Volunteer Spotlight: Alec Helps Companies Activate Onion Services

by tommy | January 18, 2018

eotk-hello-onion

Tor is a labor of love built by a small group of committed individuals, but we’re lucky to have the support of a dedicated volunteer base who help us make Tor the strongest anonymity tool out there. The volunteer spotlight is a regular feature here on the Tor Blog, and today, we’re highlighting Alec Muffett, who built and maintains the Enterprise Onion Toolkit (EOTK), the easiest way to add an onion address to a traditional website. 

Alec led the team that built Facebook’s onion service back in 2014, and when The New York Times more recently created their own ".onion" website, they used EOTK.

Onion websites are far better than traditional ones at protecting content providers from blocking and censorship, making it hard for a state to disrupt publication or to ban its citizens from accessing a given website. Onion websites are also better at protecting users from incrimination than websites which are hosted on traditional web servers: in addition to the usual protections that Tor provides, .onion websites are guaranteed to only be accessed by people using Tor software, reducing their potential digital footprint and exposure.  "There's no risk of accidentally using Internet Explorer 6," says Alec. 

Alec has worked in security for 30 years, and has long recognized the importance of distributed systems and Tor’s onion routing features: “Enabling two peers to communicate with nobody 'getting between' them was part of the intention of the original internet. Nowadays there's a saying: 'if you want to share a photo with a friend, why do you have to give it to a multi-billion-dollar corporation, first?'; but Tor offers a disintermediation solution for this, and perhaps all similar, problems."

He continues: "I believe that disintermediated communication is an important capability, and so I built the Enterprise Onion Toolkit to assist publishers, writers, and virtual communities to connect directly, securely, efficiently, and without intermediaries, to their audiences and membership.”

We’re so grateful to Alec for building and maintaining such an important tool. With his help, we’re fighting against those who want to make censorship the norm and privacy a thing of the past.

Getting involved with Tor is easy: you can help us make the network faster and more decentralized by running a relay, especially if you live in a part of the world where we don’t have a lot of relays yet. You can read all of our volunteer spotlights here.

Tor is a vital tool for protecting privacy and resisting repressive censorship and surveillance. If you can, please consider making a donation today.

Comments

Please note that the comment area below has been archived.

* that cannot be traced : yes, using p2p or tor.
* protonmail : untrust but an onion email-service provides a privacy-anonymous advantage.
* threat : the reason why they track us is very simple ; the power of the freedom of speech are in our hands and the truth could decrease their revenues.

Email is so aggressively insecure and non-anonymous that most experts seem to agree there is not really any way to make it either secure or anonymous, in the modern environment of

o national and even global (NSA) dragnets
o multiple well-funded intelligence agencies with the ambition of "collecting it all"
o multiple companies offering surveillance-as-service (sophisticated APT malware)
o an entire international "zero-day" industry selling to said companies

I'd suggest that you focus on figuring out how to make the more secure messaging services, perhaps including Tor Messenger, work for you and your friends.

Yes, there is. https://bitmessage.ch . It's not quite a email, it's decentralised, written in memory-safe language, no registration is needed. E-mail is deadly broken - every email, EVERY, demands my mobile phone number. Fuck this shit, we gonna have own email with blackjack and hookers.

Anonymous (not verified) said:

January 18, 2018

Permalink

the top of the page after clicking your NY times onion link says
NoScript filtered a potential cross-site scripting (XSS) attempt from doubleclick.net

dep (not verified) said:

January 19, 2018

Permalink

thank you for this article i understand better your work , you effort but tor is set with sha1 & 1024.
thank you alec , you are building a new network for a safe 'service'-road but the users (2018) need a secure vehicle for driving to : tor runs in clear text.
we are waiting desperately the new version (sha 3 & curve) ...
... one more post censored ...

> Hi, what do you mean by " sha1 & 1024"?

I am guessing they are referring to SHA-1 cryptographic hashes (for data integrity):

https://en.wikipedia.org/wiki/SHA-1

and 1024 bit RSA keys (provide for data privacy and user authentication):

https://en.wikipedia.org/wiki/RSA_(cryptosystem)

These says, security-aware people prefer 2048 or 4096 or even larger keys, although as someone recently mentioned evidence that moderately resourced entities can break 1024 bit keys remains slender:

https://en.wikipedia.org/wiki/RSA_numbers

> Dou you mean that some crypto-stuff is not-secure probably?

I think that is what they were trying to imply. I also think Tor users need to trust Tor developers, who almost certainly know more than we do about the cryptographic issues which arise in Tor design decisions.

> What level is affected? Does it mean that traffic can be dumped and decripted?

Comments in this blog frequently try to dissuade people from using Tor by making sweeping unsubstantiated claims that Tor is "unsafe" or that Tor Project is "colluding" with malign USG agencies such as CIA or NSA. Some such comments might represent genuine expressions of concern, but we do know that multiple governments (including UK, RU) mount disinformation campaigns which seek to prevent Tor userbase from growing. Because such campaigns cost money, this is in itself an indication that Tor works well enough to worry some of the most oppressive governments, the ones most determined to spy on their own citizens or even to try to "Collect it All" (an NSA slogan).

Anonymous (not verified) said:

January 19, 2018

Permalink

Hi.

Recently I've tried to run a bridge relay, but I could not for some reason. Then I logged into OFTC Web IRC #tor channel for some help, but I found some other issues as follows.

1. Error Message: "== ERROR: Anonymous TOR usage is unavailable"
2. My comment was rejected.
3. No other people logged in and helped me at that time.

How can I get your help on this issue?

Thank you for the reply. I just went to https://trac.torproject.org/ but found another issue...Seemingly I was not privileged to create a new ticket on the issue of OFTC Web IRC as the error message was saying:

Error: Forbidden

TICKET_CREATE privileges are required to perform this operation on Ticket #None. You don't have the required permissions.

Would I be able to be privileged to follow up with this issue if I register a new username / password at https://trac.torproject.org/projects/tor/register ?

Anonymous (not verified) said:

January 27, 2018

Permalink

Hi gk,

Thank you for the advice. I don't know what is a "cypherpunks account" at this point, but let me try it in the near future.

Anonymous (not verified) said:

January 27, 2018

Permalink

Thank you gk! I could create some tickets and also could log in as cypherpunks account as explained in the landing page. I will create a new ticket as one of those anonymous users from now on.

Ticket Closed

Thanks to your and other people's help, my new tickets submitted to Trac have already been closed. At the next time I use OFTC Web IRC and find the same issue, I would try changing a Tor circuit to access via a previleged exit node as suggested.

Thank you for the advice. But I have a bad news. Just after I upgraded my Linux OS packages by apt command, my localhost became to be non-bootable for some reason...I will try this challenge after I choose and install a new distribution / edition.

Reply (not verified) said:

January 21, 2018

Permalink

Hi, Did you use "Tor Messenger"? - try to restart it (seems some Tor-exit-nodes are "banned")

Never before. If I can get torproject's help without creating any additional online service account, that would be so helpful...

Anyway, thank you for the reply.

Anonymous (not verified) said:

January 20, 2018

Permalink

Without Alec, we would still be living in the "hidden-services-are-all-criminal" world of fantasies of the fake news media that tarnished the Tor Project's reputation so much!

i would like clarify wrong assumptions :
- "hidden-services-are-all-criminal" is the motto of the fbi team for increasing their motivation.
- fake news media are elaborated by professionals writers who obey at their boss : show business.
- i never read news which have tarnished the Tor Project's reputation , in fact it was all the opposite.
Alec brings a modern dimension and the article explains well his involvement.
thx alec.

A desktop computer?

Right now, in view of the recently disclosed Meltdown family of attacks, a PC with multicore 64 bit CPUs from AMD (rather than Intel) seems preferable.

A laptop? You are probably out of luck there--- most laptops used Intel CPUs.

Looking a few years ahead, you will want to replace your new computer once drastically redesigned chips which are more resistant to Spectre attacks appear. Currently no general fix for Spectre is possible; developers of individual packages must try to insert tricky serialization instructions in just the right place to prevent bad guys from taking advantage of the security flaws inherent in "speculative execution". (Intel chips are more aggressive in how they do that, which is why they are said to be more vulnerable to Meltdown attacks, but essentially all chips in any electronic device save some IoT devices are vulnerable to Spectre attacks.)

Choice of operating system is also important. I think Linux is a no-brainer, and I think Debian is the best choice there. Many prefer Ubuntu, but Ubuntu comes from a company which has often made poor choices in trading off security viz usability (and making money by gathering information on the minute by minute activities of their users--- c.f. the scandal over their desktop search).

For daily activities which involve interaction with the Internet, you should consider using Tails, the "amnesiac" Torified version of Debian. See tails.boum.org for a free download, and make sure to verify the detached signature using GPG before burning. Note you can boot Tails from either a DVD or USB. A r/o DVD offers much better security but a USB or r/w DVD is more convenient.

You will probably want to try to check that your new PC doesn't have bluetooth and other vulnerable services running by default, or that you have disabled these. If your city has installed "smart meters", these may try to connect to your computer via Bluetooth or another easily abused protocol, so watch your back. IOActive often publishes security vulnerabilities in IoT devices (after giving makers a chance to fix the flaws).

If you are concerned about cybersecurity, privacy, or anonymity, you should do everything in your power to keep IoT devices, IP video cameras, etc. out of your living and office spaces. In-home surveillance is rapidly increasing, so that's another worry besides Internet dragnets.

See eff.org "Surveillance Self Defense" site for much more good advice from one of the most trusted US NGOs concerned with privacy and cybersecurity issues. Read EFF's Deeplinks blog and the aclu.org blog for news relevant to surveillance. Read The Intercept, The Register (in the UK), Propublica, Wired, etc. for news relevant to dragnet surveillance and cybersecurity flaws. Read amnesty.org and hrw.org for news about human rights violations around the world.

Last but not least, see EFF's repository of many (not all) published Snowden leaked documents, plus newly leaked documents which are frequently published by The Intercept and publicintelligence.net. These will give you a much better appreciation of the real capabilities of our enemies, and also of the kinds of systemic problems they themselves face and have been unable to resolve.

State-sponsored attackers who target bloggers, journalists, NGOs, and their readers/supporters are scary and dangerous. But The People *can* fight them--- and win!

TorUser (not verified) said:

January 21, 2018

Permalink

I don't where else to post this. CHECK.TORPROJECT.ORG has been unreachable (e.g., directly or ping: 100% packet loss) for several hours so I can't confirm my connection. This happens periodically. Is there a way to report this directly to someone who can hit the "reset" button? THANK YOU.

Tor User (not verified) said:

January 21, 2018

Permalink

PLEASE fix check.torproject.org ! It is not reachable. (Ping = 100% packet loss.) How else can I report when check.... is down?

Anonymous (not verified) said:

January 22, 2018

Permalink

Many thanks to Alec and others for all their work promoting the "onions everywhere" campaign (modeled on EFF's highly successful campaign "https everywhere").

May I suggest a few US news organizations which I think would be receptive to TP volunteering to help them set up an onion offering their content via the Tor network, for extra security?

o thehill.com: non-partisan newspaper covering the US Congress (news and guest editorials from right and left); often read by staffers and lobbyists, one of the few important papers in the US which does not yet even have https.

o motherjones.com, theatlantic.com, truthdig.com, truth-out.org: venerable generally left leaning offering news and editorials; The Atlantic is also widely read by US policymakers.

I'd love to hear Alec's thoughts on the suggestion that a future NYC Tor meetup might brainstorm how to develop into a workable campaign the notion that onions might offer a more secure way for ordinary people to do on-line banking. Since NYC is the financial capital of the US, or even of the world, the geography would appear to be favorable.

More generally, I hope Tor visionaries will develop the general suggestion that the Tor network can be scaled up and expand its purpose to include "better cybersecurity for everyone doing anything on the web", e.g. shopping, banking, reading less easily faked news.

Speaking of geography, I suggest that regions where TP should try hard to provide more resources (e.g. more nodes) include:

o Brazil and other Latin American countries

o Eastern Europe: despite the resurgence of Nazi ideologies, there is a big backlash from younger people who recognize that readopting a very thoroughly and long disproven ideology (Nazism) is political suicide; young people want to see real change.

Looking more than a year ahead, it is very encouraging that more young people in CN are speaking out against the lack of privacy and personal freedoms there. My sense is that they mostly accept the one-party system in CN, just want the CP to be responsive to their desire for greater privacy and freedom of expression. Because Tor and freedom of information is so heavily discouraged by the CN government, promoting Tor in CN no doubt requires extra care, but it is certainly something we should want to try to do.

o Eastern Europe: the world is built by the nationalist since they are able to share, struggle, suffer, work together for the happiness of all.
the fake residents project their hate vs the native one & you call that nazism ...
let's be serious & in what is it related at Tor ?

sks_pem (not verified) said:

January 22, 2018

Permalink

could you explain to us the reason why the sks-keyserver certificate is not included in the TorBrowser ?
should not it be a safe measure for the users (and for the onion-site) when they use onion-service ?
tia

I am not exactly sure what you mean but we don't mess with the default certificates shipped in Firefox. So, my guess is that the certificate is not included in Firefox ESR 52 and as Tor Browser is built on it it won't have it either.

ok (not verified) said:

January 26, 2018

Permalink

and you are right but is the sks_hkps-certificate a danger for privacy_anonymity ? does it unmask the user , does it transmit a 'fingerprint' ?