and individuals. They got social media coverage and some of them will get a Tor swag. :)
I wish and would love if…
I wish and would love if Wikipedia had an onion. Do you remember that one time someone set up an unofficial onion of Wikipedia for fun/experiment? Do you remember how insanely popular it was before he shut it down? Yeah.
Why isn't Mozilla's domain…
Why isn't Mozilla's domain on an onion service? It seems perfectly natural...
It would be good to turn the…
It would be good to turn the Onion-Location spec proposal into an IETF Internet-Draft, and eventually become an RFC. Even if it's only an intermediate step, if it were more widely adopted it would in effect reduce load on exit nodes, no?