Nine Questions about Hidden Services

by ailanthus | November 16, 2015

This is an interview with a Tor developer who works on hidden services. Please note that Tor Browser and hidden services are two different things. Tor Browser (downloadable at TorProject.org) allows you to browse, or surf, the web, anonymously. A hidden service is a site you visit or a service you use that uses Tor technology to stay secure and, if the owner wishes, anonymous. The secure messaging app ricochet is an example of a hidden service. Tor developers use the terms "hidden services" and "onion services" interchangeably.  1. What are your priorities for onion services development?  Personally I think it’s very important to work on the security of hidden services; that’s a big priority. The plan for the next generation of onion services includes enhanced security as well as improved performance. We’ve broken the development down into smaller modules and we’re already starting to build the foundation. The whole thing is a pretty insane engineering job.2. What don't people know about onion Services? Until earlier this year, hidden services were a labor of love that Tor developers did in their spare time. Now we have a very small group of developers, but in 2016 we want to move the engineering capacity a bit farther out. There is a lot of enthusiasm within Tor for hidden services but we need funding and more high level developers to build the next generation. 3. What are some of Tor's plans for mitigating attacks? The CMU attack was fundamentally a "guard node" attack; guard nodes are the first hop of a Tor circuit and hence the only part of the network that can see the real IP address of a hidden service. Last July we fixed the attack vector that CMU was using (it was called the RELAY_EARLY confirmation attack) and since then we've been divising improved designs for guard node security. For example, in the past, each onion service would have three guard nodes assigned to it. Since last September, each onion service only uses one guard node—-it exposes itself to fewer relays. This change alone makes an attack against an onion service much less likely. Several of our developers are thinking about how to do better guard node selection. One of us is writing code on this right now. We are modeling how onion services pick guard nodes currently, and we're simulating other ways to do it to see which one exposes itself to fewer relays—the fewer relays you are exposed to, the safer you are. We’ve also been working on other security things as well. For instance, a series of papers and talks have abused the directory system of hidden services to try to estimate the activity of particular hidden services, or to launch denial-of-service attacks against hidden services.We’re going to fix this by making it much harder for the attacker's nodes to become the responsible relay of a hidden service (say, catfacts) and be able to track uptime and usage information. We will use a "distributed random number generator"--many computers teaming up to generate a single, fresh unpredictable random number.  Another important thing we're doing is to make it impossible for a directory service to harvest addresses in the new design. If you don't know a hidden service address, then under the new system, you won't find it out just by hosting its HSDir entry. There are also interesting performance things: We want to make .onion services scalable in large infrastructures like Facebook--we want high availability and better load balancing; we want to make it serious.[Load balancing distributes the traffic load of a website to multiple servers so that no one server gets overloaded with all the users. Overloaded servers stop responding and create other problems. An attack that purposely overloads a website to cause it to stop responding is called a Denial of Service (DoS) attack.  - Kate] There are also onion services that don’t care to stay hidden, like Blockchain or Facebook; we can make those much faster, which is quite exciting. Meanwhile Nick is working on a new encryption design--magic circuit crypto that will make it harder to do active confirmation attacks. [Nick Mathewson is the co-founder of the Tor Project and the chief architect of our software.] Active confirmation attacks are much more powerful than passive attacks, and we can do a better job at defending against them. A particular type of confirmation attack that Nick's new crypto is going to solve is a "tagging attack"—Roger wrote a blog post about them years ago called, "One Cell Is Enough"—it was about how they work and how they are powerful. 4. Do you run an onion service yourself?   Yes, I do run onion services; I run an onion services on every box I have.  I connect to the PC in my house from anywhere in the world through SSH—I connect to my onion service instead of my house IP. People can see my laptop accessing Tor but don’t know who I am or where I go.  Also, onion services have a property called NAT-punching; (NAT=Network Address Translation). NAT blocks incoming connections;it builds walls around you. Onion services have NAT punching and can penetrate a firewall. In my university campus, the firewall does not allow incoming connections to my SSH server, but with an onion service the firewall is irrelevant. 5. What is your favorite onion service that a nontechnical person might use?  I use ricochet for my peer to peer chatting--It has a very nice UI and works well. 6. Do you think it’s safe to run an onion service?  It depends on your adversary. I think onion services provide adequate security against most real life adversaries.However, if a serious and highly motivated adversary were after me, I would not rely solely on the security of onion services. If your adversary can wiretap the whole Western Internet, or has a million dollar budget, and you only depend on hidden services for your anonymity then you should probably up your game. You can add more layers of anonymity by buying the servers you host your hidden service on anonymously (e.g. with bitcoin) so that even if they deanonymize you, they can't get your identity from the server. Also studying and actually understanding the Tor protocol and its threat model is essential practice if you are defending against motivated adversaries.7. What onion services don’t exist yet that you would like to see?  Onion services right now are super-volatile; they may appear for three months and then they disappear. For example, there was a Twitter clone, Tor statusnet; it was quite fun--small but cozy. The guy or girl who was running it couldn’t do it any longer. So, goodbye! It would be very nice to have a Twitter clone in onion services. Everyone would be anonymous. Short messages by anonymous people would be an interesting thing. I would like to see apps for mobile phones using onion services more—SnapChat over Tor, Tinder over Tor—using Orbot or whatever.  A good search engine for onion services. This volatility comes down to not having a search engine—you could have a great service, but only 500 sketchoids on the Internet might know about it. Right now, hidden services are misty and hard to see, with the fog of war all around. A sophisticated search engine could highlight the nice things and the nice communities; those would get far more traffic and users and would stay up longer. The second question is how you make things. For many people, it’s not easy to set up an onion service. You have to open Tor, hack some configuration files, and there's more.We need a system where you double click, and bam, you have an onion service serving your blog. Griffin Boyce is developing a tool for this named Stormy. If we have a good search engine and a way for people to start up onion services easily, we will have a much nicer and more normal Internet in the onion space.  8. What is the biggest misconception about onion services?  People don't realize how many use cases there are for onion services or the inventive ways that people are using them already. Only a few onion services ever become well known and usually for the wrong reasons. I think it ties back to the previous discussion--—the onion services we all enjoy have no way of getting to us. Right now, they are marooned on their island of hiddenness.  9. What is the biggest misconception about onion services development? It’s a big and complex project—it’s building a network inside a network; building a thing inside a thing. But we are a tiny team. We need the resources and person power to do it.  

(Interview conducted by Kate Krauss)

Comments

Please note that the comment area below has been archived.

November 17, 2015

Permalink

Great article! I assume soon to see at least 100 twitter clones and still no _good_ search engine (to be fair, the current ones are pretty good for what they are)

Some yes, i am at work and cant look for the next hours but there have been at least 3 search engine releases in the last half year on /r/onions. Next to that there is Torch and Not Evil

November 17, 2015

Permalink

brillant ! hope this means we get some updated tutorials on the various magic stuff that can be done with hidden services.

November 17, 2015

Permalink

Namaste,

Great work Kate. Thank you for the write up. As it is said 'if you build it, they (programmers) will come."

I, myself will be sure to work on this effective immediately.

Carry on!

Namaste
imu.

November 18, 2015

Permalink

something is wrong with onion service , it is not so secure & safe that it claims it !
most of time, i cannot access at the onion site of my choice.
are the server compromised or is it prohibited from my isp / rogue-state_country ?
i do not know....

November 18, 2015

Permalink

Great interview!
Bitsquare.io a decentralized Bitcoin-Fiat (or Bitcoin-Altcoin) exchange is using Tor Hidden Services as base for its P2P network (using a flooding algorithm). It is still under development but should be released in january.

November 18, 2015

Permalink

"Since last September, each onion service only uses one guard node—-it exposes itself to fewer relays."

Do you have reference for this? Where can it be checked?

'NumEntryGuards NUM' - where is the restriction for NUM be in 0...1??? Or you are just joking?! I don't believe network are turned to FORCE clients behavior and tor have some hidden ways to change clients configuration file. Consensus is just a recommendation.

November 19, 2015

Permalink

Why all the comments disappearing?

So in otherwords there is no workaround or stop for guard node intrusion currently?

How prevenlant can we expect this to be?....realsitically as posssible please.

The more I research Tor, the less secure it is in my mind.

There is trouble with comments because someone is spamming us with comments, and is filling up the database making it hard to spot valid comments and approve them.

I'm not sure what you mean by "guard node intrusion", but in general it's very hard to _completely stop_ guard node attacks in low-latency scenarios. This is because hidden services use long-term connections (that's how the web works) and hence they need to connect to a relay which learns their IP.

This is almost unavoidable with the current architecture of our onion routing. The question then becomes "how can we minimize the number of relays that get to see the IP of the hidden service". If we minimize this number, and assuming we have enough relays on the network, these attacks should be very unlikely. We are working on this these days!

There is trouble with comments because someone is spamming us with comments, and is filling up the database making it hard to spot valid comments and approve them.

I think that there is also other problems, because there is empty comments with date December 31st, 1969.

I think that this date is "-1".

> The more I research Tor, the less secure it is in my mind.

Well, don't confuse the issue of safeing this blog against spammers (which the Project has stated is a low priority) with keeping Tor itself and TB and TM safe, which are completely different things. If you read this blog carefully over the next few months, you'll probably begin to understand why things are not nearly as bad as your first impression might have led you to believe.

Tor Project faces many threats from many determined and capable adversaries, but the core software (Tor itself) has many strengths and has proven amazingly resistant to all but a handful of known attacks. When effective attacks have come to light, the Project has almost always been able to fix them quickly. The ones it can't fix easily mostly involve things like PKI and rogue CAs which are too big for Tor Project to address alone, but even here the wider community is more and more determined to force internet vendors to fix these problems.

November 19, 2015

Permalink

fter accessing some specific websites you can notice the search bar displays a plus sign green icon, if I click and add this engine to my Tor Browser, would it track and log every time I use the function? The search provider knows the user when the user added its search addons and by later changing the search code and the user dosen't add its new code. From the keywords you have seached by its addons which provides the specific code so the provider may get your important personal informations.

firefox feature. I never knew what that was. now i see, when i click it.
it looks like you can add a search engine to searchplugins in the profile directory (folder). if true, then the new search plugin will be a new xml file, which you can read and edit with text editor.

> the new search plugin will be a new xml file, which you can read and edit with text editor.

What worries some users is the possibility that website operators might be able to exploit a vulnerability in FF (which might also be present in TB) to also read and edit, and perhaps to recover a web-surfing log of the current TB instance.

This is probably less likely with Tails, but in the absence of informed comment I worry that it could be problem for TB.

Do the TB devs have any comment?

They definitely won't have any comment here (on this unrelated blog post). I suggest asking them in a venue where they're paying attention.

From my cursory look at the thread here, I don't see how adding another search option has anything to do with keeping a websurfing log.

December 14, 2015

In reply to arma

Permalink

> I don't see how adding another search option has anything to do with keeping a websurfing log.

I've noticed that some websites seem able to fiddle with TB to set their favorite search engine (e.g. the duckduckgo icon appears) and that worries me. (It's not the choice of search engine which worries me, it's the impression that the website can reset at least some TB settings.)

December 18, 2015

In reply to arma

Permalink

Can I do that anonymously, without an email account? What link should I look at? Problem might be moot now that theregister.co.uk seems to be blocking Tor.

November 19, 2015

Permalink

Nice interview and good job pointing out the need for some more easy to set up software and especially the blogging part.

If there was a secure and easy to set up onion blogging platform, even without all the bells and whistles, that would be a great step forwards for freedom of speech.

i believe it is as simple as :
1)get hardware
2)install/load (as example) freebsd in memory (use your notebook etc)
3)fill disk(s) with random data (if you need permanent storage)
4)encrypt full disk(s) with geli
^ one time only steps ^
5)install virtualbox
6)create firewall-vm, tor-vm, blogging.platform-vm
for more details use your brain and enjoy
hard reset and there are only disks with random data...
(just one small problem with geli and freebsd.apple ...)
all steps needed to reboot can/should be scripted.
as you are the only person who knows the passphrase and has the key file for geli nobody but you can reactivate this platform.

November 19, 2015

Permalink

Thanks for the reply asn. I really hope something comes to a viable fruition. It's disconcerting using Tor even with Tails after reading about these attacks.

The commenter's suggestion on the vps sounds interesting though. Thanks

Assuming you are both talking about what I know as VPNs, these can be useful, but when it comes to cybersecurity, there are no magic bullets. You may want to look up NSA/ANT's FEEDTROUGH malware targeting VPNs using commercial devices sold by Juniper, which may well be the "unauthorized code" discussed in this story:

http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-fi…
“Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic
Backdoor in NetScreen firewalls gives attackers admin access, VPN decrypt ability.
Dan Goodin
17 Dec 2015

> An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.

November 20, 2015

Permalink

Is there a way to donate directly to the hidden services development team?

If theres one thing the recent terror attacks in paris have shown us, its that the big bad fearsome five eyes are completely impotent to track known terrorists over unencrypted channels much less crack Tor. Hell even the FBI went to a university for help, not the NSA with its multibillion dollar budget and unfettered access to all the worlds communication lines, no, a university whose budget is 1/1000th of that with access to nothing.

Pathetic.

click on donate page , voila !

i enjoy they cannot track down a person ; it is not pathetic : a government ' project is done for obtaining a budget not a success _ every enterprise has this policy.

i hope that this little attack has not damaged / corrupted a server/pc or a cable ... it should have been a nightmare if it had been a magnetic attack : oops general kernel panic for all tor users.

> it should have been a nightmare if it had been a magnetic attack

You mean exploiting stray electromagnetic emanations from operating electronic device? (Countermeasures well outside the ability of the average citizen or small business are sometimes called TEMPEST.)

Is bombing foreign houses from air not a terrorists' action? And who sells you pr about five eyes tracking terrorists they are tracking you and only you... and why do you think paris gov in first place decide to participate in air bombing? Isn't it because some paris politicians have been blackmailed by nsa agents? Someone believes info in dbs selfdestructing the moment he/she became politician...
How much money do you think domestic agencies will get tomorrow for spying on locals? Guess who is getting benifits from this accident.

hmm...now the price of the apartment in paris will decrease like after the 11th at ny.
but who was the target at ny and paris -except this supposed economic trick- ?
it was not hillary (so it happened with her agreement) it is not holland or the mayor of paris (so it happened with their agreement) ...

> Isn't it because some paris politicians have been blackmailed by nsa agents?

Don't know, but USIC agencies such as CIA have for decades used the illegal fruits of NSA targeted surveillance to bribe not just French, German, Pakistani politicians, etc, etc., but also American politicians.

In past decades, US Presidents sometimes decided that using NSA surveillance for political purposes was beyond the pale, but the last President who felt that way may have been Lyndon Johnson. I recall an incident which a occurred a few days before Nixon's electoral victory. NSA brought Johnson intercepts proving that Nixon, with the connivance of the socialite and conservative political operative Anna Chennault (widow of Flying Tigers general Claire Chennault), had been conspiring with the North Vietnamese, a nation with which the US was then in a state of undeclared war, to ensure the defeat of the Democratic candidate. So Johnson had been handed proof that probably could have been used to convict Nixon of treason, a capital crime. Johnson wrote a blistering personal letter to Nixon, but decided it would be improper to disclose the intercepts.

I wish current political leaders understood that good intentions do not justify illegal actions, that one traitorous act (Nixon's) cannot be used to justify another.

Your link does not learn us nothing more we do know yet since a long time : an ( us ) citizen does not exist in the usa and for the usa.
We are a coin, a billet , a market, a network where every hand, word, fingerprint become a link and all these links are the way (your genuine and private life) to make money ; you create your life and they collect the result ... before you if they know how, who, why ...
Their job is the same than the bank do , the reason is they do want LIKE YOU a very good standing without sharing.

*i will add that i should appreciate that you stop trolling with irrelevant arguments mixing false opinion and hateful propaganda. _ REMEMBER NAZI GERMANY ELIMINATING ALL THE NON-CRIMINAL JEWS? _ lol ,

thx.

It's YOU who knows but not millions of dumb internet walkers. And how many anti-troll comments you have writen to pr news agencies which told the same things all the time? Don't try to shut up his mouth nobody will try to shut up yours.

#will you please to allow me a short answer ? it is tor blog.
1)we are agree on one thing ; it is a troll(very funny).
2)cap+jews&nazi are irrelevant.
3)speech freely as tor user does not mean bring trouble with personal attack.
#Don't try to shut up his mouth nobody will try to shut up yours (8 years old).

November 21, 2015

Permalink

I do not truly think that Tor can protect your identity. The companies out there have special browser fingerprinting programs and codes that can still determine your identity. Tor is like a kiddie toy for anonymity. If you really want true privacy, I think you have to really scramble your hardware infrastructure. I think software is just one layer, but hardware is another layer you have to tackle regarding privacy. Some hardware are bugged initially upon purchase so...let your imagination run wild.

Tor do protect your identity and hardware is not buggy ; it is a product and like others products , it is made for the consumers.
One of these one is a group (gov, private enterprise, etc) and the reason why their interest are welcome is that they give more money as consumers ; it is lobbying so the product is more made for their personal interest than for the others consumers.

A new computer is coming (nov 2015) without "hardware bug" (blob,firmware, hidden function ,etc) at 1600 $ _ it is expensive (for the same price i have a big gaming beast).

I do not understand this strange conception of " privacy " ; a true privacy !
(your privacy is real or you have not one , you cannot be at the middle or live with a false, an illusion of a "privacy".,.)

Tor is not a kiddie toy for anonymity ; more there will be users , more you will realize it.

As nice as a fully open source computer is, it does have downsides. As much as I hate to admit it, closed source CPU vendors like Intel provide many security-related instructions which massively improve security. And I don't just mean formal verification, but security-oriented features/instructions. For example, I highly doubt this open source CPU will have any of these following security features (which do provide real and tangible protection against even advanced adversaries):

- MPX: With the help of the compiler, it helps protect from many forms of buffer overflows by checking bounds on various operations.
- SGX: Allows userspace code to allocate memory which cannot even be accessed by the kernel, hiding it in encrypted "enclaves" controlled by the Management Engine.
- AES-NI: Provides side-channel resistant AES crypto in hardware. It even prevents scary and highly effective side-channel attacks like FLUSH+RELOAD and FLUSH+FLUSH from discovering the encryption key.
- RDSEED/RDRAND: High quality non-deterministic random number generator (yes it may be backdoored, but it does not cause any harm if it is, since it is not the only source of entropy).
- SMEP: Prevents the kernel from executing userland code, which is a very common method of system exploitation.
- SMAP: Like SMEP, but prevents any access to userland code when set period. It can be used to create a fully sealed kernel where even one part of the kernel cannot access other parts, like a microkernel.
- NX: Allows a memory page to be set as no-execute, preventing attackers from writing to an NX page to place malicious executable code in it (ROP and other data-only attacks are an exception, but NX is still extremely useful).
- WP: Allows setting pages read-only so even the superuser context (ring 0) cannot write to it.
- TXT: Allows a measured and trusted boot process. If it is backdoored or otherwise vulnerable, then the worst that happens is it is unable to protect you from a tampered boot. Note that TXT can even protect from some forms of hardware tampering.
- TPM: Used in Intel TXT, the TPM is basically a cheap HSM (hardware security module). It comes with its own non-deterministic RNG, and can securely store keys in a tamper-proof environment. It's not great, but better than nothing.
- VT-d (IOMMU): Directed I/O virtualization which, while initially intended for PCI passthroughs in virtual machines, it is also used to protect from malicious DMA attacks caused by compromised hardware (e.g. compromised USB hubs, Firewire, Cardbus, etc). Vanilla Linux calls this DMAR and it can be extended in functionality with VFIO, and it's also used by Xen to protect device drivers.

There are even some which are not intended to be used for security, but can be used to enhance security anyway with the right software, such as grsecurity:

- PCID: Used to enhance the security and performance of PaX UDEREF on x86_64.
- Memory segmentation (i386 only): Used to enhance the security and performance of PaX UDEREF and KERNEXEC on i386.
- RDTSC: High-precision timer, useful both to detect side-channel attacks, and for medium-quality userspace random number generators (e.g. HAVEGE, Dakarand, Jitterentropy, etc). While it is also useful to *perform* side-channel attacks, it can be disabled in ring 3 with the CR4 bit (in Linux, this is done with the PR_SET_TSC flag in the prctl() syscall, or the disable_tsc() instruction from within the kernel).

There are several other security-related ISA extensions which Intel, and AMD to some extent (and to a lesser, ARM) which I have not mentioned because I know little about them, like Protection Keys. Anyway, you get my point.

BTW, there is already an open source CPU out there. The UltraSPARC T1 and T2 (also called OpenSPARC). It is fully open, verilog and all. It is (obviously) of the SPARC architecture, and provides 64 hardware threads and up to 8 cores. However, even it does not have as many security features as modern Intel CPUs.

TL;DR
I'm not trying to say that an open source CPU is a bad idea - it all depends on your threat model. But when it comes to software exploitation, even exploitation by an adversary such as the NSA, it is highly likely that a modern x86 CPU will be more resistant than a custom open source one, at least today.

Your post is very interesting but i disagree with your point of view.
The point is to not be under control or under survey , that you can choose and decide by yourself that you want.
A state sponsored founder or an us company or worse ; something from eu , bring nothing at the customer:user (i am not speaking about a commercial site or gaming or professional of the web).
Intel do not bring nothing, they _ like all the enterprises in the world _ manage their own industry(ies),services,licenses,etc. you are using their products, they look at their benefits without bring you any service for you especially _ they normalize their communication in a world plan on a large scale _ for their contracts with another states, government, enterprises, private services.
An enterprise demands, requires a function, a service ; Intel made it ; it is an us enterprise for the us enterprises on the us territory.
In fact, that you wrote could be right and accepted if we spoke about enterprise or fbi or for a commercial ambition ... but we spoke about 'hardware without bug' as a freedom for an user.
As users we do not need so many features-often unknown and very dangerous for the privacy- we do not need to be more protected or more resistant at an attack _ we do not want to be involved, included in their plan BECAUSE it is our own right,

You really need to work on threat modeling... Yes, it is a kiddie toy if you suspect you are being targeted with advanced physical attacks that will do keystroke logging and such. But if your goal is to avoid being a suspect in the first place, *that's* what Tor is designed for, and what it is so good at. Saying Tor is a kiddie toy is like saying a bulletproof vest is useless if someone gives you a fake bulletproof vest with a bomb in it.

As for your statement about "special browser fingerprinting and codes", sure, some of them have exploits. Browsers are huge beasts with a massive attack surface. But that is not a break in Tor, that is an exploit. You can reduce the chances of that (and browser fingerprinting) by disabling javascript via the security slider. However, if you claim they mass-deploy this "fingerprinting code", you can be easily proven wrong. People would notice if such code was mass-deployed. I already answered you when you made a comment on another unrelated blog post anyway, explaining how such fingerprinting would and wouldn't work.

> Yes, it is a kiddie toy if you suspect you are being targeted with advanced physical attacks that will do keystroke logging and such.

Tor is very far from being a "kiddie toy" when one is being individually targeted by attackers with FVEY capabilities. Snowden-leaked FVEY documents contain much evidence to support this view.

Why? Here is one reason: even advanced attackers often make coding errors which have in some cases revealed their attack to the prospective victims. In particular, NSA's own network and their cyberattack software tends to be a hastily constructed mishmash of jury-rigged tools. And the bigger the adversary entity, the more likely they are to step on their own toes. Alert users can sometimes detect and exploit this, for example by allowing the attacker to spy on what we want them to hear (turning a common GCHQ tactic back upon our enemies), or by introducing honey pots where we can study their tradecraft.

Each attack gives us a potential opportunity to learn about the attacker and to expose their activity, or even to turn their own weapons against them. Remember, one important difference between being attacked with malware and being attacked by a missile is that in the former case, there is the potential to capture a working copy of the weapon, which can then be cheaply copied, modified, etc., and fired back at the would-be attacker. Because even a sophisticated malware can be exposed by a very small mistake (or misunderstanding of the intended victim's network), in some cases even an unsophisticated can capture highly sophisticated malware.

As initiatives like Citizen Labs proliferate, the little guy will enjoy more and more opportunity to exploit even sophisticated attacks to expose the would-be attacker.

November 21, 2015

Permalink

Awesome article! Hopefully the money and people power will be found to develop the network even further. As the outside threats grow bigger everyday, our artillery has to expand as well. Looking forward to 2016!

November 21, 2015

Permalink

I saw an 2013 metric that shows Italy as being the highest - 200 per every 100 thousand internet users - utilizing tor. Hadn't realized Italy was one of the higher.

November 22, 2015

Permalink

Search engine for hidden (web)services is not a good idea. By design every search engine IS a spy tool. It steals documents and collects them in database.
A web publisher should send info to the seach site, not the other way. Just as in the old classic ads days.
Thanx for the non-censored blog without that 'register by your mail' nonsence but why is it not a hidden service? I feel a small inconvenience to leave the onion network. And there are just two lines in tor config file...

November 22, 2015

Permalink

If you had not heard about it yet, but Blackphone 2 has been released! Bitmessage is also a good email client platform!

November 22, 2015

Permalink

> in the past, each onion service would have three guard nodes assigned to it. Since last September, each onion service only uses one guard node—-it exposes itself to fewer relays.

Is there a configuration option somewhere that controls this? I'm worried more availability than having my onion service compromised by a guard node, so I would like the option to use more guard nodes.

November 23, 2015

Permalink

Great. I use HS same as you, to reach my machines from anywhere without anyone noticing. it truly makes administrative restrictions irrelevant and restores the end-to-end character of the internet.

They are also great to communicate invisibly, work kind of like a phone number except that since the network itself is the operator, trust is distributed and the identity is self-authenticating, it puts control where it belongs.

I have commented about this in the past: I still don't think HS are a great choice for web-like content because of uptime tracking and active attacks and the fact that content is then tied to a certain machine, its availability dependent on that machine's working order, connection and performance. even if load-balancing worked, it still wouldn't be a perfect solution.

For static content, also things like git servers, wikis etc, I think the best solution is a decentralized content-addressed data store like what gnunet, freenet, i2p-lafs (?) projects are trying to offer. So this should not be the main trust of HS development. I think servers are a concept that just doesn't fit purposes like publishing material or asynchronous messaging. a standardized distributed datastore should become the norm instead.

Ideally, we should only have to set up or use actual servers where they are logically indispensable.

One thing is on top of my wishlist (not only for HS): add a layer of post-quantum crypto to tor to keep ahead of developments! keep in mind that the more powerful datafascist outfits are known to store certain types of internet traffic they can't decrypt for future attacks.

Agreed on distributed data storage, but only if onion routed in order to conceal the location of the data pieces and the users wanting to read and write them, while being encoded to prevent anyone other than those users from knowing what they are, or even connecting them to other pieces of the complete data assembly. There should be padding in size and delay in transmission, and it should be impossible to know if a data transfer is for reading, writing, archiving for redundancy, or chaff.

November 24, 2015

Permalink

> I do not truly think that Tor can protect your identity. The companies out there have special browser fingerprinting programs and codes that can still determine your identity. Tor is like a kiddie toy for anonymity.

The documents leaked by Snowden are beginning to become a bit dated, but they clearly suggest you are quite wrong about that.

(The hysterical anti-encryption ranting from people like FBI Director Comey might suggest the same, except that these are so counter-factual they might better be read as enticements to people to use Tor so Comey can spy on the privacy advocates he blames for terrorism.)

> I think software is just one layer, but hardware is another layer you have to tackle regarding privacy.

That is very true, and Tor by itself cannot help here. But more and more consumers are becoming privacy-aware, and demanding more secure hardware as well as software tools like Tor Browser and Messenger.

November 24, 2015

Permalink

> If there was a secure and easy to set up onion blogging platform, even without all the bells and whistles, that would be a great step forwards for freedom of speech.

Plus one.

Comment spamming here should provide another incentive for the Tor Project to increase the priority of providing anonymized blogging software which resists malicious comment spamming. It is certainly suspicious that these problems have intensified at the Tor blog immediately after arma disclosed FBI misconduct.

i disagree about spamming ; most of the comments are censured yet by admin and it is not an anonymous blogging software which could decide -twitter is good for kind news/short sentences not for free speech.

November 26, 2015

In reply to by Anonymous (not verified)

Permalink

Yes. If you use Tor you can be arrested for over 9000 years and put in solitary confinement.

In seriousness though, it depends on where you live. As far as I know, Tor is not illegal in any big countries, and is not illegal in any countries where all anonymity services are not already illegal.

Tor is a service. It's a service provided by multiple volunteers in many countries. Just because it is not centralized does not mean it is not a service.

November 27, 2015

In reply to by Anonymous (not verified)

Permalink

"In 2001, the Bush administration authorized -- almost certainly illegally -- the NSA to conduct bulk electronic surveillance on Americans."
So is usa government illegal?

November 26, 2015

Permalink

Great interview with Nick! It would have been nice if he talked about the new human readable DNS feature for hidden services. I do like how he talks about the need for a search engine for hidden services in order for them to become main stream.

Ha -- are you trying to deanonymize the hidden service developer that wrote this? :) We have several of them (and I'm happy to let them have their anonymity here if they want it).

November 27, 2015

Permalink

This may be off topic abit. It is relevant to Tor however. I am pondering the thought of establishing a bridge to help. The one thing that has me hesitant is the leak regarding how the NSA taps into tor's email server that's used to request to run a bridge. Is this completely true?

November 27, 2015

Permalink

My advice & opinion:

Let's have fun and keep learning- but- Never never never ever assume any electronic communication or anything relative to it is actually private or secure. And that's a correct start! LOL

November 27, 2015

Permalink

I want to develop and market things like a portable TEMPEST / RF shield for like 30 euro and a very cool snap-on phone encryption module for any landline or mobile using like 256-bit Twofish and 512-bit ECC for maybe 50 euro and available to any and all at your local market!

November 30, 2015

Permalink

Someone asked:

> Is tor illegal

Someone replied (rhetorically):

>> is nsa terrorism nest?

Spying on someone is inherently a hostile act. Firing missiles into houses and vehicles is a hostile and deadly act. Knowingly targeting children is a hostile, deadly, and barbaric act. Not just an act, but a crime. A war crime. An act calculated to induce terror in a civilian population.

NSA poses a clear and present danger to every individual. NSA considers itself at war with the entire world, including US citizens (and even its own employees).

Recently four former operators with experience in the US "signature drone strike" program came forward to testify to the cruelty of the program, and the devastating effect it has on the psyche and morals of the often young operators who press the buttons and watch the aftermath of the explosions on their video monitors, as they sit on the other side of the world from conflict zones in Syria, Iraq, Pakistan, Afghanistan, and Africa.

https://theintercept.com/2015/11/19/former-drone-operators-say-they-wer…
Former Drone Operators Say They Were “Horrified” By Cruelty of Assassination Program
Murtaza Hussain
19 Nov 2015

> U.S. DRONE OPERATORS are inflicting heavy civilian casualties and have developed an institutional culture callous to the death of children and other innocents, four former operators said at a press briefing today in New York...
>
> The killings, part of the Obama administration’s targeted assassination program, are aiding terrorist recruitment and thus undermining the program’s goal of eliminating such fighters, the veterans added. Drone operators refer to children as “fun-size terrorists” and liken killing them to “cutting the grass before it grows too long,” said one of the operators, Michael Haas, a former senior airman in the Air Force. Haas also described widespread drug and alcohol abuse, further stating that some operators had flown missions while impaired.

We should applaud the quartet for mustering the courage to come forward openly (following the Snowden model), even while condemning the war crimes they helped to commit on behalf the USG.

War crimes must be punished, and we should work tirelessly to seek justice. But we must focus on the leaders who ordered the strikes, not the low level operatives. On the modern Westmorelands rather than the modern Calleys. We must bring to justice people like John Brennan, Keith Alexander, Dick Cheney and two US Presidents. It might take time, but there is no statute of limitations on mass murder.

If more current and former insiders with direct knowledge of these crimes come forward to speak out against this aerial genocide, it will take less time to achieve justice for the murdered and the maimed.

December 01, 2015

Permalink

> are you trying to deanonymize the hidden service developer that wrote this? :) We have several of them

It's wonderful that Tor is "giving HS some love". Another area where it seems that Tor could work wonders is in providing tools which resist stylometry attacks, against which posters currently appear to be defenceless.

I'd love to see Rachel work for Tor rather than DARPA, by providing a tool in TB which is modeled on the gedit spellchecker and which simply suggests substituting more common synonyms for rare words. (The spellchecker already "Americanizes" the spelling of English words, which might provide brits with a bit of extra entropy.)

Things like that should be easy to code. Much harder but even more valuable would be tools which "blandify" sentence structure, grammatical quirks, contractions and other punctuation characteristics, etc.

December 04, 2015

Permalink

Not sure where to ask, but I am new to Tor and I have a question. How is it that after I open the Tor browser and create a new identity and verify that I am going through an exit node that is not american that when I check the exit node again it has some how switched to an american exit node? Hope that makes sense.

Tor changes your path for you automatically every so often, to make sure that you don't build up too much of a profile from the perspective of any particular exit relay. That is, we focus on the anonymity side, rather than the "letting you choose which country you appear to be coming from" side.