Quick thoughts on tor2web

Aaron and Virgil's tor2web site has been picked up by Wired's 27bstroke6 blog and Ars Technica.

First off, I think it's a neat implementation of allowing non-Tor users access to the realm of .onion, aka hidden services. While I think using the Tor Browser Bundle is incredibly easy, not everyone agrees with me. Neither Tor nor tor2web hosts any of the hidden service content. We don't know who does, nor who runs the hidden service. This brings me to my next thought.

Part of the challenge is that right now there is usually some place in the world that will publish your thing for you if it's interesting. Wikileaks is this year's example. But down the road, it may become the case that some things are just too hot for a public site to touch, and besides not everybody can convince Wikileaks to put up their document. Remember Usenet in the 80s? Remember BBSes? Remember NCSA Mosaic and the web in the early '90s? Technical people gravitated to these technologies first. The content reflected the people running the nodes and the size of the community. People post things just because they can. Teenagers continue to post their plans for world domination; I've read them on BBSes, Usenet, .plan files, and their web pages over the decades. Why should hidden services be any different?

Hidden Services are fairly new. They can be slow. They are a work in progress, but we believe them to be very secure and anonymous. They are an example of an application that can run on top of an anonymized network layer, such as Tor. Much like any new technology, the userbase is probably small. Sure, all Tor users have access to them, but it takes a lot of motivation and skill to set up a website correctly for hidden services. There are lots of ways to do it wrong and expose where the hidden service runs on the public Internet. This leads to less useful content generated for the masses. Make it easier, and perhaps the users will come in droves.

A few thoughts about potential services, merely copying from the current public Internet now:

  • anonymous blogging (think wordpress, movable type, blogspot)
  • anonymous microblogging (aka twitter)
  • anonymous forums for dissidents, abuse survivors, cancer survivors, human rights activists
  • anonymous dropbox or other personal document sharing (for stuff you just want to access when remote)
  • anonymous instant messaging

Why couldn't twitter, wordpress/MT/Blogspot, and forum providers set up a hidden service for their current offerings? Wikileaks and IndyMedia do already. If your customers are on a heavily censored Internet connection, hidden services may be the only way they can access your service. Some of these suggestions exist today, but they suffer from the lack of "network effect".

There is a lot of potential for hidden services to be valuable and host great content. Don't judge them by the little-known content that exists today.

Hidden services aren't limited to websites either. I use them heavily for anonymous ssh access and getting access to my file systems behind NAT and firewalls.

Be aware that if tor2web logs IP addresses, they have yours; I don't believe they do log, however. I wonder if Google, Yahoo, and others will crawl tor2web and start indexing the content.

P.S. Wired, we're torproject.org, not tor.eff.org anymore.


Setting up a hidden service microblogging site would be pretty easy. Just grab a copy of laconica (http://laconi.ca) and set it up. It can even federate with other members of the openmicroblogging network, like identi.ca - which would be very cool. Perhaps the Tor Project itself could consider getting such an effort started.

For non-"hidden" sites (such as well known ones with an established "conventional" web presence) would it be beneficial if they offered a hidden service presence (.onion) as well? For example, would it be beneficial in any way if http://identi.ca offered a .onion address as well, that went to the exact same site?

That's a nice idea. But you have to register at the laconica-site with a valid email-address or change all the code about the validation and email-notification-services.

People should start offering mail via tor :)
I think it would be very good if big services started offering access via tor. An example would be Freenode's tor hidden service.

There are a few hidden services that offer mail inside .onion-space already.

Have a look at tormail.net, it is also from inside .onion out.

I used Tor with addon in firefox to download from rapidshare very fast.
Thanks Tor first,

But I want to change the IP after a period of time (e.g. 10 minutes), how can I?

(I must Stop Tor and Start Tor again by hand, I hate that work)

Plz email to me: k3lvinmitnick@gmail.com

phobos wrote, “I wonder if Google, Yahoo, and others will crawl tor2web and start indexing the content.”

That one can be answered. Try the search ‘site:tor2web.com’ in Google. The answer is yes. What’s more, Google appears to be correlating .onion pages with the regular web. If you look at Google’s cached content for some of the .onion pages it has accessed through tor2web, the URL in the header is that for the regular (non-Tor) web page. I suppose it’s more efficient to point to what Google considers to be the canonical URL wherever possible.

http://74.125.77.132/search?q=cache:FHbFHIav7usJ:gaddbiwdftapglkq.tor2we...
http://74.125.77.132/search?q=cache:RbZxo1POzoAJ:rjgcfnw4sd2jaqfu.tor2we...
http://74.125.77.132/search?q=cache:rKMFPXORTAAJ:5pnauannuco7bsma.tor2we...

It works in the other direction too. Searching for ‘rjgcfnw4sd2jaqfu.tor2web.com’ currently gives one result – the URL for the underlying website.

As a hidden service provider, you need to protect yourself, too. What would it help if Twitter offered a hidden service interface? The service is well-known, public, can easily be forced to give away user credentials and remove "improper content". If you're using the Tor client, you can already use existing platforms anonymously.

More importantly, we need to adapt (or write new) blogging software and file dumps that completely abandon IP logging, and stop publishers and users from linking external content.

http://moblog.wiredwings.com/archives/20081218/Proposal-for-Tor-Hidden-S...

I think phobos' idea was that hidden services can't be found and since they work inside tor, they defeat censorship or filtering. This also means that an exit relay can't watch what you do and build up a pattern over time.

http://tor2web.com/tortodo

"Right now the only way to access hidden services is by using the Tor client, which routes all Internet traffic through the Tor network and so slows down normal Internet usage. It would be nice if one could run the Tor client in a mode where it only handled *.onion requests (i.e. requests to hidden services). That way users could transparently access hidden services without any degradation in normal Internet service."

Just modify the Privoxy configuration file.

Change the line that says:
forward-socks4a / 127.0.0.1:9050 .

To:
forward-socks4a .onion 127.0.0.1:9050 .

Of course, you should only do this if you are only using Tor to access hidden services, but not to protect your anonymity.

Privoxy seems to be removed from the newer versions for vidalia bundle. How do you do this with the newest version of TOR?

You can install privoxy yourself, or use the polipo we've included and configured for you.

I tried to install the bundle for Mac OSX and there was an installation failure. The alert said it could not run a postflight script for Tor. Any thoughts?

I bet the postflight script ran, but couldn't start up Firefox automatically to install Torbutton. That's typically the case. Tor is probably installed and working fine.

I do not believe tor2web has any real future. It is so slow, taking up to an hour to connect. If this is the way forward, let's all go back to DOS, at least this was faster.

Using the Tor Bundle is not that easy. Some people have difficulties using a normal browser, so they couldn't install and use the Tor Bundle. Plus, they would use it badly (ie: visiting a .onion website and then log into their webmail account, revealing their password to an exit node, it's hard to explain to a novice that Tor can both protect you and harm you).

So tor2web is great, and I'm impressed by its speed. I set up a hidden service to test the speed and it was almost as fast as a normal website. I can't imagine Tor without tor2web.

tor2web sends an X-Forwarded-For header field to the hidden service. This field contains your IP address. This is ridiculous. Just try to run a hidden service to see for yourself, if you don't believe me.

I know that tor2web aims at protecting publishers rather than readers, but still, there's no point in revealing the user's IP address to the hidden service. We don't use Tor to give our IP to the sites we visit.

Update to my previous comment: tor2web's admin fixed the x-forwarded-for issue after I emailed him. It was unintentional. The problem has probably been there since the beginning of tor2web (see http://l6nvqsqivhrunqvs.tor2web.com/?do=topic&id=7116 ).
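
The X-Forwarded-For leak reported in the comments above, as an added example that is not part of the original post and is not tor2web's code: a gateway-side filter that drops client-identifying headers before a request is forwarded, plus an audit a hidden service operator could run on what arrives. Only X-Forwarded-For is named on this page; the other header names and the sample request are assumptions constructed for illustration.

```python
import ipaddress

# X-Forwarded-For is the header named in the comment; the rest are assumed
# additional headers that proxies commonly use to carry the client address.
CLIENT_REVEALING = {"x-forwarded-for", "forwarded", "x-real-ip",
                    "x-client-ip", "true-client-ip", "via"}

def strip_client_headers(headers):
    """Gateway side: return the (name, value) pairs that are safe to forward."""
    return [(n, v) for n, v in headers if n.lower() not in CLIENT_REVEALING]

def _parse_ip(token):
    """Extract one IP from forms like '1.2.3.4', '1.2.3.4:80', 'for="[::1]:80"'."""
    token = token.strip().strip('"')
    if token.lower().startswith("for="):
        token = token[4:].strip('"')
    if token.startswith("["):                 # bracketed IPv6, optional port
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:               # IPv4 with port
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def audit_request(headers):
    """Service side: map each revealing header to the IP addresses it exposes."""
    findings = {}
    for name, value in headers:
        if name.lower() not in CLIENT_REVEALING:
            continue
        parts = value.replace(";", ",").split(",")
        ips = [str(ip) for ip in map(_parse_ip, parts) if ip is not None]
        if ips:
            findings[name] = ips
    return findings

# Constructed sample request as a gateway might receive or build it.
SAMPLE = [
    ("Host", "placeholder.onion"),
    ("User-Agent", "Mozilla/5.0"),
    ("X-Forwarded-For", "203.0.113.7, 10.0.0.5"),
    ("Forwarded", 'for="[2001:db8::1]:4711";proto=http'),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    print("before:", audit_request(SAMPLE))
    print("after: ", audit_request(strip_client_headers(SAMPLE)))
```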
