Nine Questions about Hidden Services

This is an interview with a Tor developer who works on hidden services. Please note that Tor Browser and hidden services are two different things. Tor Browser (downloadable at allows you to browse, or surf, the web, anonymously. A hidden service is a site you visit or a service you use that uses Tor technology to stay secure and, if the owner wishes, anonymous. The secure messaging app ricochet is an example of a hidden service. Tor developers use the terms "hidden services" and "onion services" interchangeably.  1. What are your priorities for onion services development?  Personally I think it’s very important to work on the security of hidden services; that’s a big priority. The plan for the next generation of onion services includes enhanced security as well as improved performance. We’ve broken the development down into smaller modules and we’re already starting to build the foundation. The whole thing is a pretty insane engineering job.2. What don't people know about onion Services? Until earlier this year, hidden services were a labor of love that Tor developers did in their spare time. Now we have a very small group of developers, but in 2016 we want to move the engineering capacity a bit farther out. There is a lot of enthusiasm within Tor for hidden services but we need funding and more high level developers to build the next generation. 3. What are some of Tor's plans for mitigating attacks? The CMU attack was fundamentally a "guard node" attack; guard nodes are the first hop of a Tor circuit and hence the only part of the network that can see the real IP address of a hidden service. Last July we fixed the attack vector that CMU was using (it was called the RELAY_EARLY confirmation attack) and since then we've been divising improved designs for guard node security. For example, in the past, each onion service would have three guard nodes assigned to it. Since last September, each onion service only uses one guard node—-it exposes itself to fewer relays. This change alone makes an attack against an onion service much less likely. Several of our developers are thinking about how to do better guard node selection. One of us is writing code on this right now. We are modeling how onion services pick guard nodes currently, and we're simulating other ways to do it to see which one exposes itself to fewer relays—the fewer relays you are exposed to, the safer you are. We’ve also been working on other security things as well. For instance, a series of papers and talks have abused the directory system of hidden services to try to estimate the activity of particular hidden services, or to launch denial-of-service attacks against hidden services.We’re going to fix this by making it much harder for the attacker's nodes to become the responsible relay of a hidden service (say, catfacts) and be able to track uptime and usage information. We will use a "distributed random number generator"--many computers teaming up to generate a single, fresh unpredictable random number.  Another important thing we're doing is to make it impossible for a directory service to harvest addresses in the new design. If you don't know a hidden service address, then under the new system, you won't find it out just by hosting its HSDir entry. There are also interesting performance things: We want to make .onion services scalable in large infrastructures like Facebook--we want high availability and better load balancing; we want to make it serious.[Load balancing distributes the traffic load of a website to multiple servers so that no one server gets overloaded with all the users. Overloaded servers stop responding and create other problems. An attack that purposely overloads a website to cause it to stop responding is called a Denial of Service (DoS) attack.  - Kate] There are also onion services that don’t care to stay hidden, like Blockchain or Facebook; we can make those much faster, which is quite exciting. Meanwhile Nick is working on a new encryption design--magic circuit crypto that will make it harder to do active confirmation attacks. [Nick Mathewson is the co-founder of the Tor Project and the chief architect of our software.] Active confirmation attacks are much more powerful than passive attacks, and we can do a better job at defending against them. A particular type of confirmation attack that Nick's new crypto is going to solve is a "tagging attack"—Roger wrote a blog post about them years ago called, "One Cell Is Enough"—it was about how they work and how they are powerful. 4. Do you run an onion service yourself?   Yes, I do run onion services; I run an onion services on every box I have.  I connect to the PC in my house from anywhere in the world through SSH—I connect to my onion service instead of my house IP. People can see my laptop accessing Tor but don’t know who I am or where I go.  Also, onion services have a property called NAT-punching; (NAT=Network Address Translation). NAT blocks incoming connections;it builds walls around you. Onion services have NAT punching and can penetrate a firewall. In my university campus, the firewall does not allow incoming connections to my SSH server, but with an onion service the firewall is irrelevant. 5. What is your favorite onion service that a nontechnical person might use?  I use ricochet for my peer to peer chatting--It has a very nice UI and works well. 6. Do you think it’s safe to run an onion service?  It depends on your adversary. I think onion services provide adequate security against most real life adversaries.However, if a serious and highly motivated adversary were after me, I would not rely solely on the security of onion services. If your adversary can wiretap the whole Western Internet, or has a million dollar budget, and you only depend on hidden services for your anonymity then you should probably up your game. You can add more layers of anonymity by buying the servers you host your hidden service on anonymously (e.g. with bitcoin) so that even if they deanonymize you, they can't get your identity from the server. Also studying and actually understanding the Tor protocol and its threat model is essential practice if you are defending against motivated adversaries.7. What onion services don’t exist yet that you would like to see?  Onion services right now are super-volatile; they may appear for three months and then they disappear. For example, there was a Twitter clone, Tor statusnet; it was quite fun--small but cozy. The guy or girl who was running it couldn’t do it any longer. So, goodbye! It would be very nice to have a Twitter clone in onion services. Everyone would be anonymous. Short messages by anonymous people would be an interesting thing. I would like to see apps for mobile phones using onion services more—SnapChat over Tor, Tinder over Tor—using Orbot or whatever.  A good search engine for onion services. This volatility comes down to not having a search engine—you could have a great service, but only 500 sketchoids on the Internet might know about it. Right now, hidden services are misty and hard to see, with the fog of war all around. A sophisticated search engine could highlight the nice things and the nice communities; those would get far more traffic and users and would stay up longer. The second question is how you make things. For many people, it’s not easy to set up an onion service. You have to open Tor, hack some configuration files, and there's more.We need a system where you double click, and bam, you have an onion service serving your blog. Griffin Boyce is developing a tool for this named Stormy. If we have a good search engine and a way for people to start up onion services easily, we will have a much nicer and more normal Internet in the onion space.  8. What is the biggest misconception about onion services?  People don't realize how many use cases there are for onion services or the inventive ways that people are using them already. Only a few onion services ever become well known and usually for the wrong reasons. I think it ties back to the previous discussion--—the onion services we all enjoy have no way of getting to us. Right now, they are marooned on their island of hiddenness.  9. What is the biggest misconception about onion services development? It’s a big and complex project—it’s building a network inside a network; building a thing inside a thing. But we are a tiny team. We need the resources and person power to do it.  

(Interview conducted by Kate Krauss)


November 17, 2015


Great article! I assume soon to see at least 100 twitter clones and still no _good_ search engine (to be fair, the current ones are pretty good for what they are)

Some yes, i am at work and cant look for the next hours but there have been at least 3 search engine releases in the last half year on /r/onions. Next to that there is Torch and Not Evil


November 17, 2015


brillant ! hope this means we get some updated tutorials on the various magic stuff that can be done with hidden services.


Great work Kate. Thank you for the write up. As it is said 'if you build it, they (programmers) will come."

I, myself will be sure to work on this effective immediately.

Carry on!


Ricochet is sublime.

Great content. Thanx so much for your work.

something is wrong with onion service , it is not so secure & safe that it claims it !
most of time, i cannot access at the onion site of my choice.
are the server compromised or is it prohibited from my isp / rogue-state_country ?
i do not know....

"rogue-state_country" Hmm...

Great interview! a decentralized Bitcoin-Fiat (or Bitcoin-Altcoin) exchange is using Tor Hidden Services as base for its P2P network (using a flooding algorithm). It is still under development but should be released in january.

Links to some useful hidden services.


"Since last September, each onion service only uses one guard node—-it exposes itself to fewer relays."

Do you have reference for this? Where can it be checked?

Is having one guard just for the HSes running on post-Sept2014 Tor releases or does the network force it for all hidden services?

The nework forces it for all hidden services by setting the NumEntryGuards consensus parameter to 1.

Any Tor version above understands the NumEntryGuards parameter and switches to 1 guard.

'NumEntryGuards NUM' - where is the restriction for NUM be in 0...1??? Or you are just joking?! I don't believe network are turned to FORCE clients behavior and tor have some hidden ways to change clients configuration file. Consensus is just a recommendation.

I see in cached consensus that "NumEntryGuards=1".
However, Tor specification still insists that default value is 3:

Am I looking in the wrong spec?

Why all the comments disappearing?

So in otherwords there is no workaround or stop for guard node intrusion currently?

How prevenlant can we expect this to be?....realsitically as posssible please.

The more I research Tor, the less secure it is in my mind.

You can always buy a vps and run a published tor bridge relay and just use that bridge as your guard.

There is trouble with comments because someone is spamming us with comments, and is filling up the database making it hard to spot valid comments and approve them.

I'm not sure what you mean by "guard node intrusion", but in general it's very hard to _completely stop_ guard node attacks in low-latency scenarios. This is because hidden services use long-term connections (that's how the web works) and hence they need to connect to a relay which learns their IP.

This is almost unavoidable with the current architecture of our onion routing. The question then becomes "how can we minimize the number of relays that get to see the IP of the hidden service". If we minimize this number, and assuming we have enough relays on the network, these attacks should be very unlikely. We are working on this these days!

There is trouble with comments because someone is spamming us with comments, and is filling up the database making it hard to spot valid comments and approve them.

I think that there is also other problems, because there is empty comments with date December 31st, 1969.

I think that this date is "-1".

> The more I research Tor, the less secure it is in my mind.

Well, don't confuse the issue of safeing this blog against spammers (which the Project has stated is a low priority) with keeping Tor itself and TB and TM safe, which are completely different things. If you read this blog carefully over the next few months, you'll probably begin to understand why things are not nearly as bad as your first impression might have led you to believe.

Tor Project faces many threats from many determined and capable adversaries, but the core software (Tor itself) has many strengths and has proven amazingly resistant to all but a handful of known attacks. When effective attacks have come to light, the Project has almost always been able to fix them quickly. The ones it can't fix easily mostly involve things like PKI and rogue CAs which are too big for Tor Project to address alone, but even here the wider community is more and more determined to force internet vendors to fix these problems.

fter accessing some specific websites you can notice the search bar displays a plus sign green icon, if I click and add this engine to my Tor Browser, would it track and log every time I use the function? The search provider knows the user when the user added its search addons and by later changing the search code and the user dosen't add its new code. From the keywords you have seached by its addons which provides the specific code so the provider may get your important personal informations.

firefox feature. I never knew what that was. now i see, when i click it.
it looks like you can add a search engine to searchplugins in the profile directory (folder). if true, then the new search plugin will be a new xml file, which you can read and edit with text editor.

> the new search plugin will be a new xml file, which you can read and edit with text editor.

What worries some users is the possibility that website operators might be able to exploit a vulnerability in FF (which might also be present in TB) to also read and edit, and perhaps to recover a web-surfing log of the current TB instance.

This is probably less likely with Tails, but in the absence of informed comment I worry that it could be problem for TB.

Do the TB devs have any comment?

They definitely won't have any comment here (on this unrelated blog post). I suggest asking them in a venue where they're paying attention.

From my cursory look at the thread here, I don't see how adding another search option has anything to do with keeping a websurfing log.

> I don't see how adding another search option has anything to do with keeping a websurfing log.

I've noticed that some websites seem able to fiddle with TB to set their favorite search engine (e.g. the duckduckgo icon appears) and that worries me. (It's not the choice of search engine which worries me, it's the impression that the website can reset at least some TB settings.)

If you can track down details, please open a ticket in trac!

Can I do that anonymously, without an email account? What link should I look at? Problem might be moot now that seems to be blocking Tor.

Can you file a ticket anonymously? Yes. and login as cypherpunks if you like.

Nice interview and good job pointing out the need for some more easy to set up software and especially the blogging part.

If there was a secure and easy to set up onion blogging platform, even without all the bells and whistles, that would be a great step forwards for freedom of speech.

i believe it is as simple as :
1)get hardware
2)install/load (as example) freebsd in memory (use your notebook etc)
3)fill disk(s) with random data (if you need permanent storage)
4)encrypt full disk(s) with geli
^ one time only steps ^
5)install virtualbox
6)create firewall-vm, tor-vm, blogging.platform-vm
for more details use your brain and enjoy
hard reset and there are only disks with random data...
(just one small problem with geli and ...)
all steps needed to reboot can/should be scripted.
as you are the only person who knows the passphrase and has the key file for geli nobody but you can reactivate this platform.

FreeBSD is not simple for most people. Also, he wanted a secure blogging platform. FreeBSD does not even have upstream ASLR yet.

And isn't FreeBSD tied to NSA? Isn't OpenBSD more secure?

That asked, I support the Diversity Project.

Thanks for the reply asn. I really hope something comes to a viable fruition. It's disconcerting using Tor even with Tails after reading about these attacks.

The commenter's suggestion on the vps sounds interesting though. Thanks

Assuming you are both talking about what I know as VPNs, these can be useful, but when it comes to cybersecurity, there are no magic bullets. You may want to look up NSA/ANT's FEEDTROUGH malware targeting VPNs using commercial devices sold by Juniper, which may well be the "unauthorized code" discussed in this story:…
“Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic
Backdoor in NetScreen firewalls gives attackers admin access, VPN decrypt ability.
Dan Goodin
17 Dec 2015

> An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.

Is there a way to donate directly to the hidden services development team?

If theres one thing the recent terror attacks in paris have shown us, its that the big bad fearsome five eyes are completely impotent to track known terrorists over unencrypted channels much less crack Tor. Hell even the FBI went to a university for help, not the NSA with its multibillion dollar budget and unfettered access to all the worlds communication lines, no, a university whose budget is 1/1000th of that with access to nothing.


click on donate page , voila !

i enjoy they cannot track down a person ; it is not pathetic : a government ' project is done for obtaining a budget not a success _ every enterprise has this policy.

i hope that this little attack has not damaged / corrupted a server/pc or a cable ... it should have been a nightmare if it had been a magnetic attack : oops general kernel panic for all tor users.

> it should have been a nightmare if it had been a magnetic attack

You mean exploiting stray electromagnetic emanations from operating electronic device? (Countermeasures well outside the ability of the average citizen or small business are sometimes called TEMPEST.)

Is bombing foreign houses from air not a terrorists' action? And who sells you pr about five eyes tracking terrorists they are tracking you and only you... and why do you think paris gov in first place decide to participate in air bombing? Isn't it because some paris politicians have been blackmailed by nsa agents? Someone believes info in dbs selfdestructing the moment he/she became politician...
How much money do you think domestic agencies will get tomorrow for spying on locals? Guess who is getting benifits from this accident. the price of the apartment in paris will decrease like after the 11th at ny.
but who was the target at ny and paris -except this supposed economic trick- ?
it was not hillary (so it happened with her agreement) it is not holland or the mayor of paris (so it happened with their agreement) ...

> Isn't it because some paris politicians have been blackmailed by nsa agents?

Don't know, but USIC agencies such as CIA have for decades used the illegal fruits of NSA targeted surveillance to bribe not just French, German, Pakistani politicians, etc, etc., but also American politicians.

In past decades, US Presidents sometimes decided that using NSA surveillance for political purposes was beyond the pale, but the last President who felt that way may have been Lyndon Johnson. I recall an incident which a occurred a few days before Nixon's electoral victory. NSA brought Johnson intercepts proving that Nixon, with the connivance of the socialite and conservative political operative Anna Chennault (widow of Flying Tigers general Claire Chennault), had been conspiring with the North Vietnamese, a nation with which the US was then in a state of undeclared war, to ensure the defeat of the Democratic candidate. So Johnson had been handed proof that probably could have been used to convict Nixon of treason, a capital crime. Johnson wrote a blistering personal letter to Nixon, but decided it would be improper to disclose the intercepts.

I wish current political leaders understood that good intentions do not justify illegal actions, that one traitorous act (Nixon's) cannot be used to justify another.

Former CIA director: ‘We kill people based on metadata’


Your link does not learn us nothing more we do know yet since a long time : an ( us ) citizen does not exist in the usa and for the usa.
We are a coin, a billet , a market, a network where every hand, word, fingerprint become a link and all these links are the way (your genuine and private life) to make money ; you create your life and they collect the result ... before you if they know how, who, why ...
Their job is the same than the bank do , the reason is they do want LIKE YOU a very good standing without sharing.

*i will add that i should appreciate that you stop trolling with irrelevant arguments mixing false opinion and hateful propaganda. _ REMEMBER NAZI GERMANY ELIMINATING ALL THE NON-CRIMINAL JEWS? _ lol ,


It's YOU who knows but not millions of dumb internet walkers. And how many anti-troll comments you have writen to pr news agencies which told the same things all the time? Don't try to shut up his mouth nobody will try to shut up yours.