Sadly the anonymity part (at least as meant a few years ago) is not true anymore...
Live in a shitty country, want to tweet the truth without your government finding out and treating you like Assange? Just use tor, make a social network account and publish the truth!
And the reality? Every cloudflare based site first gives you a long and hard captcha. Then you try to register an account, and again, one of those arkose labs[0] captchas. Then after rotating the 7th image in the right orientation, you finally get your twitter/facebook/instagram/whatever account... you try to make a first tweet/..., bam, your account closed, you need to verify with a phone number. You buy a disposable prepaid sim card, risk exposing yourself, and again get banned. A bunch of services even block tor exit nodes directly by IP.
Yeah, sure, you can run a hidden service, and all three users, that know how to use tor and find that address will see your writings, but reaching wide audiences is impossible.
yeah, i know it's just a rant, but it's a pain still
This has been my experience also and people shouldn't have to feel that privacy is only needed if you want to say something with life-threatening implications where people might take more extreme measures.
The excuse given is that Tor is used for abuse but I really doubt that and I doubt banning the exit node IP addresses is the appropriate fix. My opinion is corporations don't want anonymous people using their site and second that blocking Tor is sold by snake oil salesmen for network products.
What's worse is that the few in control of TOR refuse to update their threat model (which is almost 20 years old) and implement solutions for this. I guess their Navy bosses want to keep access for "the good guys inc".
I am unsure what TOR developers can do with twitter/facebook/instagram. The platforms' business model is to collect personal information in order to sell advertisements, and blocking people who they can't identify is a business decision.
Tor could create their own society network but that will do nothing for people who need to reach people on those platforms.
"Yeah, sure, you can run a hidden service, and all three users, that know how to use tor and find that address will see your writings, but reaching wide audiences is impossible."
That's actually exactly what some folks want. To communicate privately with a small network of family/friends/colleagues. Tor does not have to be for everybody. If onion services only appeal to those people who bother to learn how to use them, then that's fine. What's important is that onion services work.
The silver lining of it being impossible to reach wide, i.e., large, audiences with onion services is that this means there is no incentive for advertising and thus no incentive for so-called "tech" companies to act as eavesdropping, centralised intermediaries under the guise of providing "free services".
Some folks might not want Google to snarf their content and try to profit from it in some way, or have Facebook offer them up as a highly specific demographic ad target.
I don't disagree that platforms develop immune systems against various statements.
I just wonder what truths you have been attempting to divulge that are being censored.
I imagine that it's very difficult for a North Korean to discuss things openly on the Internet, and that people in less restrictive authoritarian societies need to be cautious in how they do it to avoid suspicion. Still, Americans like me do learn things about Russia and China that they would rather us not find out and discuss.
I'm not sure you can downvote a tweet, and ratioing a tweet usually increases its reach. The weird thing about Twitter is that for things to disappear they had to actively delete, or the tweeter deletes to avoid embarrassment.
Another nice thing Tor provides is free NAT busting. If you're behind two layers of NAT and want to expose a service elsewhere, you can use Tor as an alternative for ngrok and other services. It even comes with basic authentication support through public keys, so you can expose any service you want without worrying about someone else finding and accessing it.
I wouldn't call Tor a secure alternative to DNS, though. First of all, DNSSEC is easy to set up on a domain or in your DNS resolver settings if you care about such things (even if the underlying protocol is kinda shit), and second of all there's no way to know if hackernewsfjsushfoufbeldufbfof.onion is the real service or if you need to go to hackernewsfkfhfofusnsodifnekdj.onion; you can bookmark one and hope it's the official source, but it's basically TOFU for domains. You could use the special onion location header to specify the real onion address, but then you're back to trusting DNS again.
For targets of interest, those .onion addresses found on the ‘clear net’ could be switched to another similar .onion on the fly by whatever security service and just for yours truly. The switcheroo.
I would like to imagine an org could get their SSL certificate issued to both news.ycombinator.com and hackernewsfjsushfoufbeldufbfof.onion (since you can get those now), and you (or your tor client) could show authenticity by showing "this site is also the authority for: news.ycombinator.com".
That will work, but it doesn't work for your standard, cheap, DV certificates. HTTPS over Tor works and is actually done by a few domains. Again, you'll be trusting the clearweb authentication mechanisms (and Tor isn't going to submit the sites you visit for certificate transparency checks) so the advantages quickly go away.
Presumably BBC would DMCA any site on clearnet that ripped their content and pretended to be the official site.
With an onion site on Tor they would not be able to do so easily.
But hopefully if they were running an onion site and not any regular site, they would mention their onion address frequently on their TV channel, and that way many people would know the real address.
Tor lets you share a URL with a domain name .onion[0]
That others can connect to securely. So long as you can connect to the tor network you don't need to worry about firewalls.
One criticism is that while onion addresses are secure and have authentication built in (it's kind of like if websites could be connected to by the public key of their SSL certificate) they are hard for humans to compare.
The problem is chicken and egg: you have to connect over SSL using DNS to get the onion address if one is advertised.
So the first time you access it you just assume it's trustworthy. "Trust on first use" TOFU.
One very important thing that TOR provides is additional routes when international routing between ISPs is blocked/broken for whatever reason.
Several websites (that are legal, legitimate in nature) get censored by tier-1 ISPs (for whatever reason) however even though they are clearnet websites, you can still view them out of country, since with TOR you can keep refreshing your routes until you get access.
Good example: I needed to get voter information abroad in order to get a mail-in ballot, but the government website blocked all foreign origin connections.
> Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.
While I know that’s the correct answer from the tor project, I still dislike it. It was/IS an acronym. Capitalization I’ve seen used across people familiar and unfamiliar with the tech.
I remember it back in the day as fully capitalized.
Now that the TorProject has opted to correct the record, it is too little too late. Most presentations at the time did use "TOR" and it was called the TOR router. Even they understand the acronym comes from the original onion routing project from the Naval Research Lab.
All that to say, I don't know why they would try to distance themselves from what it was, and what it still is.
Just don't mistake tor onion service addresses for permanent things. The .onions are much less of a priority than the clear web "anonymous" proxy. If onion support gets in the way of clear web proxy security it will be removed. Any particular version of Onion addresses will simply cease to exist and stop working in the tor project's software every 10 years or so; completely wiping out the entire tor ecosystem and all links. It's happened before and it will happen again.
So yeah, .onion services are secure but they're also transient. Don't try to build a community that relies on .onion links continuing to work over years.
Or Tor will release another address system. I remember when the Tor team released their v3 onion address a few years back they killed access to the old v2 sites on the network by not making the new browser versions backwards compatible.
It's not like support for v2 was removed immediately after v3 was released.
v2 and v3 coëxisted for over three years, giving 16 months advance warning of the deprecation, ending in a four month period where support was removed from the server but the client could still connect to it.
Operators had plenty of time to upgrade their services.
Do you have any reason to think they would get rid of v3 any time soon? They should be able to upgrade the encryption (and some, but not all of their authentication) to post quantum without changing the addresses.
v2 were removed because they are insecure. Bad crypto and addresses were discoverable when they shouldn’t need to be (and scanners were always running and discovering them).
I don’t think there’s any reason to suspect v3 will be removed because it’s “in the way” of standard clear-web proxying. If they are removed, it’ll be because there’s an issue and a v4 is needed.
The problem with TOR is CloudFlare and the likes. Many exit nodes are blocked, so you cannot reasonably get to a heap of sites. If I can't get to sites because they're blocked, then I'm not really on the internet.
Not TOR's fault, but it is something holding it back. Sadly.
Agree. Recently, my favorite childhood imageboard (711chan.net) came back online, and I was pleasantly surprised to see they offer the site via Tor, including using the Onion-Location header to make the browser aware of this fact.
Interestingly, they allow Tor users to post. It's an anonymous imageboard with no CAPTCHA, so I'm not sure how they intend to address spam this way.
Yeah I block tor for account registrations for one of the world's largest social media apps. It’s nearly all abuse. Though I let tor access if you already have an account.
The Tor developers were eager a few years ago to talk with people who were blocking Tor to see if they could help find alternatives. I realize you've probably thought about this a lot already, but have you ever discussed it with them? Alternatively, do you think you could explain more about the kinds of abuse that are typical when people sign up over Tor?
I realize that might come across as naive, because it's not as though they somehow know more about your abuse problems than you do, and it's also unlikely that they know something obscure about Tor that would turn out to be surprising and important for you. But they're certainly motivated to see if they can help people think of alternatives.
(I'm not actively involved with Tor right now, but I've been pretty close to the project in the past.)
Yes, but this article was very meticulous about only referring to the experience of using onion services. Native Tor. Kind of imagining a ubiquitous onion router over TLS and DNS, which is a bit disingenuous but accurate on the technical front.
40 years ago there were competing protocols to DNS, it's just not common to think of it that way anymore.
Yea I mostly use LibreWolf now as Tor is too slow and too many services block it and just use it to read (many news sites have tor addresses now). But another reason to support the project is that a lot of the anti-fingerprinting innovations developed by the Tor project eventually make their way to more usable browsers. The Tor project gets a large bit of funding to find and patch privacy holes in their Firefox-based browser ― the solutions they come up with can often be implemented in other Firefox browsers.
Cloudflare does not enforce tor blocking. Webmasters who use Cloudflare services, are making a choice to block tor. Cloudflare is just a tool, like iptables.
Perhaps I don't know how it works, but I would just imagine they would be, since Tor seems like it's mostly geared towards increasing availability of internet resources, and that aligns with Cloudflare.
Interesting take. And perhaps correct from a technical and individual viewpoint. E.g. in the sense of reducing technical risk, such as reducing attack vectors (MITM, blindly trusting certificates), avoiding vulnerable protocols (DNS, TLS).
However, the definition of security seems a little narrow. Security is more than just technical personal risk. And the view that TOR increases security does not sit right.
Does TOR increase security for a single individual browsing the internet? Perhaps.
Does TOR increase security in an enterprise system? Perhaps not. The value and need for non-repudiation might be greater than the need for individual session security.
Does TOR increase security in the view of a nation? E.g. national security interests? Quite the opposite. The need for traceability might be vital, even for your individual personal security and safety (counter-terrorism and whatnot).
The blog-title is great. "Tor Is Not Just for Anonymity"! The author points out that security is a wide umbrella term. I agree! To the point that the term must be defined even wider than what is presented. And true to this: I am not stating that traceability, the need for control and non-repudiation increases security one-to-one. What is "secure" is relative.
I believe GP was referring to the NAT-busting abilities of onion services, as well as the ability to get domain names you control via a private key. Of course, another solution would be IPv6. If you're referring to private IPv4 addresses, I can't see how that's relevant.
[0] https://old.reddit.com/r/ArkoseLabs/comments/o4ab5r/minecraf...
https://bisonrelay.org/
Some articles explaining a bit how and why:
https://blog.decred.org/2022/12/09/Trapped-in-the-Web/
https://blog.decred.org/2022/12/14/Bison-Relay-The-Sovereign...
Also there aren't really good technical solutions.
It is very hard for an individual to get out the truth against large groups and a preconditioned public opinion.
The most reliable solution is to type the business name into Google if you remember to skip the scam ads. Google doesn't track Tor, though.
[0] the BBC for example advertises its address https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6a... here https://www.bbc.com/news/technology-50150981.amp but getting it requires accessing the regular website first.
That should get you to a point where you can at least ask for a particular clarification.
Maybe since it was official government affairs, any US ip address had to be let through no matter what.
[0] https://support.torproject.org/about/why-is-it-called-tor/
[0] https://communitydocs.accessnow.org/147-Tor_force_exit_nodes...
Kinda messed up devices come preloaded with unchangeable trusted CAs
Guy knows his stuff, also works for dod.
Don't we have transparency logs to check that now?
Tor is not just for anonymity. It's also for reachability.