Crowdfunding the Future (of Hidden Services)

Hidden Services have received a lot of attention in 2015, and Tor is at the center of this conversation. Hidden Services are a Tor technology that allows users to connect to services (blogs, chats, and many other things) with neither the user nor the site giving up identifying information.

In fact, anything you can build on the internet, you can build on hidden services. But they're better--they give users things that normal networking doesn't authentication and confidentiality are built in; anonymity is built in. An internet based on hidden services would be an internet with Tor built in--a feature that users could take for granted. Think of what this might mean to millions of users in countries like China, Iran, or the UK. Yet currently, only about 4% of Tor's traffic comes from hidden services.

So we at Tor have been considering how we might meet the challenge of making them more widely available. In this post, we will briefly discuss the role of hidden services before we explore the idea of using crowdfunding to pay for bold, long-term tech initiatives that will begin to fulfill the promise of this technology.

Hidden Services are a critical part of Tor's ecosystem

Hidden Services provide a means for Tor users to create sites and services that are accessible exclusively within the Tor network, with privacy and security features that make them useful and appealing for a wide variety of applications.

For example, hidden services are currently used by activists and journalists to publish blogs--in anonymity and free from retaliation. They are used by NGOs to securely receive information on government corruption and injustice from concerned citizens. Newspapers such as the Washington Post, and human rights groups such as Amnesty International use them to receive leaked information. They are used by people looking for the latest cat facts, companies that want to secure the path of their clients or by people chatting securely and anonymously -- including at-risk journalists talking to sources.

In addition, developers use hidden services as a building block to incorporate Tor's security and anonymity features into totally separate products. The potential of hidden services is huge, and much of it is yet to be explored.

Next Steps for Hidden Services

We want to make this technology available to the wider public as these services will play a key role in the future of secure communications. This means that we must increase the uses for hidden services, bring them to mobile platforms for anonymous mobile apps, and vastly increase the number of people who use them.

Since our goal is wider use, it is imperative that we build them to be more secure, easier to set up, better performing, and more usable. Clearly, the questions that we answer in early deployment efforts will inform how we answer the deeper questions pertaining to massive worldwide deployment.

We must engage a large number of people to bring hidden services to the next level. Until now, hidden services development largely relied on the volunteer work of developers in their spare time. This will not be sufficient if we are to make the leap to transformative hidden services.

We are currently evaluating funding strategies that will support our Hidden Service initiatives in the short-, intermediate- and long-term. In order to fit the requirements more conservative large funders have, so we can fully sponsor the Next Generation Hidden Services, we must put preliminary pieces in place. And for that we will reach out to crowdfunding. To do this right, we need your feedback.

Why Crowdfunding?

Crowdfunding allows us to engage the broader community in grasping the opportunity that this new technology promises. We are confident that we can deliver significant advancements in the hidden services field in the short-term, and that many small donors who understand their context will be eager to contribute. We intend to begin by prioritizing the improvement of the security, usability, and performance of the current hidden services system.

Further, we want to make sure we support the efforts of community projects and that the community is participating in shaping the evolution of hidden services. For example, it would be important to assist and improve the Tor integration of projects such as SecureDrop, Pond, Ahmia and Ricochet. We are in the unique position to be able to shape the Tor protocol to make these projects easier to use and better performing, and we would like to identify ways to promote broader deployment of these projects.

Identifying, prioritizing and meeting future challenges will require engagement throughout the greater community. For instance, as changes and enhancements are introduced, we hope to speak with the best bug hunters, cryptographers and privacy experts and ask them to audit our code and designs. Non-technical users could help us evaluate the usability of our improvements.

For this crowdfunding campaign we have identified a few possible ideas-- but the point of this post is to ask you for yours. Here are three projects that we have come up with so far:

  • Information Panel for Hidden Service Operators

  • An application that Hidden Service operators could use to learn more about the activity of their Hidden Service. The operator would have access to information on user activity, security information, etc., and will receive important system-generated updates, including log messages


  • Fast-but-not-hidden services

  • A way to set up public hidden services with improved performance but reduced server-side anonymity. Basically, hidden services that don't care about anonymity but still want to protect their clients with Tor's cryptography and anonymity, will be able to run faster since they don't need to protect their own anonymity. This is an optional feature that suits the needs of large sites like Facebook and reddit, and will make their hidden services faster while also reducing the traffic they cause to the network. Also by optimizing for performance in this specialized feature, we can optimize for security even more in the default hidden services configuration.


  • Next Generation Hidden Services

  • Tor has been at the center of hidden services from the beginning. We have big lists of changes we need to do to the Tor protocol to increase the security of hidden services against cryptanalysis, DoS and deanonymization attacks. We also want to improve guard security, allow operators to store their cryptographic keys offline and enable scaling of hidden services to new levels. This is a big project but we hope to start crunching through it as part of this crowdfunding campaign.


    Your Idea for Hidden Services?

    Long story short, we are looking for feedback!

  • What hidden services projects would you like to see us crowdfund?

  • How do you use hidden services; what makes them important to you? How you want to see them evolve?

  • We'd love to hear your ideas on picking crowdfunding rewards and stretch goals.
    Also, we are curious about which crowdfunding platforms you prefer and why.

  • Feel free to use the comments of this blog, or contact us directly at tor-assistants@torproject.org. Also see our wiki page with more information!

    In the following weeks, we will update you on our progress, incorporating feedback we receive from the community. We hope to make this process as transparent and public as possible!

    Thanks!

    EDIT: The "Unhidden Services" paragraph was expanded and changed to "Fast-but-not-hidden Services". The previous name was too scary and the description not sufficient to show the potential of the project. Please send us better names for this feature!

    Comment viewing options

    Select your preferred way to display the comments and click "Save settings" to activate your changes.

    Please consider using lighthouse (https://www.vinumeris.com/lighthouse) for crowdfunding.

    Crowdfund on Counterparty!
    http://counterparty.io

    'unhidden services' sounds like a bad idea, and would open the door to network/ traffic analysis, especially for real-time services like interactive chatting, VoIP, and video conferencing.

    This is the same thing the NSA does today by collecting all call-detail-records from all telcos -- analyzing the connections across the network to infer relationships between individuals.

    We meant services like Facebook or reddit, who don't care to hide their servers, but they would still like to offer high security to their clients. If Reddit had an unhidden service, it could ensure that clients who reach the Activism subreddit are always protected by Tor (and hence they are anonymous, and have server authentication without relying on SSL CAs).

    I'm not sure how that would open the door to further network/traffic analysis. Please expand further?

    I dont really see this happening the unhidden services. These site block tor for a reason and allowing users to use tor wouldn't it just create spam and people to post Child porn and other illegal things?

    Child porn is just your government's way of telling it is good to look at your business and see if someone put stuff on your machine that violates their laws and arrest you if true. This makes child porn a way to violate all the laws restraining your government from prying into your business and framing its citizens for "crimes" against humanity (called PORN) while ignoring their own.

    Their solution is more obscene and kills more children than the problem they purport to solve by removing your freedoms to prevent you from viewing porn.

    If you wish to really impact children's lives I suggest you campaign against slave child labour in products like chocolate, sugar, coffee and the like sourced from countries like the Ivory Coast or simply not purchase these where not ethically sourced.

    Porn is an easy 'take down' but usually involves repression of everyone's Rights, Liberties ETC. These types of regimes are usually so corrupt that child sex slavery including porn becomes rampant.

    Personally, I preferred the older "G" rated tele with enforced standards and clean messages. It seems to be something that we may never go back to again. Tragic.

    Anyway, freedom from Big Brother is the reason many choose to keep their lives free from observation, even if they have "nothing to hide" as I tend to think to be my own case.

    To answer your question directly: Yes some perhaps many pedophiles will hide behind TOR. I hope TOR PREVAILS OVER BIG BROTHER, EVERY TIME!
    With drugs science has proven that the attempt to ban drugs has the paradoxical effect of greatly increasing usage. I am sure that this is likely true of photo pedophilia as well.

    Neither Reddit nor Facebook block Tor.

    Facebook has even their hidden service

    https://www.facebookcorewwwi.onion/?_rdr

    The article is really not clear on the distinction between anonymity of the operator and anonymity for the end user. EG under "fast but not hidden services" - "hidden services that don't care about anonymity but still want to protect their clients with Tor's cryptography and anonymity" is confusing.

    I think anything that would benefit Facebook or reddit should be paid for by a fund that they contribute to. I'd rather not have my hard earned donation money go toward helping those companies.

    "What hidden services projects would you like to see us crowdfund?"

    Simple: the make-hidden-services-work-stable-again-project. Fix the DDoS-is-possible-by-design-issue that took many onion sites down a few days ago. That has to be top-priority!

    More and more hidden services attacked. :(

    Mine hasn't been attacked yet, and I have made a lot of enemies.. I guess its a matter a time before it happens.

    Yes, we are hoping that this campaign will allow us to put serious work on making hidden services more stable and secure.

    We are also looking into the recent reported DDoS attacks, for more short-term fixes.

    Please add "status INVALID drop" system to Tor routing.

    Attacker: Hey Tor! Connect to xxx.onion 100/secounds!
    Tor: Error: "Potential DDoS detected. Ignoring request."

    @asn

    You said: "Hidden Services have received a lot of attention in 2015".

    Why 2015? Didn't you mean 2014? 2015 has just begun...

    You said: "users in countries like China, Iran, or the UK"

    YMMD. That combination is funny. Indeed, the UK isn't far away from the top tier Internet enemies anymore...

    Unhidden services? I'm sorry, but I won't help fund a project to weaken the anonymity of hidden services.

    We updated that paragraph to make it clearer what that feature is about. It's an optional feature that hidden services have to enable explicitly, and it's only suited for hidden services like Facebook or reddit who don't care about anonymity.

    While those services might not care about their own anonymity, they care about the anonymity of their clients and that's preserved with that feature. Please let us know if you have more questions about this feature and how we can make it clearer.

    I am very interested in seeing Hidden Services developed as a replacement for SSL. The Certifying Authority system for SSL is both a significant barrier to use (i.e. needing to pay and/or meet certain requirements for cert issuing) and ironically a security problem (compromise of any one of hundreds of CA's can break the entire system).

    While higher-performance hidden services would help towards this goal, the main issues I'm, personally, most immediately concerned about are availability (i.e. being able to host a single service on multiple machines with some kind of failover) and security (i.e. using more than 80 bits of an antiquated RSA key as the means of authenticating the server).

    Yeah, this is a good point. Given how much issues there have been with CAs over the years, and how the model is fundamentally not secure, this seems like a potential big win for tor.

    That's really a separate problem: tying keys to names. You might want to do that with or without Tor.

    But I do agree that it would be nice to have Tor do it in a generally useful way. Maybe Tor could adopt one of the decentralized naming schemes that get proposed periodically, or create a system that was also useful outside the Tor network. People propose things like that from time to time, but there's no critical mass behind them. Tor could help, especially if other projects could be gotten on board as well.

    There've been several proposals to add a DNS TLD where the next level names were just key hashes, similar to .onion addresses. That's the decentralized-secure edge of Zooko's triangle for global naming systems. The DNS servers for such a zone could even just be front ends to a DHT... and something like Tor could go around DNS entirely, and find data in something like the existing hidden service lookup system, or directly in the same DHT that also served DNS.

    You could imagine a future world where a TLS layer knew to check the peer's key directly in the name, or where the DNS layer knew to check DNSSEC keys (and thence DANE and thereby TLS keys) against that name.

    There are also decentralized FCFS systems like Namecoin that are a little hard to put on the perimeter of the triangle; they sort of trade off human meaningfulness against strong assurance that the "Joe" you're talking to is really the one that everybody else calls "Joe".

    Or I guess you could just punt to local nicknames like I2P... but I2P's names aren't so "local" or decentralized in practice...

    I actually really like tor's naming system as it is right now. It's currently the only decentralized-secure naming system at the moment that I'm aware of for general low-latency use, such as web hosting or running an SSH server; others like bitcoin, bitmessage, and PGP are more specialized. I wouldn't be against adding another naming system as an overlay, but I'd really like to leave the existing decentralized-secure option in place.

    It might not be bad to offer an option to clients to choose from a few different levels of security. For instance, onion addresses could be expanded to 32 characters (160 bits), but only the first 16 would be required; a truncated address would just be compared against the equivalent number of characters from the "real" address. To do this, the 80-bit prefix would be still be the way that onion services are identified, but the client could do additional validation based on the longer address after the circuit is established.

    It would also be nice, if we lengthen the service addresses to accomodate more security, to allow hyphens or some other divider character in the name that will be ignored. This would allow names to be more memorable, even in their current form. These characters should probably be stripped off in the TBB from any Host: headers, at least, to resist using them as a client fingerprinting side-channel. There is precendent for this sort of thing: gmail ignores periods (.) in the "username" portion of its email addresses.

    One of the tricks I use to make a decentralized-secure address a little more human-memorable is using a vanity address generator like shallot. Specifically, rather than just choose a name prefix (leaving users to painstakingly memorize the suffix), the regex I use is a global heuristic to try to make the address into a pronounceable "nonsense word" for speakers of a particular language (English, in my case). Depending on how your memory works (i.e. "visual" thinkers vs. "auditory" ones), these may be easier to memorize.

    I've opened https://trac.torproject.org/projects/tor/ticket/15622 for your paragraph 3 idea.

    A hidden service aimed at cyber dissidents would be interesting. But I am not sure what features would really be useful. What do cyber dissidents need? I guess, a way to get their message out safely and securely.

    What I know, which is not very much, is that wordpress over tor is the recommended way to publish anonymously online. Putting a blog on a hidden service itself is not useful since so few people would actually be able to read it... Similarly I suppose if someone has a message to get out, they would probably want to be active on social media, FB, twitter etc. They would use tor to protect their identity but publish their message publicly.

    So what would be useful for this? All those tools are usable through tor, but we still have the usual pattern of life, and traffic correlation problems. Particularly in small countries with government owned ISPs, sending lots of packets out over tor at the same time that dissident X is posting to facebook is dangerous. A Bharaini dissident who always posts at certain hours of the day may also be determined to be an exile living overseas in timezone Y based on when they post.

    This got me thinking about tools that can solve pattern of live and traffic correlation. There are social media tools like hootsuite (works over tor) which let you post asycnronously and on a delayed schedule. But this is only a partial solution for cyber dissidents. The traffic going to hootsuite over the clear net is presumably still vulnerable to traffic correlation for example. Using it to compose and publish blog posts for wordpress is hard / impossible based on a few small experiments that I did.

    So what I think would be nice is a hidden service with some basic functionality like hootsuite - posting to twitter, wordpress, facebook etc, from a hidden service on schedule or with delays built in. If tor people can convince hootsuite to run a basic hidden service themselves then great. Otherwise someone might like to build one. Facebook as a hidden service is an obvious nod to the usefulness of this. Whether or not twitter, wordpress etc would like to recieve API calls from a hidden service is a potential issue, but since people can use their services over tor, perhaps not. (I know there have been some reports about tor users being blocked from registering for twitter without a phone number but my own testing indicates that this is false).

    Just some thoughts
    -not a cyber dissident

    Hidden Service made easy in default Tor Browser for all platforms would be quite useful! Provide share a specific folder as simple file share over onion to more complex auto-port mappings to local and LAN resources.

    I would also like to see ORCHID v2 style IPv6 tun style access via onions. An entity identifier overlay like ORCHID would also ease a transition from current hidden service key lengths to newer schemes by providing consistent network semantics to users and applications.

    Obviously, many devils in these details; the above would greatly soothe my druthers :P

    A great security problem is that private key must be on machine where hidden service is running. Would be nice if this was fixed without having to port forward. Each client could be assigned a guid and hidden service operator could sign the hidden service packet and allow this guid to receive data from its hidden service address.

    We have plans for keeping crypto keys offline on hidden services. See:
    https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n465

    We would also like to integrate projects like SoftHSM to Tor, so that people can keep their keys in hardware security models if they so wish.

    These days police agencies and domestic intelligence agencies all over the world are increasingly functioning as

    * state-sponsored thugs who intimidate and harass peaceful protest groups
    * state-sponsored cyberthieves who steal money and data
    * state-sponsored assassins who simply kill people like us

    John Locke and other writers hallowed in the tradition of enlightenment moral philosophy on which "Western" legal traditions are based would advise us, under such conditions, to use any means necessary to defend ourselves against such lethal enemies. I am not yet prepared to go quite as far as Locke was, but I certainly think all dissidents urgently need various defensive tools, by which term I mean to include

    * knowledge
    * techniques
    * software
    * hardware

    > What do cyber dissidents need? I guess, a way to get their message out safely and securely.

    And many more "specialist items", such as

    * tools to detect possible IMSI catchers in use
    * tools to detect possible attacks on WiFi networks (e.g. replay attacks, attacks gathering ivs for offline cryptanalysis)
    * tools leveraging COTS items to detect suspicious RF transmissions (see the ANT catalog for how NSA uses of retro-reflectors) and other evidence of buggery
    * tools to provide defenses against stylometry
    * more and better stenographic tools (for example, modify the brush pass so that two people on a commuter train can unobtrusively pass a deniable encrypted message using their smart phones, without saying a word, perhaps using existing NFC capabilities)
    * cheap reliable clandestine GPS bugs activists can attach to the undercarriage of police surveillance vehicles; they track us, why shouldn't we track back?)
    * tools to detect (and maybe to disable/hijack) surveillance drones; this could include a project as "simple" as the equivalent of a bird guide for visual observation
    * tools to detect WiFi mesh nodes being used to inventory all WiFi capable devices in urban areas
    * tutorials on defensive measures against various threats
    * tutorials on counter-surveillance in the 21st century
    * advice from psychologists on detecting and resisting techniques used by GCHQ to "disrupt" the social functioning of dissident groups
    * the same, for techniques used by trained infiltrators (beyond such obvious things as: don't go out drinking with other activists)
    * the same, for foiling "predictive analysis" behavioral modeling (US agencies run supercomputer models including every person in entire countries, plus their interactions with government, NSA, and economic forces, in order to decide who to harass/arrest/kidnap/kill).

    Plus items we all need, such as

    * more secure COTS routers, printers
    * upgradeable cryptographically signed firmware for Linux
    * more and better encryption (alternatives to AES vital in case we learn that NSA has cracked AES by exploiting its unique algebraic structure; see Bruce Schneier's comments)
    * more and better Tor
    * more Tails for smart phones
    * more secure DNS, TLS
    * more intensive and extensive auditing of privacy/anonymity tools
    * more and better theory relevant to anonymity

    Specifically hidden service related ideas:

    * hidden services acting as honeypots for agencies tasked with infiltrating dissident groups, implemented with the specific aim of capturing "watering hole" type malware planted by global intelligence agencies like FBI, with the intent of passing samples to groups like Citizen Lab for reverse engineering and publication

    * hidden services masquerading as fun websites where people exchange innocuous computer art (unique and metadataless so our enemies have nothing to compare with) which contain short steganographic messages

    * lots and lots of truly innocuous websites briefly put up as hidden services, to make a point and also to make things harder for global intelligence agencies seeking to hack all the worlds hidden services

    * tools allowing people to temporarily create hidden services to share info with a very small number of persons who each receive a share of a secret (via Shamir's secret sharing scheme based on polynomials for example)

    * hidden services offering current Tor and citizen cryptography to people who have an older version and want to get the latest, for dissidents who live in nations where Tor and unbackdoored crypto is effectively illegal; Tor users need to prepare now for how to obtain these items essential for life in case they become illegal where they live.

    Please note that France, UK, USA are all very close to joining Belarus as nations where Tor and unbackdoored crypto is effectively outlawed. (See for example proposed changes to Rule 41(b) of the Federal Code of Criminal Procedure in the US, which will explicitly allow FBI to hack into any computer anywhere in the world, unless the US Congress takes action to stop it.)

    Police and intelligence agencies all over the world are treating all of us like terrorists or spies. Please note that just because you live in Brazil (say) does not mean that US agencies are not spying on you at every turn. So it is all of them against all of us.

    It seems reasonable, in the spirit of John Locke, to conclude that such treatment forces us all to damn well behave like (genuine) highly trained professional espionage agents. When everyone behaves like a trained espionage agent (in terms of evasion, deception, and communication techniques, not in terms of violent acts), the surveillance state will collapse under its own weight. Only then will governments acknowledge the painful necessity of seeking political solutions, rather than simply "managing" dissidents by spying, stealing, harassing, and killing them.

    A good historical perspective on the global nature of the epic struggle between the forces of freedom and the forces of oppression in which we are all immersed (whether we choose to acknowledge this or not): Jay Winik, The Great Upheaval, Harper, 2007.

    When every state has gone "rogue", it is the duty of every citizen to rebel against the state.

    The sad irony is that we rebels actually believe in the Rule of Law and in the notion of government of the People, by the People, for the People.

    Dr. Franklin, Col. Washington, and others wouldn't give the time of day to anyone who talked rebellion in 1770. By 1775 their minds had been changed, by the foul and foolish actions of the "legal" government in America. Jay Winik's book is well worth reading.

    I'm still thinking about a YouTube/Twitch clone that can't be taken down as a HiddenService.. Preferable with P2P load balancing(once WebRTC works without leaking) and short lived automatic 48h take down to avoid legal trouble (*but with the HTML5 download/save option intact).

    The idea would be to make any video available to anyone, regardless of the political situation/censors and integrate it with Android to upload/steam live Video without immediately reveling the source(*keep in mind: if they film you they can always see your camera or triangulate your filming position later, they are only limited by not censoring you).

    However there are still so many technical obstacles in the way of this, last time i checked, that just i guess just doing some more research and fixing WebRTC through Tor would be enough for now.

    It's really great you guys are improving the hidden services. I think it would also be really great to try to get rid of the directory authorities. They make the Tor network too centralized.

    How about this? Adblock competitor. Not a "hidden" service, but it's my favorite.

    http://ny44ts3j7jkd5gqf.onion:1223/data/proj/sw/adblock.html

    (You can find it by searching "Easylist NoMercy")

    You require javascript to view the page? Seriously?

    Besides the fact that running a hs is not really secure at the moment, it even is not stable (https://trac.torproject.org/projects/tor/ticket/8864)

    Another very important subject was not mentioned yet: even if hs will be secure and stable - what will run securely ON it? We stay with good old HTML and maybe dare to use some PHP? I am thinking here not only about the well known risks like using Java platforms or JS and its countless frameworks, but also about the serious concerns regarding HTML5 and other new standards and protocols. In my opinion securing hs is only a solution for half of the problem, to protect the hs visitor remains a huge challenge.

    Since more than three years I am testing various tor based solutions in order to find a reliable hs platform, together with some open source site packages on it that offer still some acceptable usability with JS turned off - the available choice goes down to close to zero.

    To bring up hs to a secure level is an urgent task and an absolute must. Tor may not become just a network fore safe communication - it has to become also a platform for safe publication of information and access to it.

    3 words-

    Distributed. Hidden. Services.

    Think OpenBazaar but builtin to Tor. Relays could have a data-store element that much like freenet that allows a service operator to offload processing and storage to relay operators who opted-in. This would in effect completely take the crosshairs and bottlenecks off a single server and move it across the network, albiet perhaps with a slight delay. Given that any info a relay would hold would be encrypted to prevent tampering a service operator could safely store any info across the network, and as its distributed things like ddosing and relays going offline would not bring a service to its knees as we are seeing now.

    +1

    Im reading in these comments the idea of distributed hidden services being brought up, however the larger implications of "how" this would realistically work given the limited resources of Tor must be considered. Granted by and large relay operators pay for both bandwidth and storage space as part of the package deal that comes with renting a server but only use the bandwidth element as there is no storage consumption with Tor currently, the potential storage capacity of a Tor-relay datastore is immense, but how would this work?

    Lets say we adopt freenets model, where there needs to be some redundancy to ensure data is not loss should relays go down. This now sets the total storage capacity from 1-50% of the total storage on hand at any one moment depending on the level of redundancy mandated by the network, this already limits the network greatly.

    An attacker wants to knock a large hidden service offline, or at the very least cause dataloss. They proceed to ddos the network not with connection attempts to the hidden service as with traditional ddos, but instead to setup their own hidden service and fill it up with junk data that would in turn flood the network of redunant relays knocking everything else into the trash bin. Stop me here if freenet has already found a solution to this, im sure they have but lets say their solution doesnt work for Tor (freenet is horrendously slow for a reason...)

    Perhaps a wholly distributed model isnt the best approach for a low-latency network. A better approach would be a "money-where-your-mouth-is" model, whereby a HS would still operate as a singular server, whose datastore would be in turn mirrored by various relays that would in turn syncronize with the server based on most frequently accessed data. So in this way a HS could be "distributed" in its ability to field requests for data while remaining centralized so that there would be no chance of dataloss or loss of service due to a reliance on the network itself.

    This would in effect act like a temporary distributed datastore, whereby relays would mirror and serve an HS's data by frequency of requests, dataload, in effect popularity. The bigger question however is how exactly is a relay supposed to know a request is destined for a HS given the design of Tor? Could the HS itself forward its excess requests to a relay who would be handling mirros of its most recently requested data? Could this be done in a way that keeps the traffic encrypted so as to ensure its integrity? Does this solve the problems of a HS being DDOS'd (that is its ability to handle a number of requests) or just the issue of it hitting its bandwidth cap?

    Useful thoughts.

    Mixing low latency with high latency anonymity is something that we've also been looking into. We understand that low latency anonymity has certain limits and we are curious to see if we can also offer higher latency options to users who are interested in more advanced security models. It would be interesting to explore such avenues through crowdfunding, but I'm afraid that the topic is too researchy to be crowdpleasing

    I invite you to expand on your thoughts in the [tor-dev] mailing list:
    https://lists.torproject.org/pipermail/tor-dev/
    Analysis on how we can use the models of freenet or mixnets in Tor would be very interesting.

    I'm interested in using hidden services to hide my metadata. Specifically, I want a easy to use voice and text program such as TextSecure and Redphone, but with untraceable metadata so nobody can map my inner circle of family and friends.

    By easy to use, I don't mean setting up SIP account username and passwords. Perhaps have the chat program automatically assign a hidden service address for each user, but somehow map the hidden service address to something more human readable/memorable.

    The program would have to work on mobile phones, because the only thing people carry with them everywhere they go is mobile phones. Not Desktops or laptops. Otherwise the chat program would be near useless because your friends and family won't be reachable 24/7.

    It would be great to have a decentralized publication system for blogging, chats and forums, something like Syndie or FMS. Onion sites are risky and hard to maintain.

    in my opinion and experience, I want to emphatically state that the most sensible uses for hidden services, especially if the future looks like an even grimmer version of today, are ANYTHING but web servers.

    There is no good reason at all why static content, or content that is updated slowly and asynchronously, should have to be linkable to, or fully dependent upon (except for local mirrors), the up-times of a specific computer. I think the future of plain old web content lies in distributed, peer-to-peer structured storage systems where you, as a publisher, can periodically push signed updates. A concept for making that a fully practical replacement will have to be developed, though.

    I tend to view hidden services as a logical replacement for a static IPv4 address or domain name, so one can regain the end-to-end principle even in a centralized, censored and balkanized internet. OnionCat, which probably many posters here know, makes this vision concrete by converting hidden service keys to IPv6 addresses.

    I find short-lived HS a most convenient way for creating one-off synchronous communication channels with another party, such as onionshare, or telephony (for which no really user-friendly application exists yet, but which certainly works reasonably well in my experience). Long-lived ones are extremely useful for other things that can't be done asynchronously, such as accessing a machine via SSH and possibly tunneling some traffic through it.

    So I'd say, less emphasis on the web hosting aspect, which is also the PR-wise most reviled aspect (but I'll gladly eat my words when the suggested load-balancing makes the next generation hidden services more attractive for this purpose again, and more interesting websites will move into onionspace :-) I'm in two minds about this really).

    The good news is that, better support for short lived hidden services is likely to land in tor 0.2.7.x.

    See: https://trac.torproject.org/projects/tor/ticket/6411 for details.

    oh excellent, I like it!

    Re: Cheap off the shelf (COTS)
    I am working with a Raspberry PI model 2B+. It costs $35.00. It comes with a quad arm7 processor and an awesome GPU, 1GB ram, 4 USB (which seems to be the main limitation of this platform), HDMI and PAL/ NTSC (with a special plug also not simultaneously), uses an micro SD card for OS.

    I need a TOR BROSWER BUNDLE that makes the ABOVE SUGGESTIONS work for my Pi2. I would not mind a TOR replacement for a NOOBS that would not give up any info without the distributed password confirmation or perhaps not keep any at all.

    Otherwise, I need tails that works for arm 7 quad core... ....

    I also need details on how to compile from source TOR Browser Bundle and or TAILS. Alternatively perhaps someone could put it up as an alpha build.

    It would also be wonderful for a tool that generated checks on builds as part of the building process for all to observe. I am referring to the hash (SIG/ signature(s)) that tells me that I have the genuine product(s). This would make everyone much more secure.

    I need security to work like a toaster (push the button and it works) as much as possible otherwise it overwhelms me.

    (Overwhelming those who use tor is an intentional goal of our governments. The idea seems to be that if security is at all difficult nobody will use it. ( They seem to be at least largely right.))

    It seems that at least part of the TOR stream should reaffirm our rights to security in our private effects Declaring rights to freedoms as part of the communication streams. Declaring copyright. Declaring freedom of speech. Declaring freedom of association. Declaring freedom of... ....

    Then if someone comes up in court they can ask if those who read/ wiretapped/ decoded the contents had considered the freedoms that were being trampled/ ignored.
    It could be used to change the lengths of messages.

    Allowing message path splitting could also be a function of TBB.

    I would gladly give some pi computation time to a distributed tor service node(s) maybe 3 cores or several Pi2's. It is bandwidth pay for not computation.

    How about distributed onion dns.

    There is no reason I can think of for tor not to become the source of Certificate Authority in the onion realm. If we did a good enough job of it people might want ours more than the others.

    Yes, this is several digressions in one post.

    I think there are several projects out there working on cheap, easy to install boxes with Tor. Don't remember the names though.

    I suppose a bounty on fixes (perhaps on tickets) which could be accepted/ declined by the solver(s) with the donor defining what happens to his bounty. In the example below ( A true statement of my needs),I would love to be able to offer a declining bounty by say 10% per month with the unused portion going to torproject and otherwise shared equally by all solvers. I would love to have others be able to join in with other amounts and payouts.

    True Example:
    I Can get Tor on my rpi 2 but cannot get my rpi 2 to use TBB ( the TOR Browser Bundle.)

    While i am certain it is easy to do, I would gladly put up a bounty of say $50.00 for a simple command like
    sudo apt-get install torbrowser
    to work on my Pi2's. I suppose a bounty on tickets is what i am requesting.

    It would have to work in Raspbian or be addable to NOOBS or have an image that could be burned to an micro SD. I am good with almost anything that tells me line by line what I must do. However, what i really want is a package that works in an efficient OS on my Pi2, that I do not have to particularly understand how it works while still keeping the adversary from peeping in to my business.
    To this end, I need a browser and an anonymous email, with an rejection similar to the way I understand NOMOROBO.com works with calls in the US. However, I would pay out for just the browser bundle for now.

    Since these RPI2's are very cheap and there seem to be about 2 million RPi2's out of the 5 million RPi's ( Total of all kinds)made to date i am sure that this should be a very quick fix. With 200k / Month being made there should be 2.4 million more made before Moores law requires an upgrade.

    I like the comment on "decentralized publication system" which brings to mind the global need for Alternative Media and the tools to feed it (internal and external sourcing) and a structure to distribute.

    An address book like I2P so we can have for example "torproject.onion" or "facebook.onion".

    UDP support so Tor can be used like a VPN would bring a huge amount of new users.

    How's the progress on "32-character onion addresses" versus the current 16...?

    Could swear I read in the past that this was planned in the future.

    Hello friend,

    more secure onion addresses like the ones you describe would be implemented as part of the "Next Generations HIdden Services" project. We hope to do part of it as part of this crowdfunding. See https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n335 for the nitty gritty details.

    Please fund porting onioncat to Android for anonymous end to end VOIP.

    We know that the enemy has attempted to "herd" target Tor user populations, by influencing how circuits are chosen so that they wind up using entry and exit nodes both controlled by the enemy. I am not sure how much of a concern this is with current Tor, but if it is still a credible threat, I wonder whether working towards making all websites activists might want to visit into "unhidden sites" might help.

    Regarding hiding metadata: Riseup is experimenting with something which might help here, but an even easier step which I think could help a lot in keeping their new "black" accounts anonymous from all but the most determined enemies would be add a capability to the web mail where the user can request a random delay on the order of (1 hour, 1 day) before the email leaves the server.

    Another area where hidden services might help: bug reports.

    Thanks to Snowden, we know that the enemy monitors unencrypted bug reports and uses the information gleaned to attack specific users who report their system configuration in a bug report. Tails has an interesting response, which I don't think I really understand, but I believe one component of their "Whisperback" system uses a hidden service so that a user can send an end-to-end strongly encrypted bug report to the Tails developers. This would be very useful if

    * it were audited independently
    * the documentation were sufficiently clear that users have confidence they are using it correctly to obtain strong end-to-end encryption

    I think this system even when used correctly (which might not happen by default) might still be vulnerable to easy traffic analysis by the enemy (who can probably tell that a specific IP is using Tails and just sent an encrypted bug report). If not used correctly it can potentially reveal your identity and a lot of information about your system. I welcome correction from Tails developers if I got anything wrong (I probably did).

    I'd like to see Tor adopt a strongly end-to-end bug report system along those lines, possibly using hidden services and OTR chat connection instead of email, similar to the Tails preconfigured chat accounts but available in Tor Browser Bundle. It would be very useful to help the user generate strong keys (usual entropy source problem applies) for use one-time-only. This situation cries out for ECC (elliptic curve cryptography) using a non-NSA-weakened elliptic curve.

    For "making all websites" please read "make all websites into hidden services".

    Memorable addressses is a big game changer for hidden service usability. I hope there are plans to look into it as part of your next gen facelift.

    Hello! Thank you for a great technology! It saves my family members lifes for last 5 years (gangs are chasing us all that time, and Tor help us to hide). I want not only to get you some money, but also provide idea that can make Tor more secure.

    Multiple network connections
    In my opinion, one of the most dangerous attacks on the Tor network and hidden services is a data correlation attacks made by global observer. Today all the governments try to spy on internet communications. Sometimes same things can do botnet owners. So "global observer" is not a virtual thing anymore, and we can't simply close our eyes to that problem, and say "there are no protection form global observer, and nobody can do anything with it, but there are no global observers, so there are no reasons to fear". We need to have some additional protection.
    There are no solutions that can totally solve that problem for low-latency networks, but we can make such attacks much more harder and expensive. Widely discussed solution is to send garbage traffic to hide actual amount of transmitted data, but it dramatically increase network load. My idea is to split traffic and send it throw several independent internet connections, so MiM can't to know not only the message contents and destination, but also a total message size. There are several use cases:

    1. Advanced Tor user

    If observer controls exit relay or web-service (web-service hoster or hosters data-center is also a good choice), and can spy on user ISP traffic, he can easily correlate transmitted packets by size and time (and how many hops between user and service doesn't really matters). It's not a theoretical issue - Caché based spy equipment used in many countries can store all traffic of a whole town for hours, and easily process queries like "who transmit such amount of data at that time with such headers". If Tor will support multiple ISP connections, advanced users could prevent this type of attacks:


    user
    ISP-1 (e.g. Ethernet) - tor-node-1 - tor-node-4
    ISP-2 (e.g. ADSL) - tor-node-2 - tor-node-4
    ISP-3 (e.g. 3G) - tor-node-3 - tor-node-4 - tor-node-5
    web-service

    tor-node-4 in this case is not only a simple relay, but also a mixer/splitter, that construct requests coming from several connections, and split responses. So data packets size between tor-node-5 and web-service will not correlate to packets size between user and any of entry nodes.

    2. Hardened Hidden Service

    If observer controls hosting companies network connections (or data-centers), he can periodically send requests to hidden service from any computer, and check where packets of that size appears. Hardened Hidden Service can prevent it by using multiple internet connections:


    hidden-service
    WAN-1 - tor-node-1 - tor-node-4
    WAN-2 - tor-node-2 - tor-node-4
    LAN - another-server - WAN - tor-node-3 - tor-node-4 - tor-node-5
    rendezvous-point

    user requests and hidden service responses are splits by tor-node-4 and transfer throw several connections, so observer couldn't determine what server receive requests for hidden service and send a responses.

    3. 1+2


    hidden-service
    WAN-1 - tor-node-1 - tor-node-3
    WAN-2 - tor-node-2 - tor-node-3
    tor-node-4
    rendezvous-point
    tor-node-5
    tor-node-6 - tor-node-7 - ISP-1
    tor-node-6 - tor-node-8 - ISP-2
    user

    tor-node-3 and tor-node-6 are mixers/splitters.


    Summary: by providing ability to use multiple internet connections on clients and servers and mix/split traffic on relays, we can make data correlation attacks on Tor network much more difficult, so make it more protected against global observer.

    This basically is the concept of multi path tcp over Tor. A solution like this I tested successfully but depreciated it because it presents a major anonymity risk if used by some individuals only. But if implemented for everybody it will present a major breakthrough for Tor.

    Would "rubberhose" work for this allowing anyone to split up traffic into parts without accessing the message or knowing if the part of the message was even the whole message?

    Absolutely agree! Bump!

    BM-2cV8wSTcNZ76dPPTQNoCxNpSNi9hAfV6i5

    I would like to see effort spent working on:
    1) Developing an RFC for DNS lookups of onion service addresses. Just like I request "A blockchain.info", I should be able to do "AONION blockchain.info"; just like I request "MX riseup.net" I should be able to do "MXONION riseup.net". This is not secure, no, but it's important (there should also be an easy way to manually specify onion service addresses, so security of DNS is less of a concern).
    2) Working on popular MTAs like sendmail, Postfix, Exim, qmail, etc. to add automatic delivery to an onion service, if the domain has one available.
    2.1) Working on popular MTAs to automatically generate an onion service address for receiving submissions from other MTAs (complementary to 2)

    Email is a surveillance goldmine. Even STARTTLS still gives up lots of metadata. It's time to pull the rug out from under these fuckers.

    FWIW, some work related to (2) has been done here:
    https://www.void.gr/kargig/blog/2014/05/10/smtp-over-hidden-services-with-postfix/

    I think TorProject should setup their own hidden service for the blog and main website. It would allow you to track issues for hidden services much easily. I would personally love to browse TorProject.org using hidden service.

    Show an example to the world guys. Torproject.org is more known than any hidden service.

    Hope to see this implemented.

    torproject.org actually DID have a hidden service, once upon a time. Alas, they decided to discontinue it for some reason.

    I miss the old hidden service. It was arguably the most secure way to get access to tor downloads, once you already had tor installed. SSL's promise of end-to-end security is too easily compromised by compromise of a CA; onion addresses do not suffer from this problem, assuming you can initially confirm the correct onion address.

    Running your own hidden services is also a good way to get some "eat your own dog food" cred, and to gain familiarity with some of the challenges of their actual use.

    unfortunately, I think the problem here is the lack of sysadmin time we have, and the effort required for maintaining the service. These are both crappy reasons and hopefully we will make a hidden service for the website and blog soon. A plethora of tickets have been created over time for this task (see #13829 and its comments).

    Funding might be simple if there were a torrency used for virtural payment. It would allow anyone to generate it. It could be donated to tor. It would also become valuable. It could be stored in distributed onionland.
    Or the user could print it out on paper.

    "In fact, anything you can build on the internet, you can build on hidden services."

    AFAIK, you can't build P2P (e.g. BitTorrent) on Tor, can you?

    Priority for needed project:
    a Secure Browser.

    Simple, secure by default, no addons, no "Firefox forces us to upgrade" nonsense by ARMA.

    In short, give all users the option of using the secure TBB you created for the US government and military.

    POSTNOTE Number 488 (March 2015), "The darknet and online anonymity", while generally favorable to our community, does contain one potentially alarming sentence:

    "The Executive Director of Tor Project Inc., Andrew Lewman, says he would like to intensify collaborations with LEAs and policy makers in the UK."

    I assume this means training LEAs not to just kick down doors to seize Exit nodes, but can Andrew please confirm it certainly does not mean "implant backdoors"?

    Are Roger and/or Andrew available to speak to US/UK lawmakers and their staffs?

    > In short, give all users the option of using the secure TBB you created for the US government and military.

    I for one don't know what you are talking about... unless... could you be thinking of Blackphone? That is a commercial product sold by a company, Silent Circle, which AFAIK is not affiliated with Tor (but Phil Zimmerman is a cofounder, so good for them!). Blackphones have been sold to the US DOD, which has also bought large numbers of a distinct phone made by Boeing, called simply "Black". See

    http://arstechnica.com/security/2014/06/exclusive-a-review-of-the-blackphone-the-android-for-the-paranoid/

    I hope key Tor Project people use Black phones, and lawmakers should use them too. The reasons why might be worth mentioning if Tor people speak to lawmakers.

    > Simple, secure by default, no addons, no "Firefox forces us to upgrade" nonsense by ARMA.

    Alas, security and anonymity issues tend to be very complex, and despite intense effort by many very smart people, any product which offers "complete security by default" is surely a scam.

    As Bruce Schneier likes to say, "security is a process, not a destination you can reach". The same could be said about achieving anonymity: it's something to work towards, and it's an arms race where sometimes the good guys have an edge and sometimes the bad guys get ahead.

    Because of the technical complexities, TBB developers leverage an existing and well-tested open source browser, Mozilla's Firefox, rather than trying to build something entirely from scratch.

    It indeed certainly does not mean 'implant backdoors'.

    Also, there is no separate "TBB we created for the government/military". There's only one Tor Browser, and it's on our download page.

    (I don't use a Blackphone, but then, I don't use a smartphone.)

    I really liked 'Firestarter - Django-based self-hosted crowdfunding platform' developed and used by the lead developer of the arkOS project.

    The code is here: https://github.com/peakwinter/firestarter
    The arkOS cowdfunding page using Firestarter is here: https://fund.arkos.io/

    From the perspective of running and managing a Hidden Service I think giving us a channel that is scalable for managing authenticated users/groups would be a HUGE plus.

    HiddenServiceAuth combined with a Flat or SQLcipher database for user management.
    On signup to access my sites services/documents client receives HSauth address and can also "log in". If my server detects an attack coming from a specific client it can "de-authorize" or pause that specific user's or groups access. This would mitigate some types of DOS attacks and allow my server to "heal" or ban/delete users via script.

    Mainly we would need a way to API HSA or at least allow that feature to be pulled from a database versus the present method of implanting and generating them in the .torcc file. This has the added benefit of not being listed in the HS directory if I understand correctly.

    ====

    Second. It would be great to be able to use a Multi Signature Key like bitcoin as an option complimenting or extending a Hardware Key Manager HSM. What I am trying to get is a way to minimize server compromise or at least an easier way to deploy and distribute security via multiple Load balancers and servers which don't hold the privatekeys or at least all of the private key. This would leave a possibly .onion cloud hosted server with no key to compromise and blind only routing traffic to more deeply hidden servers over its own HSA channel.

    ====
    Tor Server Bundle!

    A hardened Hidden Service bundle similar to TBB or Whonix packaged with SQLcipher, PHP, specific cryptography libraries deterministic and contained. Easy Modes of operation such as Blog, Service/Market/Members, LoadBalance, TorVPN/SelfHosted Gateway, PrivateRelay/Bridges, OnionStorage, etc. With easy VPN attaching as well as pluggin to systems like Tails, Qubes, Whonix.

    The server should have a means to backup/store/serve easily via remote file hosting sites in darknet or clearnet (if held encrypted, provider has no knowledge). Bundle should also include BitID, SQRL, or a process like walletauthenticator for remote management access as well as possibly client signup and access. Self hosted 2-factor that is pretty easy and dummy proof.

    =======
    Knuckles
    BM-2cV8wSTcNZ76dPPTQNoCxNpSNi9hAfV6i5

    Thanks for the feedback.

    For what it's worth, we indeed have plans to improve the UI of hidden service authorization both on the server-side and on the client-side. We have already started doing some work on TBB for the client-side: https://trac.torproject.org/projects/tor/ticket/14389

    But we still haven't started specifying server-side improvements like the ones you suggested.

    Another way to probably get money for further development could be to integrate a blockchain namecoin type mechanism into Tor for HS easy name space allocation.

    A hidden service .onion or .tunion where users can do a traditional 16 bit or new base 32 bit address for free, but "register" shorter names for a small fee (towards Torproject and hosts of tor namechain) which acts as a DNS system in Tor. This should allow for drudgereport.onion/tunoin or any such name space association. Keeping Torproject out of the loop directly would keep them from getting sued when apple.onion goes live.

    Alternatively, a small fee and or proof of Relay/Bandwidth/Bridge/Exitnode could be used to purchase "names".

    For more suggestions about funding, please see:

    http://blog.cryptographyengineering.com/2015/02/how-do-we-pay-for-privacy.html
    How do we pay for privacy?
    Matthew Green
    10 Feb 2015

    http://jilliancyork.com/2015/02/06/there-are-other-funding-options-than-the-usg/
    There are other funding options than the USG
    Jillian York
    6 Feb 2015

    Idea of useful feature for hidden services:

    Currently there's no functionality for indexing of existing hidden services

    Desirable functionality:
    When user decides to make hidden service, he/she decides whether to index his hidden service in search engines for hidden services.

    If user doesn't want to index his/her hidden service, then it leaves configuration option untouched, cause it's disabled by default.

    But if user decides to index his hidden service he/she enables it and puts next information in configuration file:

    [index_service]
    enable=on

    hidden_service_description="Short description of your site here"

    hidden_service_kewords="some, keywords, here, describing, your, site, and, what,is, for"

    index_services_addr="indexserver1.onion, indexserver2.onion"

    index_services_resend_interval=12 hour

    So, user's hidden service sends this information to given "index_services_addr" servers through Tor, which put this infomation into their DB and make this record available to users who search info.

    For this to be uniform, there must be uniform HTTP REST API on "index_service" part. It can be embedded in Tor or it can be application written on any language and which waits for REST API call on HTTP.

    Idea to think about is:

    How to determine/authenticate , that request for adding/updating record for "somehost1.onion" goes from "somehost1.onion" owner and not from some other malicious person, which is not the owner of the hidden service.

    I think you will like:
    https://trac.torproject.org/projects/tor/ticket/15008

    It was considered a controversial decision in the beginning so we didn't go too far with it. We will revisit in the future for sure.

    It would be great if it is implemented in NextGen version ;)
    Implementation is not hard and it's not affects anonymity.

    What are you talking about? Imagine how fast anyone would D-DOS such index from his own localhost, anonymously, simply by restarting tor in such manner:


    # while sleep $[5*60];do rm /usr/local/var/lib/tor/hidden_service/private_key; service tor restart; done

    "TOR HIDDEN SERVICES SHOULD BE DISCONTINUED NOT CROWD-FUNDED"

    The Onion Router at its core and original intent is a "networking technology"...not a "hosting technology". TOR Hidden Services are scope creep and have failed repeatedly when attacked by "powerful" adversaries. Development and support should be discontinued for the following reasons:

    - The single node model is fail! Any realistic model of hidden services has to be multi-node, distributed, and load balanced...like I2P and Freenet. Whether you agree or disagree with darknet market places, Evolution's performance and uptime was outstanding and had to be the result of cleverly leveraging some cloud or distributed hosting platform.

    - The right tool for the right task, let TOR be TOR and I2P be I2P, being a responsible actor and discontinuing a flawed model/service allows...nay "forces" hidden services to migrate to I2P or a successor...I2P will get more attention and support...vetting! Java is a ridiculous choice for use in the darknet threat model.

    - TOR should focus its resources on improving "onion routing" increasing distribution, acceptance, bandwidth, and security...for anonymous clearnet access...so Google/Cloudflare captchas, de-anonymizing talks, and browser exploits are a historical road bump for nostalgia.

    Very recently there has been another report of malware being bundled with software downloaded using bittorent.

    Some users have previously asked whether i2p might be a suitable method for safely obtaining the latest ISO image for Tails.

    But is i2p really safer than bit torrent? Certainly (unless something has changed drastically) our enemies know who is using i2p, just perhaps not precisely what they are downloading. In some ways that could be the worst of all possible worlds, in that it appears to invite FBI to assume the user is downloading something illegal (which in the case of Tails, if the FBI gets its way, may soon be literally true in FEY countries).

    So what is the current security status of i2p?

    Last I heard (a few years ago) it had badly failed an independent audit. I hope all the flaws discovered then were promptly fixed, but is there a new audit in the works?

    I'm not at all saying I2P is without flaws, anyone that claims anything is flawless, you should smile and walk away.

    What I was trying to articulate TOR, Tails, whatever its better at hiding the client than the server because that was the original design intent, spies in another country interacting with the clearnet.

    But from the server side you want people to find your site...so there can never be such a thing as a "hidden service". Someone is going to know something about your site like an onion address and attack it, so you don't put your site in one place you put it in lots of places or everyplace. My understanding is this is what I2P and Freenet attempt to do...like a torrent your site is split up and shared across everyone who has the client install.

    I'm saying focus on what you do best. TOR leaves a traffic fingerprint as well and thats why its best to run both I2P or TOR over a VPN connection.

    > Development and support should be discontinued for the following reasons:

    Your points do not lack validity, and I'd add another: the Tor Project is experiencing pressures to grow, which is good but which also carries the danger that the developer community may not be able to maintain its tightly focused and close-knit status. Our most dangerous enemies (NSA/GCHQ/CSE) will not hesitate to try to encourage and then exploit too-rapid growth, in order to harm Tor.

    But IMO these points are outweighed by other considerations:

    o So long as Tor Project leaders bear in mind the sociological tactics used by our enemies to disrupt groups like ours, we can probably avoid becoming fragmented,

    o HS have not been very safe so far, but there seems to be reason to hope they can made much safer,

    o There appear to be many reasons why safe HS would be a boon to the freedom-seeking peoples of the world,

    o Anything FBI/NSA fervently desires to kill, such as HS, must be a very good thing for every citizen of the Internet; the features of the Tor network which our enemies hate most are precisely those we should insist upon retaining, improving, and growing.

    Some unfair comments in tor-talk recently drew irritated responses from two founding members of our community. Just wanted to remind everyone to consider two Snowden-confirmed facts before responding to "trollbait":

    o The Tor Community is a major target of GCHQ,

    o GCHQ targets its enemies with a variety of "effects" which can include disinformation and trolling campaigns.

    Several Snowden leaked presentations from GCHQ sketch their rationale for attempting to destroy the cohesiveness and effectiveness of targeted communities, for example by trying to

    o discredit leadership figures,

    o turn influential members of the community against each other.

    Nasty. And very much in the spirit of "Gamergate". Let us all resolve not to fall for such dirty tricks.

    I'm going to say this and everyone is going to crap their pants. NSA/GCHQ/FBI/CIA are not trying to kill TOR, nor do they care about anything not large enough to get them a promotion. DOD funded it and CIA uses it for their assets in enemy nations. If western agencies wanted it dead, it would be dead. Why do you think unpublished bridges are a requirement in countries like China and Iran? Because that is what trying to kill TOR really look like. It blows my mind how many smart people have been brainwashed and bamboozled by Russia's spy Snowden because they are so paranoid their porn habits are being scrutinized. Would they love to have a backdoor? Sure, because that's what voters and tax payers asked them to do by supporting politicians who wrote and voted for the Patriot Act, and all the legislation supporting the MIC and IIC. The only people we have to blame in the West are ourselves because we weren't paying attention and still haven't done anything to change it.

    > What do cyber dissidents need? I guess, a way to get their message out safely and securely.

    o defenses for protestors targeted with chemical weapon assault drones

    http://arstechnica.com/tech-policy/2015/04/pepper-spraying-drones-will-be-used-on-indian-protesters/
    Pepper-spraying drones will be used on Indian protesters
    Daniel Culpan
    9 Apr 2015

    o visual identification service ("what IS this thing (image of mystery device noticed on a pole, embedded in the road, found inside telecom gear?")

    o tamper detection for hardware sent by mail/courier

    > If western agencies wanted [Tor] dead, it would be dead. Why do you think unpublished bridges are a requirement in countries like China and Iran? Because that is what trying to kill TOR really look like.

    The trouble with your argument is that in their response to Tor the FVEY nations increasingly look more and more like China and Iran. Take a look at the language in anti-democratic laws which have been enacted in recent years in Spain, Russia, Australia, China, UAE, etc., and then compare with repressive bills likely to soon become law in USA, Canada, etc. See hrw.org for analysis.

    > It blows my mind how many smart people have been brainwashed and bamboozled by Russia's spy Snowden

    Someone, presumably you, has occasionally made similar claims on tor-talk, and no one can understand why you believe something ("Russia's spy") which seems so obviously contra-factual.

    Many who offer critical comments on CIA (some of them even work there) say that James Jesus Angleton did more damage to CIA than any of the moles he was hunting. And you'd have to look long and hard to find anyone inside FBI who has anything good to say about J. Edgar Hoover.

    But more to the point, anti-communist paranoia seems out of place in the modern world. I agree that Putinism is a serious threat (especially to Russians and to people living in neighboring countries), but it is a minor threat to the world, compared to NSA, CIA, SOCCOM, etc.

    We do agree on one thing, I think: governmental reprisals against the Tor Project are a measure of its success in accomplishing its pro-democracy purpose.

    IMO, the greatest problem for human rights workers today is that the USG is transforming from being a nation which officially guarantees human rights at home and supports them abroad into the world's most lethal oppressor nation. That leaves human rights workers, Tor developers, etc., with no "safe haven" they can use as a base while working to develop democratic government in countries like Bahrain, Vietnam, North Korea, etc.

    Please, read my Advice !!!!

    There are prev. generation of hidden network, called FreeNet. There is another method of hidden services.

    It is much better for operator, do n't you see?

    The point of failure in current version of Tor's Hidden Service - is a point of operator, point of owner. It is bad, bad,bad, and again very bad way.

    I don't know, is it possible to wrap two hidden-networks FreeNet and Tor into one bunch for such new version of hidden-service.

    Is there any researchs?

    Please avoid going "off topic" into politics. This is a talk about crowdfunding hidden services and improvement suggestions. If it is not about that then lets assume it it s TROLL comment to keep us off of subject.

    Anymore IMPROVEMENT suggestions for HS?

    Forum software analogous to VBulletin, but written specifically for use with HS with anonymity protections in mind from the ground up, as far as possible.

    The same, for blogging software.

    I'd love to hear creative ideas on how HS might be leveraged to replace email (stmp is hopelessly dragnet-friendly).

    Recently the crucial role currently played by GPG in the pro-privacy infrastructure received some long-overdue media attention.

    One of the most worrisome issues surrounding current usages of PGP/GPG is the difficulty for many users of obtaining trustworthy copies of keys, including signing keys for iso images. The special purpose key distribution protocol used by PGP/GPG is unfortunately not encrypted, which is a serious limitation in the current environment. Even worse, few if any http-based key servers use https. This would appear to practically invite our most lethal enemy to trojan or alter keys in transit between the key server and the user's computer. Please note that this concern is independent of the Web of Trust model.

    Would it be possible to use HS to help improve the chances that downloaded PGP/GPG public keys have not been tampered with? Perhaps by providing hidden key-servers protected (sort of) by https?

    I am aware that "conventional wisdom" holds that downloading keys via Tails (for example) using either the purpose-built protocol or an http connection to a key-server which supports http is even more likely (for the average user) to attract governmental interference than downloading via a direct connection. Worst of all, perhaps, would be a direct connection from an IP address which shows up in NSA's database of IPs which have been seen connecting to a Tor directory authority.

    Syndicate content Syndicate content