If you are running an onion service but don't need to hide the server IP, as is the case when you also provide clearnet access to the same server, you should enable single hop mode [0] to reduce the load on the Tor network and also speed up the connections. This way your server connects directly to the introduction and rendezvous points while the client still stays anonymous with a 3-hop circuit.
To my understanding, establishing a connection with a hidden service usually involves two separate Tor circuits: one circuit for the visitor, and another full circuit for the hidden service.
This “Non Anonymous Mode” effectively omits the second circuit, and allows relays to connect directly to the hidden service’s IP address, thus significantly improving latency and reducing the strain on the Tor network?
I'm using Tor to access my local network services through hidden services. Since I don't need to hide my IP address I'm going to follow your advice gratefully. Didn't know that's possible.
That's sort of like having backdoor access to your internal network (similar to Teredo). Others may use it to gain access to that network. If it's your home, that may be OK to you, but if it is an employer, you may want to obtain approval to do that and be sure all of your hidden services use keys or strong passwords for access.
Could you please post a source for this? The only thing I could find is from the man page: "However, the fact that a client is accessing a Single Onion rather than a Hidden Service may be statistically distinguishable." But I'm not sure what exactly the impact of that is.
Tor is not anonymous, just like VPNs are not anonymous when you have Five Eyes oversight of the network. It's like watching trucks navigating the road network: you can see the junctions they take and you can see where they start and end, but you can't see the contents of the truck.
The road network and the internet have an awful lot in common!
> Using onion services mitigates attacks that can be executed by possibly-malicious “Tor Exit Nodes” — which, though rare, are not nonexistent
Is there any evidence that the majority of exit nodes aren't malicious? There's only 300 or so in the US, 300 or so in Germany, and in other countries even less. What would it take for three letter agencies to compromise most of it?
I mean, suppose all of the existing nodes weren't malicious. Could a government agency plausibly run 1000 exit nodes in a way that doesn't give away they are government-run? This would make the majority of exit nodes malicious.
Effectively they set up a honeypot and used clear text passwords to log in, and plenty of exit nodes picked up on this and those credentials were later used to (attempt to) log in into the honeypot.
The article talks about the research stumbling upon exit nodes performing MITM and other sniffing but does not refer to the exact details. Is there a paper for this?
There were slides in the Snowden leaks that laid out the NSA's strategy for dealing with Tor, and compromising exit nodes was a big part of it. They have had the last 10 years to work on it; one might expect they have had results.
The behaviour of not always using the same exit means that you, over time, will almost assuredly use a malicious exit should more than zero exist. It's reckless to suggest that anybody should be using this system; your situation is almost always going to be worse than not.
The only attacks an exit alone can do are sniffing all traffic and modifying the traffic. There are constant checks done by the Tor Project to detect bad exits that modify traffic, but sniffing is of course not detectable. Both of those attacks are mitigated by HTTPS, which most sites support nowadays. Firefox, and therefore the Tor Browser, also has an option to disable HTTP. [0] And using a .onion service removes this attack vector as well.
Even if every exit node in the US is operated by private people or organizations, courts can compel the node owners to work with the government and not talk about it.
Courts can't compel you not to talk. They can merely punish you after-the-fact.
So if you're talking about "everyone in a giant group of people" and doing it routinely, existence of those secret subpoenas seem like they'd get leaked eventually. Especially if it's hard to tell which of the 300 people leaked it.
Can you just shut down your nodes, or can they force you to continue? Best practice for relay operators is to just stop the operation altogether if the authorities force you to attack the users.
Because it switches over to the clearnet there, the operator could do stuff like intercept non-https traffic or use a malicious DNS to attempt to MITM https traffic.
It is possible to advertise your .onion address and offer automatic redirect to it for Tor Browser users using the "Onion-Location" HTTP header. Example with my personal home page:
It would be interesting to see if the Tor Browser has a TOFU policy and warns its user if the onion address changes after they visited the site once.
If it is the case then you combine the ease of access of typing a normal domain name and the Onion security through an HSTS equivalent mechanism.
Is there some sort of attack possible here where you could hand out unique onion addresses to each visitor, so when they connect with Tor you could fingerprint their Tor connection and match it to their cleartext connection? *takes off his black hat*
I think the avoiding exit nodes part is probably the most important to me. Exit nodes have always been problematic; from memory, about 20% of relays have an exit flag, but most of the traffic is directed to the most performant relays. Tor actively discourages using the network for file sharing because of the exit node bottleneck.
I think there are probably some uses of the Tor network that aren't fully realised yet - file sharing (something similar to I2P) which avoids the exit node using onion addressing and chat applications (like Briar which uses onion addresses, or Secure Scuttlebutt).
As for web traffic, it is nice to offer an onion address. I wonder if websites could offer an "upgrade" to onion addresses, similar to how IPFS does?
I think some comments here are misunderstanding the intent of the article. For those saying TLS already solves... it is not advocating Tor as a replacement for transport layer security; indeed most Tor users also use TLS (and site certs) with little overhead.
No, the article is asking how you could, as a website owner, make things easier on Tor users and yourself! It starts with the assumption that you care, and want to help users who require better privacy.
It answers, though not in detail, the many HN readers who invariably post replies concerning Tor that "All my abuse comes through Tor".
Creating a .onion address mitigates that significantly.
I'm not clear from the article how having an onion address helps website operators who receive abusive traffic through Tor. Perhaps some of that abusive traffic will come in via the onion address instead, but presumably such an operator will want to continue serving their regular site to Tor exit nodes as well, so I don't see how it would actually mitigate anything, nor make the malicious traffic easier to segregate from valid traffic over Tor. What am I missing?
> I'm not clear from the article how having an onion address helps website operators who receive abusive traffic through Tor.
No, it's not clear. Also "abusive traffic" is vague. Are you mainly concerned with shitposters, trolls, DOS attacks?
> What am I missing?
Maybe you're not missing it, but essentially it's a behavioural/social rather than technical challenge. Most abusers, ones that technical changes can address, operate at scale over HTTP/S and use Tor simply as a free VPN via regular exit nodes to hide their IP. The author calls this the "Wheat/chaff problem". Viewed this way, it's easiest for a site owner to just block all of Tor and kill all legitimate users too.
Most of those bulk abusers cannot be bothered to deal with marginal cases like using an overlay network with .onion addresses, whereas those who _need_ Tor are highly motivated.
Other kinds of abusers, like persistent troll posters, are better dealt with by other means even if you're using HTTP/S.
> The first benefits are authenticity and availability: if you are running Tor Browser and if you click/type in exactly the proper Onion address, you are guaranteed to be connected to what you expect — or not at all.
What? Writing raw onion addresses is like writing raw IPv6 addresses. Nobody can remember them and check them.
> you are guaranteed to be connected to what you expect — or not at all.
Exactly the same guarantees are also achieved by putting your clearnet address on HSTS Preload lists, or by writing https:// in front of the url on the users side.
But then you are relying on the CA system, which is a huge risk. A significant benefit of onion addresses is that the key is distributed with the address. So as long as you get the address over a secure channel you are safe.
With HTTPS you need to get the address over a secure channel and hope that no CAs are compromised. The secure channel might be easier (because you can quickly memorize twitter.com), but to avoid the second you need some complicated and not officially supported certificate pinning.
Yeah so in case of Tor, people use DDG which is the default. And DDG, being bad and handling SEO spam worse than Google, often returns wrong onion address. (Which happened to me several times.)
And you cannot really check if it's the correct one.
At least on regular net, you have a chance to spot nytime5 is fake.
It's very easy to think that things we do ourselves are universal because they seem so intuitive and natural for us. I for one type addresses from scratch all the time.
[0]: Search for HiddenServiceSingleHopMode on https://2019.www.torproject.org/docs/tor-manual.html.en or just use the following config options
SOCKSPort 0
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
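As an added example (not part of the thread or of Tor's own code): the three options in the footnote above only make sense together with a HiddenServiceDir and HiddenServicePort, and the tor manual states some hard constraints around them (both mode flags must be 1 together, the instance must have no client ports, and a service directory that has been used in single-hop mode must never be reused for a normal, location-hidden service). The checker below encodes those constraints and runs them over the footnote's fragment and over a complete, constructed config; the service directory path and the 127.0.0.1:8080 backend are assumptions.

```python
# Added example, not from the thread: a checker for the torrc constraints the
# tor manual states for HiddenServiceSingleHopMode/HiddenServiceNonAnonymousMode,
# run against the footnote's three-line fragment and a complete, constructed
# single onion config. The directory path and backend port are assumptions.
from typing import Dict, List, Tuple

# The footnote's fragment as posted: correct flags, but no HiddenServiceDir or
# HiddenServicePort, so this tor instance would publish nothing.
FRAGMENT_TORRC = """\
SOCKSPort 0
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
"""

# Constructed complete config: a Single Onion Service fronting a web server on
# 127.0.0.1:8080 (assumed). The service directory path is also an assumption.
SINGLE_ONION_TORRC = """\
# No client functionality on this instance: Socks/Trans/NATD/DNSPort must be 0.
SOCKSPort 0
# Both flags are required together; the manual lists NonAnonymousMode first.
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
# Use a fresh directory: a key dir used in single-hop mode must never be
# reused for a location-hidden (3-hop) service.
HiddenServiceDir /var/lib/tor/single_onion/
HiddenServicePort 80 127.0.0.1:8080
"""

CLIENT_PORT_OPTIONS = ("SOCKSPort", "TransPort", "NATDPort", "DNSPort", "HTTPTunnelPort")


def parse_torrc(text: str) -> List[Tuple[str, str]]:
    """Return (Option, value) pairs in file order; comments and blanks skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def check_single_onion_torrc(text: str) -> List[str]:
    """Return a list of problems; an empty list means the config is consistent."""
    opts: Dict[str, List[str]] = {}
    for key, value in parse_torrc(text):
        opts.setdefault(key, []).append(value)

    def last(key: str, default: str) -> str:
        # For single-valued options tor honours the last occurrence.
        return opts.get(key, [default])[-1]

    problems: List[str] = []
    non_anon = last("HiddenServiceNonAnonymousMode", "0") == "1"
    single_hop = last("HiddenServiceSingleHopMode", "0") == "1"
    if single_hop != non_anon:
        problems.append("HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode must both be 1")
    if non_anon or single_hop:
        # The instance must not act as a client: every client port must be 0.
        for opt in CLIENT_PORT_OPTIONS:
            for value in opts.get(opt, []):
                if value.split()[:1] != ["0"]:
                    problems.append(f"{opt} {value}: client ports must be 0 in non-anonymous mode")
        # With no SOCKSPort line at all, tor still opens its default 9050.
        if "SOCKSPort" not in opts:
            problems.append("SOCKSPort not set: tor defaults to 9050, add 'SOCKSPort 0'")
    if "HiddenServiceDir" not in opts:
        problems.append("no HiddenServiceDir: nothing is published")
    elif "HiddenServicePort" not in opts:
        problems.append("HiddenServiceDir without HiddenServicePort: nothing is forwarded")
    return problems


if __name__ == "__main__":
    for name, cfg in (("fragment", FRAGMENT_TORRC), ("complete", SINGLE_ONION_TORRC)):
        print(name, check_single_onion_torrc(cfg) or "OK")
```

Note that tor itself refuses to start when the two mode flags disagree or when a client port is open, so the checker is a pre-flight aid, not a substitute for tor's own validation; the reuse warning for the service directory is the one constraint tor cannot enforce for you.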
Any timing correlation attack carried out against entry and exit nodes is independent of the number of hops.
Here’s research conducted years ago about this matter: https://www.vice.com/en/article/mgbdwv/badonion-honeypot-mal...
http://web.cs.wpi.edu/~claypool/papers/yt-crawler/final.pdf
Only found this paper going over a systematic process of exposing bad relays: http://www.cs.kau.se/philwint/spoiled_onions/pets2014.pdf
[0]: https://support.mozilla.org/en-US/kb/https-only-prefs
[0]: https://community.torproject.org/onion-services/advanced/oni...
Exit capacity as a significant bottleneck has not been a realistic issue for many years.
From Wikipedia:
> Addresses in the onion TLD are […] automatically generated based on a public key when an onion service is configured.
> 256-bit ed25519 public key along with a version number and a checksum of the key and version number
That's all you need to know.
What is easier
> https://nytimes.com
or
> ej3kv4ebuugcmuwxctx5ic7zxh73rnxt42soi3tdneu2c2em55thufqd.onion
0: https://community.torproject.org/onion-services/advanced/oni...
It is not possible to squat onion domains for typo errors like you can with clearnet addresses.
Similar to Bitcoin, one character swapped breaks the hash checksum, making the address 99.99999999% likely to be invalid.
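As an added example (not from the thread, not Tor Project code) tying together the Wikipedia quote above (address = ed25519 public key + version + checksum), the checksum point just made, and the earlier mention of the "Onion-Location" header: the block below derives a v3 .onion name from a key, verifies a name the way Tor does (SHA3-256 checksum over ".onion checksum" | key | version, version byte 0x03), and applies that check to an Onion-Location header value as a Tor Browser-like client would, honouring it only on an HTTPS page. The key is a dummy value, the function names are mine, and the resulting address is not a real service.

```python
# Added example, not from the thread: build and verify v3 onion addresses as
# described in the Wikipedia quote (ed25519 public key + version + checksum) and
# apply that check to an Onion-Location header the way a Tor Browser-like client
# would. All inputs are constructed; the address below comes from a dummy key.
import base64
import hashlib
from typing import Dict, Optional
from urllib.parse import urlsplit

VERSION = b"\x03"                       # the v3 address format
CHECKSUM_PREFIX = b".onion checksum"    # domain separation string from rend-spec-v3


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """32-byte key -> 56-char base32 label + '.onion' (35 bytes, no padding)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(host: str) -> Optional[bytes]:
    """Return the key if host is a well-formed v3 .onion name, else None.
    Subdomain labels (www.<56 chars>.onion) are allowed; only the 56-char
    label before '.onion' is decoded and checked."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion" or len(labels[-2]) != 56:
        return None
    try:
        raw = base64.b32decode(labels[-2].upper())
    except ValueError:           # binascii.Error: character outside a-z2-7
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


def onion_location_target(page_url: str, headers: Dict[str, str]) -> Optional[str]:
    """Browser-side rule: honour Onion-Location only if the page was loaded over
    HTTPS and the header is an http(s) URL whose host is a valid v3 .onion."""
    if urlsplit(page_url).scheme != "https":
        return None
    value = {k.lower(): v for k, v in headers.items()}.get("onion-location")
    if not value:
        return None
    value = value.strip()
    target = urlsplit(value)
    if target.scheme not in ("http", "https") or not target.hostname:
        return None
    if pubkey_from_onion_address(target.hostname) is None:
        return None
    return value


if __name__ == "__main__":
    addr = onion_address_from_pubkey(bytes(range(32)))   # dummy key, not a real service
    print(addr)
    print("valid:", pubkey_from_onion_address(addr) is not None)
    # The version byte is fixed, so every v3 address ends in 'd'; any other
    # last character is rejected before the checksum is even consulted.
    print("last char changed:", pubkey_from_onion_address(addr[:55] + "a" + addr[56:]))
```

Two details worth noticing: the 16-bit checksum only catches typos, it is the 256-bit key itself that makes squatting infeasible, and the client-side rule means a server that only sets Onion-Location on plain HTTP gains nothing, since the browser will not act on it.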
Actually this is not true. Tor runs as SOCKS5 proxy, and you can use any browser or application with it.