If you are running an onion service but don't need to hide the server IP, like you do if you also provide clearnet access to the same server, you should enable single hop mode [0] to reduce the load on the Tor network and also speed up the connections. This way your server directly connects the introduction and rendezvous points while the client still stays anonymous with a 3 hop circuit.
For my understanding, usually establishing a connection with a hidden service involves two separate Tor circuits: one circuit for the visitor, but another full circuit for the hidden service.
This “Non Anonymous Mode” effectively omits the second circuit, and allows relays to connect directly to the hidden service’s IP address, thus significantly improving latency and reducing the strain on the Tor network?
I'm using Tor to access my local network services through hidden services. Since I don't need to hide my IP address I'm going to follow your advice gratefully. Didn't know that's possible.
Tor is not anonymous just like VPN's are not anonymous when you have 5eyes oversight of the network. Its like watching trucks navigating around the road network, you can see the junctions they take and you can see where they start and end, but you cant see the contents of the truck.
The Road network and internet have an awful lot in common!
> Using onion services mitigates attacks that can be executed by possibly-malicious “Tor Exit Nodes” — which, though rare, are not nonexistent
Is there any evidence that the majority of exit nodes aren't malicious? There's only 300 or so in the US, 300 or so in Germany, and in other countries even less. What would it take for three letter agencies to compromise most of it?
I mean, suppose all of the existing nodes weren't malicious. Could a government agency plausibly run 1000 exit nodes in a way that doesn't give away they are government-run? This would make the majority of exit nodes malicious.
Effectively they set up a honeypot and used clear text passwords to log in, and plenty of exit nodes picked up on this and those credentials were later used to (attempt to) log in into the honeypot.
There were slides in the Snowden leaks where it laid out the NSA's strategy for dealing with TOR and compromising exit nodes was a big part of it. They have had the last 10 years to work on it; one might expect they had results.
The behaviour of not always using the same exit means that you, over time, will almost assuredly use a malicious exit should more than zero exist. It's reckless to suggest that anybody should be using this system, your situation is almost always going to be worse than not.
Even if every exit node in the US is operated by private people or organizations, courts can compel the node owners to work with the government and not talk about it.
It is possible to advertise your .onion address and offer automatic redirect to it for Tor Browser users using the "Onion-Location" HTTP header. Example with my personal home page:
It would be interesting to try to see if the Tor Browser has a TOFU policy and warn its user if the onion address change after they visited the site once.
If it is the case then you combine the ease of access of typing a normal domain name and the Onion security through an HSTS equivalent mechanism.
Is there some sort of attack possible here where you could hand out unique onion addresses to each visitor, so when they connect with Tor you could fingerprint their Tor connection and match it to their cleartext connection? *takes off his black hat*
I think the avoiding exit nodes part is probably the most important to me. Exit nodes have always been problematic - from memory about 20% of relays have an exit flag but most of the traffic is directed to the most performant relays. Tor actively discourages using the network for file sharing because of the exit node bottleneck.
I think there are probably some uses of the Tor network that aren't fully realised yet - file sharing (something similar to I2P) which avoids the exit node using onion addressing and chat applications (like Briar which uses onion addresses, or Secure Scuttlebutt).
As for web traffic, it is nice to offer an onion address. I wonder if websites could offer an "upgrade" to onion addresses, similar to how IPFS does?
I think some comments here are misunderstanding the intent of the
article. For those saying TLS already solves... it is not advocating
Tor as a replacement for transport layer security, indeed most Tor
users also use TLS (and site certs) with little overhead.
No, the article is asking how you could, as a website owner, make
things easier on Tor users and yourself! It starts with the assumption
that you care, and want to help users who require better privacy.
It answers, though not in detail, the many HN readers who invariably
post replies concerning Tor that "All my abuse comes through Tor".
Creating an .onion address mitigates that significantly.
I'm not clear from the article how having an onion address helps website operators who receive abusive traffic through Tor. Perhaps some of that abusive traffic will come in via the onion address instead, but presumably such an operator will want to continue serving their regular site to Tor exit nodes as well, so I don't see how it would actually mitigate anything, nor make the malicious traffic easier to segregate from valid traffic over Tor. What am I missing?
> The first benefits are authenticity and availability: if you are running Tor Browser and if you click/type in exactly the proper Onion address, you are guaranteed to be connected to what you expect — or not at all.
What? Writing raw onion addresses is like writing raw IPv6 addresses. Nobody can remember then and check them.
> you are guaranteed to be connected to what you expect — or not at all.
Exactly the same guarantees are also achieved by putting your clearnet address on HSTS Preload lists, or by writing https:// in front of the url on the users side.
I think the only legit reason (assuming your clearnet site is using HSTS) is that .onion site reduces the risks of users screwing up. And i suppose better performance if you don't have to use exit bandwidth (i would guess, dont actually know)
Users are bad at security. If they fail to set up tor, .onion links don't work, so it acts as a barrier against users shooting themselves in the foot.
> This is counterbalanced by higher phishing risks
I would argue that this is the much bigger footgun for users. Just look at how much money darknet users are losing to the big industry of .onion phishing pages.
> https://hstspreload.org/ offers the same benefits. You are guaranteed to be connected to what you expect - or not at all.
TLS/HSTS is still subject to CA attacks, e.g. diginotar.
CA/X.509 is a complex stack too.
> TLS mitigates attacks that can be executed by malicious exit nodes (or WiFi networks, or ISPs), that is the whole purpose of TLS.
A malicious exit node could refuse to serve some websites. This seems a minor risk though.
Reducing load on exit nodes is a technical benefit that's in that blog post.
Another benefit to using Tor onion services for large sites is that the Tor circuit ID can be used as an additional key in an IP rate limit cache. This helps block Tor bots (on the basis that establishing a Tor circuit is expensive).
Most of the technical points listed here are pretty much entirely mitigated by TLS. Exit nodes can of course deny access to specific sites, but hidden services suffer from comparable (or worse) issues.
There are no other practical attacks that malicious exit nodes could execute against sites using TLS and HSTS preload lists. If you’re a website administrator, fixing those things should be your priority before implementing onion addresses.
Onion addresses also come with slight drawbacks. They’re difficult for users and more vulnerable to phishing. Hidden services are also extremely vulnerable to CPU-based DoS attacks.
It's much harder to deanonymize people who are connecting to hidden services because they don't have to use exit relays which are often illegal to run.
[+] [-] bauruine|4 years ago|reply
[0]: Search for HiddenServiceSingleHopMode on https://2019.www.torproject.org/docs/tor-manual.html.en or just use the following config options
SOCKSPort 0
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
[+] [-] stingraycharles|4 years ago|reply
This “Non Anonymous Mode” effectively omits the second circuit, and allows relays to connect directly to the hidden service’s IP address, thus significantly improving latency and reducing the strain on the Tor network?
[+] [-] ycuser2|4 years ago|reply
[+] [-] danuker|4 years ago|reply
[+] [-] Terry_Roll|4 years ago|reply
The Road network and internet have an awful lot in common!
[+] [-] brnt|4 years ago|reply
[+] [-] nextaccountic|4 years ago|reply
Is there any evidence that the majority of exit nodes aren't malicious? There's only 300 or so in the US, 300 or so in Germany, and in other countries even less. What would it take for three letter agencies to compromise most of it?
I mean, suppose all of the existing nodes weren't malicious. Could a government agency plausibly run 1000 exit nodes in a way that doesn't give away they are government-run? This would make the majority of exit nodes malicious.
[+] [-] stingraycharles|4 years ago|reply
Here’s research conducted years ago about this matter: https://www.vice.com/en/article/mgbdwv/badonion-honeypot-mal...
Effectively they set up a honeypot and used clear text passwords to log in, and plenty of exit nodes picked up on this and those credentials were later used to (attempt to) log in into the honeypot.
[+] [-] Stevvo|4 years ago|reply
[+] [-] RL_Quine|4 years ago|reply
[+] [-] heavyset_go|4 years ago|reply
[+] [-] idontwantthis|4 years ago|reply
[+] [-] bawolff|4 years ago|reply
[+] [-] p4bl0|4 years ago|reply
If it is the case then you combine the ease of access of typing a normal domain name and the Onion security through an HSTS equivalent mechanism.
[+] [-] kingcharles|4 years ago|reply
[+] [-] linuxandrew|4 years ago|reply
I think there are probably some uses of the Tor network that aren't fully realised yet - file sharing (something similar to I2P) which avoids the exit node using onion addressing and chat applications (like Briar which uses onion addresses, or Secure Scuttlebutt).
As for web traffic, it is nice to offer an onion address. I wonder if websites could offer an "upgrade" to onion addresses, similar to how IPFS does?
[+] [-] bauruine|4 years ago|reply
[0]: https://community.torproject.org/onion-services/advanced/oni...
[+] [-] Asan1|4 years ago|reply
Exit capacity as a significant bottleneck has not been a realistic issue for many years.
[+] [-] nonrandomstring|4 years ago|reply
No, the article is asking how you could, as a website owner, make things easier on Tor users and yourself! It starts with the assumption that you care, and want to help users who require better privacy.
It answers, though not in detail, the many HN readers who invariably post replies concerning Tor that "All my abuse comes through Tor".
Creating an .onion address mitigates that significantly.
[+] [-] tempestn|4 years ago|reply
[+] [-] noname120|4 years ago|reply
From Wikipedia:
> Addresses in the onion TLD are […] automatically generated based on a public key when an onion service is configured.
> 256-bit ed25519 public key along with a version number and a checksum of the key and version number
That's all you need to know.
[+] [-] shp0ngle|4 years ago|reply
What? Writing raw onion addresses is like writing raw IPv6 addresses. Nobody can remember then and check them.
What is easier
> https://nytimes.com
or
> ej3kv4ebuugcmuwxctx5ic7zxh73rnxt42soi3tdneu2c2em55thufqd.onion
[+] [-] nsotelo|4 years ago|reply
0: https://community.torproject.org/onion-services/advanced/oni...
[+] [-] rosndo|4 years ago|reply
Exactly the same guarantees are also achieved by putting your clearnet address on HSTS Preload lists, or by writing https:// in front of the url on the users side.
[+] [-] shaky-carrousel|4 years ago|reply
[+] [-] Sami_Lehtinen|4 years ago|reply
Actually this is not true. Tor runs as SOCKS5 proxy, and you can use any browser or application with it.
[+] [-] bawolff|4 years ago|reply
Users are bad at security. If they fail to set up tor, .onion links don't work, so it acts as a barrier against users shooting themselves in the foot.
This is counterbalanced by higher phishing risks.
[+] [-] rosndo|4 years ago|reply
I would argue that this is the much bigger footgun for users. Just look at how much money darknet users are losing to the big industry of .onion phishing pages.
[+] [-] moltke|4 years ago|reply
[+] [-] JulianMorrison|4 years ago|reply
[+] [-] djdjfhsje33edh|4 years ago|reply
[+] [-] badrabbit|4 years ago|reply
[+] [-] Tepix|4 years ago|reply
[+] [-] Asan1|4 years ago|reply
[deleted]
[+] [-] hpcoke|4 years ago|reply
TLS/HSTS is still subject to CA attacks, e.g. diginotar.
CA/X.509 is a complex stack too.
> TLS mitigates attacks that can be executed by malicious exit nodes (or WiFi networks, or ISPs), that is the whole purpose of TLS.
A malicious exit node could refuse to serve some websites. This seems a minor risk though.
Reducing load on exit nodes is a technical benefit that's in that blog post.
Another benefit to using Tor onion services for large sites is that the Tor circuit ID can be used as an additional key in an IP rate limit cache. This helps block Tor bots (on the basis that establishing a Tor circuit is expensive).
[+] [-] rosndo|4 years ago|reply
There are no other practical attacks that malicious exit nodes could execute against sites using TLS and HSTS preload lists. If you’re a website administrator, fixing those things should be your priority before implementing onion addresses.
Onion addresses also come with slight drawbacks. They’re difficult for users and more vulnerable to phishing. Hidden services are also extremely vulnerable to CPU-based DoS attacks.
[+] [-] egberts1|4 years ago|reply
We all should know how infrequent this TLS Client mode get evoked, right, right? Yeah, righto.
[+] [-] moltke|4 years ago|reply