Why do articles that talk about Tor always reference Silk Road as being the only notable user of .onion addresses? WikiLeaks used them, and they've been used for endless anti-censorship actions. Even Facebook has one.
Probably because "evil pirates selling drugs and child pornography" generates more page views than "democracy activist not killed by authoritarian government."
For most things like democracy activism, whistleblowing, anti-censorship, exposing human rights abuses, reaching out for help in abusive situations, and so on you generally only need anonymity for one side of the communication. The danger to the party communicating the information is local, not global, and there are usually parties outside the danger area who are openly working on addressing the issue that the person inside needs to communicate anonymously about, and who can serve as recipients of the communication.
For the most part, that kind of communication can be done using tools such as encrypted email using the recipient's public key, leaving encrypted files on a cloud service somewhere, and things like that to communicate to those outside parties.
Where you really need Tor is when you are doing something where there is no one willing to openly handle the other end of things, and that's usually going to mean it is something like Silk Road, kiddie porn, human trafficking, and things like that where it is generally illegal nearly everywhere.
This is why I decided against it when I once considered running a Tor node. All of the noble uses I had in mind, I realized, could be accomplished without too much trouble without it, and so it seemed I would really only be helping people who were doing things I'm not interested in aiding.
I don't think the use case of hidden services are large sites that themselves need to be anonymous. That's really hard anyway because if you're big then you inherently have a lot of traffic, which significantly reduces the number of possible nodes that could be hosting the site to the ones with at least that much traffic going through them.
The use of hidden services for large sites is that they authenticate the site without the person uploading the documents having to trust the CA system. And the person doing the uploading has to use Tor or something like it because otherwise their adversary would just block them from accessing that site or punish them for it, and Tor is better than something like a VPN in that regard because the uploader only has to trust the design of Tor, not an individual operator like a VPN.
I think the real use case for a hidden service where the service itself is anonymous are apps like Ricochet where every user has their own hidden service. So you can have two activists in a repressive country who want to communicate with each other while remaining mutually anonymous and not have to trust some third party in a foreign country who could be cooperating with their oppressors.
> All of the noble uses I had in mind, I realized, could be accomplished without too much trouble without it
"Too much trouble" is a real problem. Security needs to be usable, especially in the sort of context where someone who makes a mistake or doesn't understand the implications can get killed for it. Anonymity by default and then you can tell them who you are if you don't need it is, in that regard, much better than anonymity only if you do specific extra work and if you didn't know that then you're dead.
It's also important for the people who need anonymity that lots of people who don't actually need it use a service that provides it anyway, or use of the service paints a target on you.
> I don't think the use case of hidden services are large sites that themselves need to be anonymous.
Using a hidden service has some serious caveats, using a hidden service is significantly slower than using a clearnet website over tor.
>That's really hard anyway because if you're big then you inherently have a lot of traffic, which significantly reduces the number of possible nodes that could be hosting the site to the ones with at least that much traffic going through them.
Yeah, as you would expect you have to scale up if you get a lot of traffic.
>The use of hidden services for large sites is that they authenticate the site without the person uploading the documents having to trust the CA system. And the person doing the uploading has to use Tor or something like it because otherwise their adversary would just block them from accessing that site or punish them for it, and Tor is better than something like a VPN in that regard because the uploader only has to trust the design of Tor, not an individual operator like a VPN.
As opposed to a PGP public key and a clearnet site?
> Using a hidden service has some serious caveats, using a hidden service is significantly slower than using a clearnet website over tor.
There is now a feature that allows Tor services to not use onion routing. The node that would have been the client's exit node just connects directly to the node providing the service, so the latency is the same as using a normal website over Tor but the website is authenticated using the onion address.
> Yeah, as you would expect you have to scale up if you get a lot of traffic.
You misunderstand. Having too much traffic means you can't be anonymous. If an attacker knows your site pushes 40Gbps of traffic and there is only one node in the network pushing 40Gbps of traffic then a passive observer can trivially figure out who you are. If there are five such nodes then they've still eliminated all but those five nodes as possibilities.
> As opposed to a PGP public key and a clearnet site?
And which is harder to use, PGP or a Tor onion service when you're already using Tor?
How are you going to use "a PGP public key" to access a service like Facebook that is blocked in China? I'm not aware of any web infrastructure (i.e. ports 80/443) that uses "a PGP public key" to secure communications.
I've been considering operating my Murmur server that runs on a local Debian box as a hidden service because I do not want to expose my public IP (mostly for DoS reasons). Let's just say that it is not very easy, and I hope to document my setup once it is to my satisfaction. Hopefully, we can make this process easy enough for my parents; then we can point to more usage by the mainstream thereby saving you from arguing against the usefulness of such software.
>How are you going to use "a PGP public key" to access a service like Facebook that is blocked in China?
I don't recall suggesting that. I personally used my own VPN server to access services like facebook in China.
>I'm not aware of any web infrastructure (i.e. ports 80/443) that uses "a PGP public key" to secure communications.
I've seen plenty. In fact, I just sent a PGP encrypted email from gmail over https.
>arguing against the usefulness of such software.
Where am I arguing against the usefulness of such software? I use .onions every day and host several, it's just that unless you need to hide your server's IP address you're adding tons of extra latency for some rather questionable benefits.
>>I'm not aware of any web infrastructure (i.e. ports 80/443) that uses "a PGP public key" to secure communications.
>I've seen plenty. In fact, I just sent a PGP encrypted email from gmail over https.
The web infrastructure (i.e. "gmail over https") was secured by a certificate (X.509) that is similar to, but separate from, a GPG key. As a user, you chose to take the extra step of encrypting your message locally, but that fact does not change the fact that the _web infrastructure_ was not secured by "a PGP public key."
I guess I got confused by your mentioning of "a PGP public key" because it is a very odd way to put it, and seems orthogonal to the discussion here that Tor hidden services are useful to people other than for black-market eCommerce operations.
>I guess I got confused by your mentioning of "a PGP public key" because it is a very odd way to put it, and seems orthogonal to the discussion here that Tor hidden services are useful to people other than for black-market eCommerce operations.
This is what I was responding to:
>The use of hidden services for large sites is that they authenticate the site without the person uploading the documents having to trust the CA system. And the person doing the uploading has to use Tor or something like it because otherwise their adversary would just block them from accessing that site or punish them for it, and Tor is better than something like a VPN in that regard because the uploader only has to trust the design of Tor, not an individual operator like a VPN.
It sounds like AnthonyMouse was suggesting that .onions would be a good way of sharing documents with "large sites" in scenarios where it is important for the user (note: not the site) to hide from someone they aren't the biggest friends with.
Problem with this suggestion is that .onions don't really offer any benefits to a user wanting to hide their activities, but in fact hurt them by dramatically slowing down any transfers (this could be a serious issue for time-sensitive stuff).
Therefore, instead of offering an .onion version of their site any such organizations and their users would be better served by a web service on the clearnet with an associated PGP public key that the users could use to encrypt any uploads.
That doesn't make them notable hidden services. Facebook is undoubtedly notable, but is their hidden service so? I think not.
Facebook has no need to hide their origin servers, so their use of .onions is symbolic at best (besides as a TLS alternative) as any tor users would be better off browsing the clearnet version of the site.
For WikiLeaks, using .onions makes sense for receiving documents, not for displaying the leaked ones.
My understanding is that Facebook runs an onion service (aka hidden service) primarily because it allows them to easily manage their anonymous users separately from other users. "Management" might include separate security logic to identify fraudulent login attempts and avoiding the accidental blockage that occurs sometimes via automated blacklisting of Tor exits. They also get the benefits of a secure name lookup (unlike DNS), and, as you mention, end-to-end encryption that doesn't rely on the Certificate Authority system.
Other "notable" onion services include OnionShare [0], which sets up an onion service to enable simple anonymous file sharing, Ricochet, which is a P2P anonymous chat service that sets up an onion service for each chat participant, and SciHub [2], which provides most academic papers for free. Each of these has been widely reported in the mainstream press.
>My understanding is that Facebook runs an onion service (aka hidden service) primarily because it allows them to easily manage their anonymous users separately from other users. "Management" might include separate security logic to identify fraudulent login attempts and avoiding the accidental blockage that occurs sometimes via automated blacklisting of Tor exits.
I'd be shocked if they didn't have Tor exit tracking already, literally everyone else in the space does.
>They also get the benefits of a secure name lookup (unlike DNS), and, as you mention, end-to-end encryption that doesn't rely on the Certificate Authority system.
The security of the name lookup relies on the crypto, but even without secure name lookups an attacker would still have to break TLS to defeat HSTS.
>Other "notable" onion services include OnionShare [0], which sets up an onion service to enable simple anonymous file sharing, Ricochet, which is a P2P anonymous chat service that sets up an onion service for each chat participant, and SciHub [2], which provides most academic papers for free. Each of these has been widely reported in the mainstream press.
Onionshare and Ricochet aren't widely used, scihub is still accessible over the clearnet.
I'm not sure what you're arguing any more. Your argument started as that only Silk Road was a "notable" onion service, which you appeared to define as having "publicity". Then the argument became that Facebook doesn't really need to run an onion service. Now the argument seems to be that there may be some reasonable alternatives to running an onion service for some notable use cases and that few people use the other notable onion services (and I don't see how you can be so sure of that - I and many people I know use them not infrequently).
But I think your original point has been effectively rebutted: there are several notable onion services other than Silk Road, and some of these are quite beneficial.
>Your argument started as that only Silk Road was a "notable" onion service
I never made such an argument, I said the dark net markets are as they're really the only sites receiving large amounts of .onion traffic. (Besides of course botnets)
> which you appeared to define as having "publicity".
We're talking about onionland in the media here, publicity seems like it would be one of the metrics that a journo would use when selecting notable examples of onion sites.
>Then the argument became that Facebook doesn't really need to run an onion service.
This seems to be a case of selective reading. I specifically stated,
>Facebook has no need to hide their origin servers, so their use of .onions is symbolic at best (besides as a TLS alternative) as any tor users would be better off browsing the clearnet version of the site.
I've highlighted the relevant part for you.
Let's say someone even manages to find the facebook onion address, which isn't a particularly easy task since seemingly the only part of their site where it's listed is the blog post mentioning it. For example https://www.facebook.com/help/ is of no use.
Now, let's say someone that's already using facebook over tor finds this address. Do you think they'll switch to it over facebook.com? I didn't, and I seriously doubt very many others did either. All it does is massively increase load times, modern browsers will already have FB certs pinned.
>But I think your original point has been effectively rebutted: there are several notable onion services other than Silk Road, and some of these are quite beneficial.
I'll agree on the other notable onion services, for example AlphaBay is far bigger and better than SR ever was.
> The security of the name lookup relies on the crypto, but even without secure name lookups an attacker would still have to break TLS to defeat HSTS.
Which nobody enables for most websites because it's insane to pin your certificate if you're not Google.
> Onionshare and Ricochet aren't widely used, scihub is still accessible over the clearnet.
"clearnet" doesn't mean anything. Just because you can access it using DNS doesn't mean that the fact it has an onion address is irrelevant. Onion addresses provide several security benefits, and only one of them is "anonymity of the server". As for "not widely used", you appear to have redefined "only notable hidden services". Notable means "important" or "significant". I consider Ricochet to be quite significant.
>Which nobody enables for most websites because it's insane to pin your certificate if you're not Google.
Why?
>"clearnet" doesn't mean anything. Just because you can access it using DNS doesn't mean that the fact it has an onion address is irrelevant.
I think it kind of does when you can just type in "facebook.com" instead of "facebookcorewwwi.onion" and receive a significantly faster browsing experience while not missing out on anything. That's what most users will do. Not only that, the onion is hardly documented (the only mention I could quickly find on facebook.com was in a blogpost!)
> Onion addresses provide several security benefits, and only one of them is "anonymity of the server".
I am well aware, none of which are worth the extra 3 hops.
>As for "not widely used", you appear to have redefined "only notable hidden services". Notable means "important" or "significant". I consider Ricochet to be quite significant.
Ricochet is experimental, unreviewed and nobody should really be using it for sensitive communications at this time.
And why is ricochet particularly significant? It's just glorified torchat, not bitcoin.
This is widely known. What I find more suspicious is the fact that Tor still partly uses obsolete crypto (RSA-1024) that may specifically be open to attacks from governments. This was discussed in 2013 and apparently not fixed ("no time"...). Normally, such a situation would have devs hurrying to fix the issue immediately, as it makes the whole project potentially useless for a particularly important use case (evasion of government censorship/repression).
It does matter where RSA-1024 is being actually used in Tor. As far as I understand, as long as it's not for some long-term keys, it still shouldn't be a problem. Please write if you know more on this subject.
I'm not an expert on Tor code, so I can only speculate and agree partly with you: it matters where it is used. But temporary keys do not necessarily help against an attacker who has access to all/most past Tor traffic. RSA-1024 is used in node identification and hidden services, the weaknesses are known:
Why is this always being brought up? It's transparently communicated on the Tor website and they have a bunch of blog posts explaining how things are and that they'd obviously prefer for it to not be that way.
There are very good reasons why now: Because who doesn't know the context would not understand why Tor people attempt to assure the community "everything's all right" now or even "always was"?
Also worth noting the names that appear there, like "SRI International," "International Broadcasting Bureau" (your tax money at work?) or even "Omidyar Network."
It is very insightful to see so many players there and investigate their background too.
Also worth noting, one of those involved in Tor development who also had access to some NSA files, Jacob Appelbaum, also wrote about what was being logged about the users of privacy tools, Tor included: