tor network

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site.

A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don´t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.

Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.

Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.

There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion-addresses.

The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix
them if we can.

As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

We're excited to announce that a group of students from Wesleyan has created a new TorStatus website written in Python. Their new website is a fine addition to Kasimir Gabert's Tor Network Status page. Kasimir's page is currently the most popular website to learn about running Tor relays.

We're glad that we now have a new Python/Django-based TorStatus, as many developers in the Tor community have been working on complementary Tor Python libraries.

The new TorStatus started out as a rewrite of the old PHP-based TorStatus, so we're building from Kasimir's great ideas. The new TorStatus adds a new landing page, paged results that decrease latency, and carefully crafted graphs with a focus on aesthetics. But it's not only the features that make this code so great. We believe that many more developers will be interested in modifying and extending the codebase! At least that's much simpler now with the move to Python/Django.

The new TorStatus project was done by Norman Danner's students during their summer The Humanitarian Free and Open Source Software at Wesleyan University course. Thanks to Jeremy, Diego, and Vlad for designing, coding, and testing this new TorStatus! Thanks to Damian for co-mentoring the students on Tor's side.

What's next? Want to help out with coding on the new TorStatus? You should start by looking at the codebase and the list of open tickets. Feel free to leave a comment here or drop by #tor-dev if you have suggestions or are interested in helping out!