Tor is not just for anonymity (2022) (pastly.net)
204 points by Fred34 on July 15, 2023 | hide | past | favorite | 150 comments



Sadly the anonymity part (at least as meant a few years ago) is not true anymore...

Live in a shitty country, want to tweet the truth without your government finding out and treating you like Assange? Just use tor, make a social network account and publish the truth!

And the reality? Every cloudflare based site first gives you a long and hard captcha. Then you try to register an account, and again, one of those arkose labs[0] captchas. Then after rotating the 7th image in the right orientation, you finally get your twitter/facebook/instagram/whatever account... you try to make a first tweet/..., bam, your account closed, you need to verify with a phone number. You buy a disposable prepaid sim card, risk exposing yourself, and again get banned. A bunch of services even block tor exit nodes directly by IP.

Yeah, sure, you can run a hidden service, and all three users, that know how to use tor and find that address will see your writings, but reaching wide audiences is impossible.

yeah, i know it's just a rant, but it's a pain still

[0] https://old.reddit.com/r/ArkoseLabs/comments/o4ab5r/minecraf...


This has been my experience also and people shouldn't have to feel that privacy is only needed if you want to say something with life-threatening implications where people might take more extreme measures.

The excuse given is that Tor is used for abuse but I really doubt that and I doubt banning the exit node IP addresses is the appropriate fix. My opinion is corporations don't want anonymous people using their site and second that blocking Tor is sold by snake oil salesmen for network products.


Sad indeed, take a look at BisonRelay, it is built on top of Lightning Network, no surveillance possible, no accounts, true privacy.

https://bisonrelay.org/

Some articles explaining a bit how and why:

https://blog.decred.org/2022/12/09/Trapped-in-the-Web/

https://blog.decred.org/2022/12/14/Bison-Relay-The-Sovereign...


What's worse is that the few in control of TOR refuse to update their threat model (which is almost 20 years old) and implement solutions for this. I guess their Navy bosses want to keep access for "the good guys inc".


I am unsure what TOR developers can do to with twitter/facebook/instagram. The platforms business model is to collect personal information in order to sell advertisements, and blocking people who they can't identify is a business decision.

Tor could create their own society network but that will do nothing for people who need to reach people on those platforms.


This whole thing is annoying, but not really a threat to anonymity per se.

Also there aren't really good technical solutions.


It's written "Tor", not "TOR".


Yeah I keep forgetting, I even read a whole article about that and the origins of the name.


"Yeah, sure, you can run a hidden service, and all three users, that know how to use tor and find that address will see your writings, but reaching wide audiences is impossible."

That's actually exactly what some folks want. To communicate privately with a small network of family/friends/colleagues. Tor does not have to be for everybody. If onion services only appeal to those people who bother to learn how to use them, then that's fine. What's important is that onion services work.

The silver lining of it being impossible to reach wide, i.e., large, audiences with onion services is that this means there is no incentive for advertising and thus no incentive for so-called "tech" companies to act as eavesdropping, centralised intermediaries under the guise of providing "free services".

Some folks might not want Google to snarf their content and try to profit from it in some way, or have Facebook offer them up as a highly specific demographic ad target.


Yes, it is sad. Even if you would get through and publish a tweet, interest groups would flag and downvote, so you'd have no reach.

It is very hard for an individual to get out the truth against large groups and a preconditioned public opinion.


I don't disagree that platforms develop immune systems against various statements.

I just wonder what truths you have been attempting to divulge that are being censored.

I imagine that it's very difficult for a North Korean to discuss things openly on the Internet, and that people in less restrictive authoritarian societies need to be cautious in how they do it to avoid suspicion. Still, Americans like me do learn things about Russia and China that they would rather us not find out and discuss.

I'm not sure you can downvote a tweet, and ratioing a tweet usually increases its reach. The weird thing about Twitter is that for things to disappear they had to actively delete, or the tweeter deletes to avoid embarrassment.


Masterfully done! Attribute things to a poster that he hasn't said, compare censorship to an immune system and then go on to drag Russia and China into the equation.

All very calmly and with a superior attitude.


You can create a Protonmail address with Tor and share the information that Way... Or you could use secureDrop to send the information to journalists


How's SecureDrop in Belmarsh nowadays?


Do they even have internet access in that prison?


True, but they will still force sms verification for that from a TOR connection.


I created several Protonmail accounts using Tor and was not required to do SMS verifications... That was a few months ago


I tried a few days ago, and it was.


It's written "Tor", not "TOR".


Good point


With I2P network you prob won't get banned. You can host and specify an outproxy also.


good luck using anything with recaptcha.


Another nice thing Tor provides is free NAT busting. If you're behind two layers of NAT and want to expose a service elsewhere, you can use Tor as an alternative for ngrok and other services. It even comes with basic authentication support through public keys, so you can expose any service you want without worrying about someone else finding and accessing it.

I wouldn't call Tor a secure alternative to DNS, though. First of all, DNSSEC is easy to set up on a ___domain or in your DNS resolver settings if you care about such things (even if the underlying protocol is kinda shit), and second of all there's no way to know if hackernewsfjsushfoufbeldufbfof.onion is the real service or if you need to go to hackernewsfkfhfofusnsodifnekdj.onion; you can bookmark one and hope it's the official source, but it's basically TOFU for domains. You could use the special onion ___location header to specify the real onion address, but then you're back to trusting DNS again.
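As an added example (not from the post, the linked article, or the Tor project's own documentation) of what "expose a service from behind two layers of NAT, with public-key authentication" looks like in practice: a torrc for a v3 onion service with client authorization. The paths, the client name and the local port are assumptions; the directive names and file formats are Tor's.

```text
# /etc/tor/torrc on the machine behind the NAT (path is an assumption)
HiddenServiceDir /var/lib/tor/my_service/
HiddenServiceVersion 3
# Virtual port 22 on the onion -> local sshd. Nothing is opened on the
# router; the Tor client makes outbound connections only.
HiddenServicePort 22 127.0.0.1:22

# Client authorization: one file per allowed client in
#   /var/lib/tor/my_service/authorized_clients/<name>.auth
# containing a single line:
#   descriptor:x25519:<base32 X25519 public key, no '=' padding>
# With at least one such file present, a client without a matching key
# cannot even decrypt the service descriptor, so it never learns where
# the introduction points are, let alone connect.

# On the connecting machine's torrc:
# ClientOnionAuthDir /var/lib/tor/onion_auth
# holding a file <anything>.auth_private with the line:
#   <56-char onion address without .onion>:descriptor:x25519:<base32 X25519 private key>
```

One way to produce the X25519 pair (an assumption about tooling, not a Tor requirement) is `openssl genpkey -algorithm x25519`, then base32-encode the raw 32 key bytes of the public and private key (the last 32 bytes of their DER encodings) and drop the `=` padding. Keep in mind that client authorization protects the descriptor and the rendezvous, not the application behind it: sshd still sees an ordinary TCP connection and should keep its own authentication.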


For targets of interest, those .onion addresses found on the ‘clear net’ could be switched to another similar .onion on the fly by whatever security service and just for yours truly. The switcheroo.


I would like to imagine an org could get their SSL certificate issued to both news.ycombinator.com and hackernewsfjsushfoufbeldufbfof.onion (since you can get those now), and you (or your tor client) could show authenticity by showing "this site is also the authority for: news.ycombinator.com".


That will work, but it doesn't work for your standard, cheap, DV certificates. HTTPS over Tor works and is actually done by a few domains. Again, you'll be trusting the clearweb authentication mechanisms (and Tor isn't going to submit the sites you visit for certificate transparency checks) so the advantages quickly go away.


how do you know the site for the BBC is not bbc.is, bbc.net or even bbcnews.com?


You don't, but it's easier to make fakes if you can use the exact same readable prefix since nobody will even try to remember the full ___domain name.

The most reliable solution is to type the business name into Google if you remember to skip the scam ads. Google doesn't track Tor, though.


Presumably BBC would DMCA any site on clearnet that ripped their content and pretended to be the official site.

With an onion site on Tor they would not be able to do so easily.

But hopefully if they were running an onion site and not any regular site, they would mention their onion address frequently on their TV channel, and that way many people would know the real address.


I have understood literally nothing. ELI5 ?


Tor lets you share a URL with a ___domain name .onion[0] that others can connect to securely.

So long as you can connect to the tor network you don't need to worry about firewalls.

One criticism is that while onion addresses are secure and have authentication built in (it's kind of like if websites could be connected to by the public key of their SSL certificate) they are hard for humans to compare.

The problem is chicken and egg: you have to connect over SSL using DNS to get the onion address if one is advertised.

So the first time you access it you just assume it's trustworthy. "Trust on first use", TOFU.

[0] the BBC for example advertises its address https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6a... here https://www.bbc.com/news/technology-50150981.amp but getting it requires accessing the regular website first.
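The two points above (an onion address "is" the public key, and the Onion-Location header only moves the trust problem back to the clearnet site) can be made concrete. The following is an added example written for this page, not code from Tor or Tor Browser: it derives a v3 address from a key the way Tor's rend-spec-v3 defines it (SHA3-256 checksum over the key and version byte, base32 of key || checksum || version), validates an address a user typed or bookmarked, and applies the same two preconditions Tor Browser uses before honouring Onion-Location (the clearnet page must itself have come over HTTPS, and the target must be a syntactically valid v3 onion). The 32-byte key used in the demo is constructed and belongs to no real service.

```python
import base64
import hashlib
from typing import Optional
from urllib.parse import urlparse

ONION_V3_VERSION = b"\x03"
ONION_V3_LABEL_LEN = 56  # base32 of 32-byte key + 2-byte checksum + 1-byte version


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def pubkey_to_onion(pubkey: bytes) -> str:
    """Derive the v3 address from the service's 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_to_pubkey(address: str) -> Optional[bytes]:
    """Return the embedded public key if `address` is a well-formed v3 onion, else None.

    There is no registry or resolver to ask: a well-formed address *is* the key,
    so this check is the entire authentication step for the name itself.
    The checksum only catches typos and truncation; it says nothing about
    whether this is the BBC's key or an impostor's.
    """
    addr = address.strip().lower()
    if not addr.endswith(".onion"):
        return None
    label = addr[: -len(".onion")]
    if len(label) != ONION_V3_LABEL_LEN:
        return None  # 16-char labels were v2, which Tor no longer serves
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:  # binascii.Error: character outside a-z2-7
        return None
    if len(raw) != 35 or raw[34:35] != ONION_V3_VERSION:
        return None
    pubkey, checksum = raw[:32], raw[32:34]
    if checksum != onion_checksum(pubkey):
        return None  # typo or a tampered address
    return pubkey


def accept_onion_location(page_url: str, header_value: str) -> Optional[str]:
    """Apply the preconditions Tor Browser requires before following Onion-Location.

    The header is only trusted when the clearnet page came over HTTPS (over plain
    HTTP anyone on the path could inject it) and the target is an http(s) URL
    whose host is a valid v3 onion. Returns the URL to offer, or None. Note
    that this still rests on DNS and the CA for the clearnet page: TOFU, moved.
    """
    page = urlparse(page_url)
    if page.scheme != "https":
        return None
    target = urlparse(header_value)
    if target.scheme not in ("http", "https") or not target.hostname:
        return None
    if onion_to_pubkey(target.hostname) is None:
        return None
    return header_value


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed, not a real service key
    addr = pubkey_to_onion(demo_key)
    print(addr, onion_to_pubkey(addr) == demo_key)
    print(accept_onion_location("https://example.com/", "http://" + addr + "/"))
```

Because every v3 address ends in the version byte, all of them end in the letter "d"; a bookmark that does not is already suspect. The checksum is two bytes, so a random 56-character string will pass it about one time in 65536: fine against typos, useless against an attacker who simply generates a key and a plausible-looking address, which is the comparison problem the thread is describing.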


> The problem is chicken and egg ...

That's not an issue of Tor. The same thing happens in the clear web, how do you know www.bbc.com is the BBC you trust from the TV?

That happens to any ___domain, in fact, that happens to any source of information.

How did you start trusting in your current religion or politics? Chances are that you were convinced by a source (or sources) that for some reason you previously decided to rely on and trust.

We build some kind of web-of-trust in our heads, and it's normal that we do not trust in any .onion address initially. Eventually we import trust from sources outside of Tor that we currently trust (like you did by getting bbc's .onion address from its website), and then we start adding some .onion addresses to our "trusted sources" list.

I suppose your criticism is that last step of adding that .onion address to your trusted sources is really painful. It's easy to remember www.bbc.com, but not its .onion address. We eventually need to automate this, something like password managers but for trusted sources.


To be clear I was just providing an ELI5 for the comment.

I do like that websites can now advertise an onion address the browser can highlight.

People used to rely on Grams before it went out of business.

https://en.wikipedia.org/wiki/Grams_(search)

Or DeepDotNet

https://en.wikipedia.org/wiki/DeepDotWeb

Presumably once Reddit closed /r/darknetmarkets discussion moved to forums or probably Discord.

Back in the late 90s my local car boot sale (like a jumble sale), sometimes sold lists of websites. I never really knew what was on them but it feels a bit like what we're back to now.


The acronyms are googleable and a basic exposition on how Tor works is available on the Tor website.

That should get you to a point where you can at least ask for a particular clarification.


I actually did ! but still didn't understand !


One very important thing that TOR provides is additional routes when international routing between ISPs is blocked/broken for whatever reason.

Several websites (that are legal, legitimate in nature) get censored by tier-1 ISPs (for whatever reason); however, even though they are clearnet websites, you can still view them out of country, since with TOR you can keep refreshing your routes until you get access.


Good example: I needed to get voter information abroad in order to get a mail-in ballot, but the government website blocked all foreign origin connections.


Tor exit nodes are also frequently blocked or severely scrutinized... I'm surprised it worked..

Maybe since it was official government affairs, any US ip address had to be let through no matter what.


How awful. Which country?


United States of America

an eagle screeches in the distance


Fun fact: the bald eagle scream heard in most movies and television shows is actually the call of a red-tailed hawk.

https://www.clickondetroit.com/news/local/2023/03/28/do-you-...


Rewriting history is a part of our culture


I read about the long walk of the Navajo recently. You can say that again..


This should be considered unconstitutional...


Personally I think it should be illegal for government websites to even present you with a captcha, especially one from a hostile corporation like Google. But this is a battle I've long since quit fighting...


It doesn't matter anyway. They can claim a million mail in ballots and there is no way to verify it beyond "just trust us" which we clearly do not.


Can't you make the same argument for regular ballots?


I knew this academically from a while back, but have seen it in the wild by my house where I have both hawks and bald eagles.

Late at night I also get those classic spooky owl noises (great horned owl).


Just tried to rescue one by my property, poor thing passed


I recently wanted to check the price of tickets on Ticketmaster. Got an error about me looking like a bot (this was clearnet from a foreign country). Same deal with Tor.

This is why we cannot have nice things. Ticketmaster wants to keep all the scalping on their platform and not anyone else's.


Just curious - Does VPN help in this case ? Or do you prefer Tor


Tor* [0]:

> Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.

[0] https://support.torproject.org/about/why-is-it-called-tor/


While I know that’s the correct answer from the tor project, I still dislike it. It was/IS an acronym. Capitalization I’ve seen used across people familiar and unfamiliar with the tech.


I like it better as Tor than capitalised. All-uppercase words are a bit shouty.


I remember it back in the day as fully capitalized.

Now that the TorProject has opted to correct the record, it is too little too late. Most presentations at the time did use "TOR" and it was called the TOR router. Even they understand the acronym comes from the original onion routing project from the Naval Research Lab.

All that to say, I don't know why they would try to distance themselves from what it was, and what it still is.


Maybe they changed it because it seemed redundant to say "TOR router" (like ATM machine)... :)

Either way I don't mind, but personally I think "Tor" looks more professional, less shouty, and doesn't conflict with "top of rack" router/switch (which is a thing in datacenters). I have noticed that the Tor project is pretty protective of their brand, e.g. if you start a project including "Tor" in its name they will complain and ask you to clarify lack of affiliation.


Is there any mechanism to control this in the UI? It seems like something users would want: exit from XYZ country.


Not in the GUI but it's possible via modifying the torrc file[0].

[0] https://communitydocs.accessnow.org/147-Tor_force_exit_nodes...
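For reference, the torrc lines the linked page is about, added here as an example rather than copied from it. Country codes are matched against Tor's bundled GeoIP database, so they are approximate, and the caveat is the second directive: without it Tor silently falls back to any exit when none in the chosen country is usable, which is exactly the wrong failure mode if the point was to control your apparent origin.

```text
# torrc: only build exit circuits through relays Tor's GeoIP places in the US
ExitNodes {us}
# Refuse to build a circuit rather than fall back to an exit elsewhere
StrictNodes 1

# The inverse, if you only want to avoid certain countries:
# ExcludeExitNodes {xx},{yy}
```

Pinning exits to one country shrinks the pool of relays you use, which is a trade against anonymity: Tor Browser does not expose this in its GUI for that reason.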


It's written "Tor", not "TOR".


I liked the CA MITM call out.. we just trust these organizations to not deploy wildcard malicious certificates.

Kinda messed up devices come preloaded with unchangeable trusted CAs

Guy knows his stuff, also works for DoD.


> we just trust these organizations to not deploy wildcard malicious certificates.

Don't we have transparency logs to check that now?


Yes, Chrome and Safari will not load a site if the cert is not in CT. https://no-sct.badssl.com/


They will not load the site if the certificate does not have embedded SCTs. That's different.

They don't actually go check and compare the embedded SCT with what is in the logs. It would be incredibly slow to load the site if they did that.


This is going to blow your mind but they do, it's called the Inclusion Checking phase https://docs.google.com/document/d/1FP5J5Sfsg0OR9P4YT0q1dM02...
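What that inclusion check actually computes can be shown in a few dozen lines. An embedded SCT is only a log's signed promise to include the certificate; an inclusion proof is the log later handing back the sibling hashes that connect the certificate's leaf to a signed tree head, and the client recomputing the root from them. The code below is an added example written for this page, not Chrome's implementation or any CT library: it builds an RFC 6962 Merkle tree over constructed byte strings standing in for log entries, produces the audit path a log would return, and verifies it with the iterative algorithm from RFC 9162 section 2.1.3.2. Real entries are serialised MerkleTreeLeaf structures containing the (pre)certificate; that encoding is skipped here.

```python
import hashlib
from typing import List


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf: HASH(0x00 || entry). The ___domain-separation byte stops a
    leaf from being presented as an interior node, or vice versa."""
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def merkle_root(entries: List[bytes]) -> bytes:
    """MTH(D[n]): split at the largest power of two strictly less than n."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = 1
    while k * 2 < n:
        k *= 2
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def audit_path(entries: List[bytes], index: int) -> List[bytes]:
    """PATH(m, D[n]): the sibling hashes a log returns for one entry
    (in practice via the get-proof-by-hash endpoint)."""
    n = len(entries)
    if n <= 1:
        return []
    k = 1
    while k * 2 < n:
        k *= 2
    if index < k:
        return audit_path(entries[:k], index) + [merkle_root(entries[k:])]
    return audit_path(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Client side: recompute the root from the leaf and its audit path and
    compare it with the root hash from the log's signed tree head."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False  # more path elements than the tree size allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                # skip over levels where this subtree has no right sibling
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


if __name__ == "__main__":
    # Constructed entries; a real log entry is a serialised MerkleTreeLeaf.
    entries = [b"cert-%d" % i for i in range(7)]
    root = merkle_root(entries)
    path = audit_path(entries, 5)
    print(verify_inclusion(entries[5], 5, len(entries), path, root))
    print(verify_inclusion(entries[5] + b"!", 5, len(entries), path, root))
```

The proof is short (log2 of the tree size), so the expense Chrome avoids is not the hashing but the network round trip to the log, which it does asynchronously and rate-limited rather than on the page-load path. A root that verifies only tells you the log really did include that exact certificate; whether the log was honest about showing everyone the same tree is the separate consistency-proof and gossip problem.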


also Edge. It's an open issue on Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1281469


Wow. Firefox should really prioritize this if all major browsers are doing it already.


There is a theory which states that if ever anyone discovers exactly which decade old bug should be fixed in Firefox, it will instantly disappear and be replaced by some obscure web service by Mozilla Foundation. There is another theory which states that this has already happened.

(in memory of Douglas Adams)


Let's test that theory:

It's this one. https://bugzilla.mozilla.org/show_bug.cgi?id=505521


Introducing RunSet™ by Mozilla Foundation: an installation customizer for Mozilla suite of software. Just visit mozilla.org/runset, click on what pieces of software you want, and a custom installer is generated just for you. You can even embed your profile picture to the installer to share it with your friends and family. Fully customizable, fully free.

RunSet™: Install everything everywhere all at once.

[Donate]


But not Brave apparently



So now we trust them to log it. What's the difference?


If someone else logs a certificate for one of my domains I am notified and can have it revoked.


How are you following this in practice, especially if every service has its own certificate that it rotates every two months via letsencrypt or similar?

It's not clear to me how you know who asked for the certificate in the log. Do you somehow compile the private keys of all entities that are allowed to request certificates and compare that to the CTL?


I only have about two dozen certs, so having a notification a week is manageable; I haven't had to think about how to scale it.


Just don't mistake tor onion service addresses for permanent things. The .onions are much less of a priority than the clear web "anonymous" proxy. If onion support gets in the way of clear web proxy security it will be removed. Any particular version of Onion addresses will simply cease to exist and stop working in the tor project's software every 10 years or so; completely wiping out the entire tor ecosystem and all links. It's happened before and it will happen again.

So yeah, .onion services are secure but they're also transient. Don't try to build a community that relies on .onion links continuing to work over years.


Or Tor will release another address system. I remember when the Tor team released their v3 onion address a few years back they killed access to the old v2 sites on the network by not making the new browser versions backwards compatible.


It's not like support for v2 was removed immediately after v3 was released.

v2 and v3 coëxisted for over three years, giving 16 months advance warning of the deprecation, ending in a four month period where support was removed from the server but the client could still connect to it.

Operators had plenty of time to upgrade their services.


Yet, the clear-web DNS entries of major websites haven't changed in 15 years or more.

It's not like you can just google an old Onion bookmark that's gone stale to get the current address.

Address longevity is especially important if you're trying to re-democratize the internet and give everyone equal opportunity to host content, not just a handful of mega corporations. In that ecosystem, it wouldn't be out of the ordinary to have 5+ year old bookmarks laying around that you haven't visited in a while but want to check out again. It's a pre-Google internet.


In reality though, most onion sites don't even stick around for very long anyway. And the URL scheme has nothing to do with it. Most sites are either illegal in nature and so regularly disappear for various reasons (police, exit scams etc), or they're just onion versions of clearnet sites, which means they'll be easy to find the new URL for. Or they just stop working because they cease to be maintained.


What's the cause and what's the effect, though.


Do you have any reason to think they would get rid of v3 any time soon? They should be able to upgrade the encryption (and some, but not all of their authentication) to post quantum without changing the addresses.


v2 were removed because they are insecure. Bad crypto and addresses were discoverable when they shouldn’t need to be (and scanners were always running and discovering them).

I don’t think there’s any reason to suspect v3 will be removed because it’s “in the way” of standard clear-web proxying. If they are removed, it’ll be because there’s an issue and a v4 is needed.


The problem with TOR is CloudFlare and the likes. Many exit nodes are blocked, so you cannot reasonably get to a heap of sites. If I can't get to sites because they're blocked, then I'm not really on the internet.

Not TOR's fault, but it is something holding it back. Sadly.


Tor's ability to use exit nodes is much less interesting to me than Tor-hosted Onion sites. I wish more sites also offered an onion.


Agree. Recently, my favorite childhood imageboard (711chan.net) came back online, and I was pleasantly surprised to see they offer the site via Tor, including using the Onion-Location header to make the browser aware of this fact.

Interestingly, they allow Tor users to post. It's an anonymous imageboard with no CAPTCHA, so I'm not sure how they intend to address spam this way.


It's an image board? I've been told that it's a really bad idea to allow image uploads from Tor at all, at least without the requirement of having an account that can be wiped out all at once. I think there was an idea to let Tor users pick from a standard palette of images, but be prevented from uploading their own.


>Interestingly, they allow Tor users to post. It's an anonymous imageboard with no CAPTCHA, so I'm not sure how they intend to address spam this way.

Other sites use proof of work here
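An added example, not from the page or from any of the sites mentioned, of the proof-of-work gate such boards use in place of a CAPTCHA: the server hands out a signed, expiring challenge; the client burns CPU to find a counter that makes SHA-256(challenge || counter) start with enough zero bits; the server checks one hash. It costs a Tor user a few hundred milliseconds per post and costs a spammer the same per post times the volume they want, without needing an IP reputation the exit node cannot provide. The challenge encoding, difficulty and TTL are my assumptions; the server secret is generated per process for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Per-process secret so clients cannot mint their own challenges (constructed).
SERVER_SECRET = secrets.token_bytes(32)
DIGEST_BITS = 256


def _leading_zero_bits(digest: bytes) -> int:
    return DIGEST_BITS - int.from_bytes(digest, "big").bit_length()


def _tag(body: str) -> str:
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]


def issue_challenge(difficulty_bits: int, ttl: int = 60, now: Optional[int] = None) -> str:
    """Server: 'difficulty:expiry:nonce:tag'. The tag binds difficulty and expiry,
    so a client cannot lower the work factor or extend the deadline."""
    now = int(time.time()) if now is None else now
    body = f"{difficulty_bits}:{now + ttl}:{secrets.token_hex(8)}"
    return f"{body}:{_tag(body)}"


def solve(challenge: str, max_iters: int = 1 << 24) -> int:
    """Client: find a counter whose hash has the required leading zero bits.
    Expected work is 2**difficulty hashes; it cannot be precomputed because
    the nonce is fresh per challenge."""
    bits = int(challenge.split(":", 1)[0])
    for counter in range(max_iters):
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return counter
    raise RuntimeError("no solution within iteration budget")


def verify(challenge: str, counter: int, now: Optional[int] = None) -> bool:
    """Server: one HMAC and one hash. A production deployment would also
    record consumed nonces until expiry so a solution cannot be replayed."""
    try:
        bits_s, expiry_s, nonce, tag = challenge.split(":")
        bits, expiry = int(bits_s), int(expiry_s)
    except ValueError:
        return False
    if not hmac.compare_digest(_tag(f"{bits_s}:{expiry_s}:{nonce}"), tag):
        return False  # forged or tampered challenge
    now = int(time.time()) if now is None else now
    if now > expiry:
        return False  # expired: bounds how long a solution stays valid
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return _leading_zero_bits(digest) >= bits


if __name__ == "__main__":
    ch = issue_challenge(16)
    start = time.time()
    c = solve(ch)
    print(f"counter={c} in {time.time() - start:.2f}s, valid={verify(ch, c)}")
```

The difficulty should be tuned to the posting rate you can tolerate rather than to "make spam impossible": 16 bits is roughly 65 thousand hashes, which is a fraction of a second in C or on a GPU but noticeable in a browser, so a gate like this raises the cost of bulk posting without adding an identity check. It does nothing about a single determined human, which is the trade-off the comment is pointing at.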


> 711chan.net

Any time I see these chan sites, it kind of stuns me about how racist they are relative to anything else on the internet.


Keep in mind that much of that is a constant struggle between moderating and Zersetzung. If somebody doesn't like free discourse, all they have to do is increase the moderation burden for such sites. Knowing full well, that the more rules you have and try to enforce, the more of an echochamber you become.

Still beats the toxic effects of curating identities in a social media echochamber. Dedicated boards also work as plumbing on chans.

edit: Totalitarians are also not shy about employing Zersetzung. For example, the CREST Research ("Mining the Chans") people are very open about attacking chans through AI generated garbage/extremism content to make them unusable. So chances are high that this is what you are seeing and reacting to.


Doesn't seem worse than Reddit or Facebook to me. Heck, even though it isn't as obvious the amount of negativity on HN about everything Chinese is basically the same racism, just written in ways to avoid getting removed.


Did you visit the site? They have multiple boards on the sidebar that are explicitly dedicated to racism. One of them is just named “[Nig]s”. There’s a picture in the sean one with a 1488 behind pixel black people.


I cant be racist - some of my best friends are blacks.


[flagged]


Speaking of chan culture, you must surely know that pretending to be racist is not really a great defense: https://knowyourmeme.com/memes/i-was-only-pretending-to-be-r...


The guy created an antisemitic username just for that comment, he’s not arguing in good faith.


What's the difference between being racist with the intent of offending ("triggering") people vs just being racist?

Isn't most racism done with the intent of making the target uncomfortable or offended (whether that be in small ways or all the way up to straight up murdering people)? Like isn't that the entire point of racism? The KKK wasn't burning crosses to be friendly.


I'm sure most KKK chapters were actually satirical, totally-not-racist, KKK chapters. It was that oddball 1 in a hundred chapter that crossed the line that gave the rest a bad name

/s in case it's needed


Making people uncomfortable. That's a really mild take on the whole KKK thing. Feeling very charitable today, are we?


It's not websites, it's people. Freedom of speech + anonymity just allow people to show who they really are.


Anonymity also makes it really easy to simulate something if you want to imply something about human nature. Thats luckily something that is fixable client side. Just be less gullible.


I think it’s more like that these boards attract a specific type of person, not people in general. People generally don’t like racists because they’re also generally awful people as well. That’s why they’re banned off of most of the internet and the real world.


>People generally don’t like racists because they’re also generally awful people as well

Can't resonate. In my part of the world, people are generally racist.


The way online racists act is very different from general racism irl. It’s a much more hateful form and seems a bit more all over the place. They won’t just hate one ethnic group, they’ll hate everything and everyone that isn’t exactly like them.


> People generally don’t like racists because they’re also generally awful people as well

People are generally awful people as well.


Most people are either pleasant or neutral irl. There are no consequences for what you say online so people tend to be their worst on the internet. If people were generally awful, we wouldn't have any form of society anywhere in the world.


Yeah I block tor for account registrations for one of the worlds largest social media apps. It’s nearly all abuse. Though I let tor access if you already have an account.


The Tor developers were eager a few years ago to talk with people who were blocking Tor to see if they could help find alternatives. I realize you've probably thought about this a lot already, but have you ever discussed it with them? Alternatively, do you think you could explain more about the kinds of abuse that are typical when people sign up over Tor?

I realize that might come across as naive, because it's not as though they somehow know more about your abuse problems than you do, and it's also unlikely that they know something obscure about Tor that would turn out to be surprising and important for you. But they're certainly motivated to see if they can help people think of alternatives.

(I'm not actively involved with Tor right now, but I've been pretty close to the project in the past.)


Yes, but this article was very meticulous about only referring to the experience of using onion services. Native Tor. Kind of imagining a ubiquitous onion router over TLS and DNS, which is a bit disingenuous but accurate on the technical front.

40 years ago there were competing protocols to DNS, its just not common to think of it that way anymore.


Yea I mostly use LibreWolf now as Tor is too slow and too many services block it and just use it to read (many news sites have tor addresses now). But another reason to support the project is that a lot of the anti-fingerprinting innovations developed by the Tor project eventually makes their way to more usable browsers. The Tor project gets a large bit of funding to find and patch privacy holes in their Firefox-based browser ― the solutions they come up with can often be implemented in other Firefox browsers.


You should give a look at Mullvad Browser, it has been developed in collaboration with the tor project and you have no latency issues


Can you Tor to a VPN then? That gives you some more choice over origin server and IP.


what is tor adding to that setup?


Anonymity. Now the VPN operators and people who are watching the VPN logs don't know your IP.


and how do you get access to the VPN?

all VPNs need authentication and payments, otherwise you're just connecting to another open network with the same issues as TOR.

if you make payments, and then auth on connection, they "know" who you are and TOR at the start is not giving you anything


1. Not all VPNs are paid, a lot of free VPNs and open proxies

2. Not all payment methods are connected to your identity. Mullvad for example accepts cash in an envelope, or cryptocurrency payments.


yes. and also if tor is compromised you have the vpn as a layer of defence.


Cloudflare does not enforce tor blocking. Webmasters who use Cloudflare services, are making a choice to block tor. Cloudflare is just a tool, like iptables.


Okta completely blocks it, so it has to be disabled for anything work related, which is kinda annoying.


Is Cloudflare not a large exit node for Tor?

Perhaps I don't know how it works, but I would just imagine they would be, since Tor seems like it's mostly geared towards increasing availability of internet resources, and that aligns with Cloudflare.


It's written "Tor", not "TOR".


Interesting take. And perhaps correct from a technical and individual viewpoint. E.g. in the sense of reducing technical risk, such as reducing attack vectors (MITM, blindly trusting certificates), avoiding vulnerable protocols (DNS, TLS).

However, the definition of security seems a little narrow. Security is more than just technical personal risk. And the view that TOR increases security does not sit right.

Does TOR increase security for a single individual browsing the internet? Perhaps.

Does TOR increase security in an enterprise system? Perhaps not. The value and need for non-repudiation might be greater than the need for individual session security.

Does TOR increase security in the view of a nation? E.g. national security interests? Quite the opposite. The need for traceability might be vital, even for your individual personal security and safety (counter-terrorism and whatnot).

The blog-title is great. "Tor Is Not Just for Anonymity"! The author points out that security is a wide umbrella term. I agree! To the point that the term must be defined even wider than what is presented. And true to this: I am not stating that traceability, the need for control and non-repudiation increases security one-to-one. What is "secure" is relative.


It's written "Tor", not "TOR".


Best part is not having to pay for a ___domain name or hosting just to be reachable. We already pay enough just for internet access.

Tor is not just for anonymity. It's also for reachability.


Clearnet also works for this particular use case, disregarding anonymity. And an IPv4 address is much more readable/usable than an onion one.


I believe GP was referring to the NAT-busting abilities of onion services, as well as the ability to get ___domain names you control via a private key. Of course, another solution would be IPv6. If you're referring to private IPv4 addresses, I can't see how that's relevant.


I am really becoming more and more skeptical of the security of Tor as time goes on. If it's no longer safe for buying drugs (or crypto) on the internet https://blog.torproject.org/bad-exit-relays-may-june-2020/ what makes you think it's safe for things intelligence agencies take more seriously?

Tor has received significant funding from the US intelligence community through its entire existence. If you are US aligned is Tor safe? Advocating for democracy in some war torn dictatorship? Probably. On the other hand if you are doing something that upsets US intelligence how much would you really trust Tor?


It makes sense that Tor would be funded at a level that allows it to defend against the intelligence gathering capabilities of most countries, but not so well funded that it can exceed the intelligence gathering capabilities of the US.

However, just because something makes sense, doesn't mean it is actually true. It is incredibly difficult to determine whether or not this stuff can be effective, even with a detailed use case. At the periphery of society, there is nothing but uncertainty.


This. The three-letter agencies have every incentive to host a lot of Tor nodes to catch whom they don't like. Tor CANNOT defend against this, the protocol just can't.


Sometimes Tor hidden services are just convenient if you're behind a NAT you can't control (be it corporate or carrier).


I think this is where most people’s minds would jump when reading the title. When it’s actually about Tor providing security in general, not just anonymity specifically.

It was written in response to someone claiming something like “Tor provides no benefit over TLS unless you want anonymity” and strives to demonstrate it provides non-anonymity security benefits beyond what TLS can do.

It discusses a very specific scenario because that’s what I was arguing about with someone. The title could’ve been better.


tailscale

got a mini at home serving as an exit node

set this up one time when the IT dept was being obtuse about fw rules and locked us out of ssh, so we couldn't push to gh - amateur hour; add more shadow IT


While I do think the threat model of web-PKI TLS is different from TOR, with some of the problems in one not present in the other and vice versa, I'm generally unconvinced it is the panacea that this article presents it as.

> DNS hijacking is impossible. DNS is simply not used.

Sure, but now you have a new problem that tor hidden service identifiers are not really human identifiers. This makes attacks where you trick the user into going to the wrong site much easier.

Which is more likely - DNS hijacking + no TLS (or at least no HSTS), or a user being tricked into typing the wrong incomprehensible string of letters? Personally I find the latter to be the more realistic threat to the average user.

> BGP hijacking is impossible. Every interaction a Tor client has with a relay or onion service is authenticated such that you are guaranteed to be interacting with the relay/onion that you intend to be.

I don't understand. BGP attacks in order to do passive monitoring seem just as doable for TOR, although I guess now you need to do it in two places.

Isn't BGP hijacking (if you can do it arbitrarily, which is unrealistic) basically a global passive adversary - the main thing Tor famously doesn't defend against?

> There are zero places a corporate firewall can inject itself to decrypt the traffic. There are zero places and zero parties between the Tor clients that a MITM attack can be performed.

They could be the bridge. They could just spy on the client directly (usually the assumption is the corporate firewall can install stuff on your computer like custom CA certs; if push comes to shove, just install spyware directly).

The main benefit Tor has against corporate firewalls is that it is too obscure for anyone to care.

> Do you assume the CT lookup process is secure? Are the parties you're communicating with misbehaving? Are your lookups in CT logs being logged and associated with you?

Admittedly I'm not super familiar with CT validation, but I was under the impression that certificates contain the SCT, which is a signature that is validated on the client, and that there is no (online) CT lookup. So I don't understand - how can the CT lookup process be insecure or privacy-violating if it essentially doesn't exist? All that is happening in the browser is a signature validation - no additional network requests needed.


> Sure, but now you have a new problem that tor hidden service identifiers are not really human identifiers. This makes attacks where you trick the user into going to the wrong site much easier.

Tor promised to address v3 addresses being much less human-readable before deactivating v2, and I look forward to them doing it.


Both the original post and the root pastly.net time out for me. Is this just a funny coincidence? Is the site only accessible via Tor? Has something nefarious happened to the site?

Either way, the original has fortunately been archived:

https://archive.is/tRo73

https://web.archive.org/web/20230715011947/https://blog.past...


In order to prevent websites from fingerprinting with network traffic recordings (of single servers and/or exit nodes), there have to be a bunch more implementations at the network-protocol level.

In my opinion, TLS itself is not secure enough to preserve anonymity because of the threat actor (ISP/gov) being able to have recordings of "when and what" is being requested in which Browser Engine on their tracked websites. They tend to scrape websites and have recordings of the time differences between when the various assets of a website are requested, and there are differences between WebKit, Chromium, Edge, Firefox etc. in regards to CSS, HTML, images etc., and also in terms of TLS fingerprints and how their TCP/UDP stack behaves.

I wish that Tor would have support for a couple more things that are necessary to really preserve privacy from the god's eye perspective of an ISP:

- Randomization of TLS fingerprint, in the sense that the order of offered ciphers in the handshake, the TCP window size etc is randomized.

- Traffic scattering (e.g. have multiple exit nodes that are selected via a ronin to request the resources from each website)

- Traffic "trailing", which inserts random amount of NULL bytes at the end (with randomized encodings, e.g. chunked encoding, gzip Transfer Encoding, etc)

- Offline cache for both HTTP/S, DNS and WS/WebRTC in the Browser, so that websites continue to work when they've been requested already. A lot of the Browser cache mechanics are useless because webservers are implementing stupid understandings of ETags which won't work with Tor due to them being connection-specific

- Cache headers have to be modified by the Tor proxy, because they can be abused for fingerprinting. ETag and Last-Modified date headers in combination with the Pragma/Cache headers can be used to uniquely re-identify Browser clients on the other end (e.g. by using a fixed datetime in the past for each new client like 1970-01-02 03:04:05).

- User-Agent headers have to be randomized and sticky to Tabs and what the website in those Tabs request, even when they're seemingly foreign domains; but even more so when those domains have a CNAME entry.

In the past I implemented a lot of the mentioned concepts into the Stealth prototype [1] which aimed to solve this by offering a local Proxy which routes/modifies/cleans network traffic and can be used by a webview that points to it (no matter whether it's a mobile or desktop one); but I had to shift focus with my efforts to cyber defense because we Europeans are getting hit by a lot of "Kremlin-loving hacker groups". At some point I wanted to revisit these ideas again, but who knows what the future holds.

[1] https://github.com/tholian-network/stealth
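The two header-related items in the list above (cache validators used as identifiers, and a User-Agent that is randomized but sticky per tab) can be shown as a small rewriting layer. The block below is an added example, not code from the commenter or from the Stealth project; the header values and the User-Agent pool are constructed, and the tab identifier is assumed to be supplied by whatever webview sits in front of the proxy.

```python
"""Header normalisation that a local privacy proxy could apply (added example).

Two tricks from the comment above are neutralised here:
  * a server hands each new visitor a unique ETag or a synthetic Last-Modified
    date; the browser echoes it back in conditional requests, so the cache
    becomes a cookie the user never sees;
  * a distinctive User-Agent links every request from the client together.
All header values below are constructed for this example.
"""
import secrets
from typing import Callable, Dict, List, Sequence, Tuple

Headers = List[Tuple[str, str]]

# Response validators that a browser would echo back verbatim. Dropping them
# leaves the browser nothing to echo; Cache-Control / Expires are kept so plain
# time-based caching still works.
RESPONSE_VALIDATORS = frozenset({"etag", "last-modified"})

# Conditional request headers that would carry a validator back to the server.
REQUEST_CONDITIONALS = frozenset({
    "if-none-match", "if-modified-since", "if-match",
    "if-unmodified-since", "if-range",
})

# Constructed pool; a real deployment would choose these strings deliberately.
USER_AGENT_POOL: Sequence[str] = (
    "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0",
)


class HeaderScrubber:
    """Rewrites request and response headers passing through a local proxy."""

    def __init__(self, ua_pool: Sequence[str] = USER_AGENT_POOL,
                 choose: Callable[[Sequence[str]], str] = secrets.choice) -> None:
        self._ua_pool = list(ua_pool)
        self._choose = choose            # injectable so tests can be deterministic
        self._ua_by_tab: Dict[str, str] = {}

    def user_agent_for_tab(self, tab_id: str) -> str:
        """One UA per tab, chosen once and reused for every ___domain that tab
        loads (including third-party and CNAME'd hosts), so a site sees one
        consistent client per tab and cannot link tabs through the UA alone."""
        if tab_id not in self._ua_by_tab:
            self._ua_by_tab[tab_id] = self._choose(self._ua_pool)
        return self._ua_by_tab[tab_id]

    def forget_tab(self, tab_id: str) -> None:
        """Closing a tab discards its UA so a later tab does not inherit it."""
        self._ua_by_tab.pop(tab_id, None)

    def scrub_request(self, tab_id: str, headers: Headers) -> Headers:
        """Strip conditional headers and replace the UA with the tab's sticky one."""
        out: Headers = []
        for name, value in headers:
            lname = name.lower()
            if lname in REQUEST_CONDITIONALS or lname == "user-agent":
                continue
            out.append((name, value))
        out.append(("User-Agent", self.user_agent_for_tab(tab_id)))
        return out

    def scrub_response(self, headers: Headers) -> Headers:
        """Strip ETag and Last-Modified before the response reaches the browser."""
        return [(n, v) for n, v in headers if n.lower() not in RESPONSE_VALIDATORS]


def header_names(headers: Headers) -> List[str]:
    return [name.lower() for name, _ in headers]


# Constructed sample exchange: the server tags the client through its validators
# and the browser would otherwise echo the tag on the next visit.
SAMPLE_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "max-age=3600"),
    ("ETag", '"client-7f3a9c"'),
    ("Last-Modified", "Fri, 02 Jan 1970 03:04:05 GMT"),
]
SAMPLE_REQUEST: Headers = [
    ("Host", "example.invalid"),
    ("User-Agent", "RealBrowser/1.0 (unique build 12345)"),
    ("If-None-Match", '"client-7f3a9c"'),
    ("If-Modified-Since", "Fri, 02 Jan 1970 03:04:05 GMT"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    scrubber = HeaderScrubber()
    print(scrubber.scrub_response(SAMPLE_RESPONSE))
    print(scrubber.scrub_request("tab-1", SAMPLE_REQUEST))
```

The design choice worth noting is that validators are removed on the response side rather than the request side: once the browser never stores an ETag or Last-Modified, it has nothing to send in If-None-Match or If-Modified-Since, and the request-side stripping is only a second line of defence for pages cached before the proxy was in place.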


Also keep in mind TLS leaks what website you’re connecting to using SNI.



Does anything even support ECH yet? It's still in a draft stage, and all I see when it comes to normal web servers is low-priority feature request issues that have been open for a few years.

I've checked Apache, nginx, and Caddy, but all of them have open issues. Chrome has the feature locked behind a flag and so does Firefox.

When it finally comes out, ECH will be great, but for now it's practically useless.


I'm not sure it'll be great. Right now censors can selectively block offending websites. With ECH they'd just block entire CDNs so large chunks of Internet will become inaccessible.

At this point it's obvious that censorship in the Internet is inevitable. So I'd prefer to reduce blast radius.


> With ECH they'd just block entire CDNs so large chunks of Internet will become inaccessible

They would've effectively made Internet inaccessible. That has political consequences, and they would have to live with that, or revise their policies around content censorship such as finding a common ground with content providers so there would be no need to block the web site.


If right now censors can already block entire CDNs, how would things change?


They don’t do that. They have a list of URLs to block. HTTPS and HSTS already turn that list into a list of domains, so instead of a single article, all of Wikipedia would be blocked. Encrypting the ___domain would turn that list into a list of IP addresses.


The increase in cost of blocking is exactly one of the reasons it’s useful.

Blocking the web isn’t an economical choice and shitty countries know that.


I used to think this way, but at this point I think they don't care. Bureaucracy trumps everything. A court decides to block some URL and internet providers will block everything they have, otherwise they'll be fined for not executing the court's decision. And nobody cares about economic choices. Law is law and that's about it.


I mean - yes they do.

Iran would keep the internet blocked to the level they had during the height of the protests if no one cared about economics. They don’t because it actually costs everyone.

During times of tension (e.g. the protests) the cost becomes worth it.


Yeah except nothing supports it


It's a game of tradeoffs, and Tor is losing in the fast transfer speeds and responsiveness department. That's what a typical user cares about the most.


I use it to route around censorship. They've blocked torrent sites over here; luckily there's 1337.to


The internet is no longer as peer-to-peer friendly as it once was. Hence the existence of commercially-motivated hacks run by third parties such as hosting, e.g., Cloudflare, etc., including tunneling, e.g., ngrok, etc. Alternatively, Tor relies on third parties but AFAIK it's not so centralised and it's not commercially-motivated.

That is what differentiates it from all the other options. There is no company behind it trying to make money by exploiting internet subscribers trying to connect with each other (not the so-called "tech" company).

Tor can have uses other than the ones normally discussed such as anonymity and evading censorship. Tor can provide reachability without use of commercial eavesdropping third party intermediaries.

For example, one can use Onion Services for advertising open IP:port information that is needed for peer-to-peer connections over other, faster peer-to-peer overlay networks, not the Tor network. The Onion Service can function as the "rendezvous" server for making peer-to-peer connection outside of Tor. Tor's Onion Services can be used to exchange IP:port information for making direct connections over the internet without using Tor. No need to use commercial third parties. Ngrok, Tailscale, etc. all require use of servers run by a commercial third party. Tor does not. There is ample free software that can establish peer-to-peer connections over the internet but in every case it requires some reachable server running this software on the internet, and for most users that means they have to run a server and pay a commercial third party for hosting. Tor has no such requirement.

Imagine being able to share content with family, friends, colleagues without the need for so-called "tech" companies^1 acting as intermediaries ("middlemen"). With a reachable IPv4 address this becomes possible. It would be nice if every home internet access subscriber received a reachable IPv4 address from their ISP. No doubt, some do. But on today's internet most do not. The so-called "tech" companies all have reachable IPv4 addresses. Hence they assume the roles of middlemen and use this position to exploit internet subscribers for profit.

Something like Tor provides a solution. Again, it is not always necessary to route all traffic over Tor. Tor can have other uses. When the goal is simply peer-to-peer connections, Onion Services can be used to bootstrap peer-to-peer overlay connections using the user's choice of software by providing a secure, reliable way to exchange IP:port information. The goal here when using Tor is not anonymity nor censorship evasion, it's reachability. Similarly, the goal of peer-to-peer is not necessarily anonymity nor evading censorship either, it's bypassing commercially-motivated, eavesdropping middlemen known as "tech" companies, and avoiding the annoyances of advertising. A possible additional benefit of using Tor in this way is elevated privacy. Google, for example, cannot easily discover Onion Services. No one can discover Onion Services using ICANN DNS.

1. The term "tech" as in "tech company" means a company, usually a website, that collects data from and about people to support the sale of advertising services because advertising services are the only services the company can sell on a scale large enough to sustain a profitable business.

More reading/viewing:

https://github.com/anderspitman/awesome-tunneling

Tor Hidden Services (now called "Onion Services")

https://jamielittle.org/2016/08/28/hidden.html

As one author wrote on Github:

"onion-expose is a utility that allows one to easily create and control temporary Tor onion services.

onion-expose can be used for any sort of TCP traffic, from simple HTTP to Internet radio to Minecraft to SSH servers. It can also be used to expose individual files and allow you to request them from another computer.

Why not just use ngrok?

ngrok is nice. But it requires everything to go through a central authority (a potential security issue), and imposes artificial restrictions, such as a limit of one TCP tunnel per user. It also doesn't allow you to expose files easily (you have to set it up yourself)."

https://github.com/ethan2-0/onion-expose

As another Github contributor put it:

"With onionpipe, that service doesn't need a public IPv4 or IPv6 ingress. You can publish services with a globally-unique persistent onion address, and share access securely and privately to your own allowlist of authorized keys.

You don't need to rely on, and share your personal data with for-profit services (like Tailscale, ZeroTier, etc.) to get to it."

https://github.com/cmars/onionpipe

https://news.ycombinator.com/item?id=36734956

https://news.ycombinator.com/item?id=30445421

https://news.ycombinator.com/item?id=29929399

"Finally, onion services are private by default, meaning that users must discover these sites organically, rather than with a search engine." [Small websites with small audiences get buried by advertising-supported search engines anyway.]

https://nymity.ch/onion-services/pdf/sec18-onion-services.pd...

https://media.ccc.de/v/31c3_-_6112_-_en_-_saal_2_-_201412301...

https://wiki.termux.com/wiki/Bypassing_NAT (Termux recommends Tor over Ngrok)

https://github.com/ajvb/awesome-tor
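The comment above rests on two properties of onion services: the name is derived from the service's own key (which is why no DNS or commercial intermediary is involved, and why the earlier sub-thread calls v3 addresses "___domain names you control via a private key"), and a small record fetched over that service is enough to bootstrap a direct peer-to-peer connection. The block below is an added example, not code from the commenter or from onion-expose, onionpipe or any other linked project. The address derivation follows the Tor v3 onion-address construction (SHA3-256 over ".onion checksum" || pubkey || version, first two bytes as checksum, version byte 3); the rendezvous record format and the sample key are constructed for this example, and the record is assumed to have been fetched from the peer's onion service by whatever client the reader already uses.

```python
"""v3 onion address derivation/validation and rendezvous-record parsing
(added example; the record format and sample key are constructed)."""
import base64
import hashlib
import ipaddress
from typing import List, Tuple

ONION_V3_VERSION = b"\x03"
ONION_V3_CHECKSUM_PREFIX = b".onion checksum"   # constant from the Tor v3 onion spec


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(ONION_V3_CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """address = base32(pubkey || checksum || version) + ".onion" (56 base32 chars)."""
    if len(pubkey) != 32:
        raise ValueError("an Ed25519 public key is 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_v3(address: str) -> bytes:
    """Return the public key embedded in a v3 onion address, or raise ValueError.

    The checksum catches a mistyped or truncated address before any connection
    is attempted. Because the name *is* the key, a client that later completes
    the onion handshake knows it reached the holder of that key; no name
    lookup, registrar or certificate authority is involved."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion addresses are 56 base32 characters")
    raw = base64.b32decode(host.upper())      # 35 bytes; bad symbols raise ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("unexpected onion address version")
    if checksum != onion_v3_checksum(pubkey):
        raise ValueError("checksum mismatch: address mistyped or corrupted")
    return pubkey


def parse_rendezvous_record(text: str) -> List[Tuple[str, int]]:
    """Parse constructed 'endpoint <ip> <port>' lines published by a peer.

    Returns validated (ip, port) pairs for the caller's own P2P software to
    dial directly (outside Tor). Lines are rejected, not guessed at, when they
    are malformed, name an address that cannot be a remote peer (loopback,
    link-local, unspecified), or carry an out-of-range port."""
    endpoints: List[Tuple[str, int]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "endpoint":
            raise ValueError(f"line {lineno}: malformed record")
        ip = ipaddress.ip_address(parts[1])        # raises ValueError on junk
        port = int(parts[2])
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            raise ValueError(f"line {lineno}: {ip} cannot be a remote peer")
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        endpoints.append((str(ip), port))
    return endpoints


# Constructed sample: a fixed 32-byte "public key" (any 32 bytes encode the same
# way; a real service would use its Ed25519 identity key) and a record that a
# peer would serve from its onion service.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_RECORD = """# constructed rendezvous record served over the peer's onion service
endpoint 203.0.113.7 51413
endpoint 2001:db8::1 51413
"""

if __name__ == "__main__":
    addr = onion_v3_address(SAMPLE_PUBKEY)
    print(addr)
    print(pubkey_from_onion_v3(addr) == SAMPLE_PUBKEY)
    print(parse_rendezvous_record(SAMPLE_RECORD))
```

Usage note: the 56-character address always ends in "d" because the version byte 3 occupies its last five bits; a pasted address that does not is wrong before any checksum is computed. Whether to accept documentation-range or private addresses in the record is left to the caller's policy, which is why the parser only rejects addresses that can never be a remote peer.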


great
