Tor's Fall Harvest: the Next Generation of Onion Services

Hello friends!

We are hyped to present the next generation of onion services! We've been working on this project non-stop for the past 4 years and we officially launched it two weeks ago by publishing our first alpha releases.

What's in an onion?

We are assuming you are familiar with traditional onion services: fun little sites that look like nytimes3xbfgragh.onion. This weird variety of onions has been around for over 10 years and is used for all sorts of things. Here are just some examples:

  • news organizations use them for private information disclosure (see SecureDrop)
  • websites use them to defeat censorship and provide a secure gateway for their users (e.g. ProPublica)
  • the cryptocurrency ecosystem uses them to perform private transactions and mining
  • people use them for reachability and a permanent address when their server sits behind NAT or on a dynamic IP

We believe that being able to express yourself and publish content with privacy is as important as being able to browse the web privately, and hence we consider onion services a critical part of the internet.

What's ripe?

As previously mentioned, the legacy onion system has been around for over 10 years and its age has started to show. So let's get a taste of the improvements these next-generation onions provide us with:

On the cryptography side, we are moving to modern primitives: Ed25519 identity keys, SHA3-256 hashing and curve25519-based handshakes replace the legacy system's 1024-bit RSA keys and SHA-1, and the client authorization scheme is improved. On the protocol side, we redesigned the directory system to defend against information leaks and reduce the overall attack surface. For example, did you know that in the legacy onion system the network could learn about your onions? A legacy directory (HSDir) that stored your descriptor could recover the onion address from it and so enumerate services. In the next-generation design, descriptors are uploaded under a blinded key that changes every time period and their contents are encrypted, so the directory learns neither your onion address nor your introduction points: your address is known only to you and to whoever you choose to disclose it to.

Now, from an engineer's perspective, the new protocol is far more extensible and features a cleaner codebase. And finally, from the casual user's point of view, the only visible change is that new onions are bigger and tastier: an address grows from 16 to 56 base32 characters, because it now carries the service's full 32-byte Ed25519 public key (plus a checksum and a version byte) instead of an 80-bit truncated hash of an RSA key, and it looks like this: 7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion. For the nitty-gritty details, please check out our technical specification.
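Since the address is the one thing users will see every day, here is how it is put together, as an added example that is neither code from this post nor tor's own implementation: the 56 characters are the base32 encoding of the 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum and a version byte (0x03), which is also why every next-generation address ends in the letter "d". The sample key is constructed, not a real service, and the decoder checks only encoding, length, version and checksum (it does not verify that the 32 bytes form a valid Ed25519 point, which tor does when it actually uses the key):

```python
import base64
import hashlib

# Layout of a next-generation address (rend-spec-v3, section 6):
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
ONION_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"
V3_NAME_LEN = 56  # 35 bytes * 8 bits / 5 bits per base32 char, no padding


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the key bytes to the version byte."""
    data = CHECKSUM_PREFIX + pubkey + bytes([ONION_VERSION])
    return hashlib.sha3_256(data).digest()[:2]


def encode_onion_address(pubkey: bytes) -> str:
    """Build the .onion name for a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("an Ed25519 public key is exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + bytes([ONION_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_address(address: str) -> bytes:
    """Return the public key embedded in a v3 address, or raise ValueError.

    Validates length, base32 alphabet, version byte and checksum only.
    """
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != V3_NAME_LEN:
        raise ValueError(f"v3 names are {V3_NAME_LEN} base32 chars, got {len(name)}")
    try:
        raw = base64.b32decode(name, casefold=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("name is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported version byte {version}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address mistyped or tampered with")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        decode_onion_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed key, not a real service
    addr = encode_onion_address(sample_key)
    print(addr, is_valid_onion_address(addr))
    # The address quoted in the post above:
    print(is_valid_onion_address(
        "7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion"))
```

One caveat worth keeping in mind: the checksum catches transcription errors and version confusion, nothing more. It is not a defence against look-alike addresses, since anyone can generate keys until the first few characters match a target; only the full 56 characters identify a service.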

All in all, the new system is a much-needed improvement that fixes many shortcomings of the old design and builds a solid foundation for future onion work. For more information, please check out our latest alpha Tor Browser release and try it out. You can also set up your own onion service and escape the legacy system for good.
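As an added illustration (not taken from this post), here is the torrc difference between staying on the legacy system and opting into the next generation. Because the legacy version is still the default in these alpha releases, the version has to be requested explicitly; the directory paths and the port mapping are assumptions for the example:

```text
# Legacy service: with HiddenServiceVersion omitted (the alpha default) or
# set to 2, tor generates a 16-character RSA/SHA-1 address.
HiddenServiceDir /var/lib/tor/legacy_service/
HiddenServiceVersion 2
HiddenServicePort 80 127.0.0.1:8080

# Next-generation service: request version 3 explicitly. tor writes the
# 56-character address to the hostname file and the Ed25519 key pair to
# hs_ed25519_secret_key / hs_ed25519_public_key in this directory.
HiddenServiceDir /var/lib/tor/nextgen_service/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080
```

After a restart the address is in /var/lib/tor/nextgen_service/hostname. Keep the directory owned by the tor user with mode 0700; tor refuses directories with looser permissions, and the secret key file is the whole identity of the service, so back it up and treat it like any other private key.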

New Features Are Yet to Come!

This is just the beginning, so let's talk about the future.

As the current code stabilizes further, we plan to add features like offline service keys, advanced client authorization, a control port interface, improved guard algorithms, secure naming systems, statistics, mixed-latency routing, blockchain support, AI logic and a VR interface (j/k about some of these). We are planning to take it slow, since there is lots to do and many bugs to squash.

Furthermore, we don't want to destabilize the current onion community, so we are not planning to kill the legacy system just yet. As a matter of fact, the legacy system will remain the default option for some more time, while the userbase migrates to the next generation and as we kill bugs and write features. After a while, we plan to flip the switch and make the next gen the default. Then, in a few years and if the community welcomes the change, we will phase out the legacy system entirely and let it lie in eternal internet history... but that's not really soon :)

Help Us Grow!

There are tons of things that need doing and not too many of us! Help and funding is always appreciated.

Are you a project or a company that depends on onion services? Get in touch if you'd like to sponsor us to work on onion services to make them faster, slower, or stabler.

We also need coding help. Are you a computer daredevil? Do you see your life as a protocol in need of optimization? Do you believe in the cause? The first step is to visit our humble test hub and start looking at our code and spec. We have lots of open tickets and a plan forward so get in touch! 

And please don't forget to donate to The Tor Project. We are a small team of motivated individuals taking a stand against tracking, surveillance, and censorship, and we hope you'll join us. 

We Are Happy Farmers

Finally and before closing this post, the Tor onion services crew would like to extend a huge thank you to the people who made this project a reality.

From initial idea to design to code, we would like to express our gratitude: Nick Mathewson (nickm), Roger Dingledine (armadev), Ian Goldberg, Paul Syverson, Aaron Johnson, Tim Wilson-Brown (teor), s7r, karsten, special, haxxpop, Yawning and the whole Tor Browser Team.

During the testing phase (still ongoing), many volunteers showed up and helped us greatly by reporting bugs to us: loisiqr, cathugger, willscott, epi, micah, pastly, ahf and hellais, and all the people from the test network.

This project started 4 years ago so this can NOT possibly be all the people who helped out so sorry if we forgot about you. It was and still is a humongous team effort coming from the entire spectrum of the Tor community.


Thanks for reading and we are happy to welcome you to this new part of the internet! :)

Anonymous

November 02, 2017

Good job, hope the default Tor router, Tor notebook, Tor mobile phone and Tor watch, like NYSE:AAPL, increase market share.

Anonymous

November 02, 2017

And it will be ready in 5 years with a Tor Browser configured as a mini-Firefox (more anonymous maybe, but certainly less secure than mine).
Your preference is your project: network & "market share"; TBB is far behind...

Anonymous

November 02, 2017

Any plans at all on how to prevent hidden service DDoS attacks? You seem to ignore this issue. Mitigating DDoS is next to impossible on Tor.

Hey, unfortunately we haven't worked too much on this yet. Tickets #16052 and #16059 present some plausible approaches forward, but the truth is we need more help from the community in understanding how to handle these DoS threats better.

What about a hashcash-like system [0]? Let users perform expensive hashes (ideally with a hash algorithm that gives little advantage to specialized hardware) that are cheap to check at various points in the establishment of a connection to the hidden service.

The hash shouldn't be replayable (i.e. to either the same node + same hidden service, a different node + same hidden service, or a different node + different hidden service). I do not have the crypto background to suggest such a scheme, but I expect such a scheme should be possible.

Without too much deep knowledge of the prop224 protocol, I would imagine it would be useful to have the option to request this from each node that is part of the negotiation/establishment of the hidden service circuit on the hidden service's side. Off the top of my head this would include the HSDir, the introduction point and the hidden service's Tor client itself.

Having multiple locations for enforcing expensive hashing may require control of multiple nodes to perform a direct DDoS attack, leaving attackers without that capability only the option of indirectly DDoSing the hidden service by DDoSing the relevant Tor nodes.

I would recommend enabling this by default with a reasonable hashing difficulty (i.e. high enough to make it costly for DDoS but low enough not to slow down even users with weaker hardware too much); this way all hidden services have some protection without standing out too much. The default difficulty probably should increase occasionally to account for the increase in processing power. It might be a good idea to have different standard levels of hash difficulty, like the security levels of TBB.

[0] http://www.hashcash.org/
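As an added sketch of the proposal in the comment above (illustration only: this is not Tor's code, and, as the reply further up says, Tor had no such mechanism at the time), the client commits to the service, to the node that will check the work and to a timestamp, so a solution is not reusable at another node, for another service, or outside the time window, and each verifier keeps a replay cache so the same solution is not accepted twice. SHA-256 stands in for the hardware-resistant hash the comment asks for; swapping it is a one-line change. The service and node identifiers and the difficulty are constructed for the example:

```python
import hashlib
import struct
import time


def pow_input(service_id: bytes, node_id: bytes, ts: int, nonce: int) -> bytes:
    """Everything the hash commits to: service, checking node, time, nonce."""
    return b"|".join([service_id, node_id,
                      struct.pack(">Q", ts), struct.pack(">Q", nonce)])


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest; the usual hashcash measure."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_pow(service_id: bytes, node_id: bytes, ts: int,
              difficulty: int, max_tries: int = 1 << 40) -> int:
    """Client side: search for a nonce. Expected cost is about 2**difficulty hashes."""
    for nonce in range(max_tries):
        digest = hashlib.sha256(pow_input(service_id, node_id, ts, nonce)).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce
    raise RuntimeError("no solution within max_tries")


class PowVerifier:
    """Verifier run by one node (an HSDir, an introduction point or the service itself)."""

    def __init__(self, node_id: bytes, difficulty: int, window_s: int = 60):
        self.node_id = node_id
        self.difficulty = difficulty
        self.window_s = window_s
        # Replay cache of accepted (service, ts, nonce) tuples. It stays
        # bounded because anything outside the window is refused and can be expired.
        self.seen = set()

    def verify(self, service_id: bytes, ts: int, nonce: int, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.window_s:
            return False  # stale or from the future: also bounds the replay cache
        key = (service_id, ts, nonce)
        if key in self.seen:
            return False  # the same solution was already spent at this node
        digest = hashlib.sha256(pow_input(service_id, self.node_id, ts, nonce)).digest()
        if leading_zero_bits(digest) < self.difficulty:
            # Not enough work. A solution computed for a different node or a
            # different service lands here too, because node_id and
            # service_id are part of the hashed input.
            return False
        self.seen.add(key)
        return True

    def expire(self, now: int) -> None:
        """Drop cache entries that can no longer pass the window check."""
        self.seen = {k for k in self.seen if abs(now - k[1]) <= self.window_s}


if __name__ == "__main__":
    service = b"constructed-service-id"
    intro_point = b"constructed-intro-point-id"
    verifier = PowVerifier(intro_point, difficulty=12)
    ts = int(time.time())
    nonce = solve_pow(service, intro_point, ts, difficulty=12)
    print("first use accepted:", verifier.verify(service, ts, nonce, now=ts))
    print("replay accepted:", verifier.verify(service, ts, nonce, now=ts))
```

The difficulty parameter is the knob the comment talks about: each extra bit doubles the client's expected work while the verifier still pays one hash per check, which is what makes the asymmetry useful against a flood of introduction requests.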

Anonymous

November 03, 2017

Those new addresses are really long. It doesn't even fit on my screen! And that's just the domain part. With the URI you'll run into problems where things like email clients will put line breaks in the URL and break it. I have to say, this is not such an elegant solution. These will be impossible for surfers to memorize, so they'll have to do something compromising to find their sites. Impossible to even recognize, meaning easy victims to spoofing. The length of these addresses is absurd. Honestly, back to the drawing board.

Hello Viridian,

I think your concern is legitimate but I'm hoping it's not the whole picture. If there was an easy solution for shrinking down the addresses while maintaining security we would have done it of course.

Here are a few reasons we are hoping this is not as terrible as it may sound initially:
a) People don't memorize current onion addresses either. Even 16 chars are too much for a human brain to remember. People usually use bookmarks or write them to text files. Here is some survey data on this: https://lists.torproject.org/pipermail/tor-dev/2017-September/012464.ht…

b) Even normal website URLs can grow pretty big when you include the application data. Some websites add so much crap into their URI that 40 chars make no difference. So bad email clients will always break stuff regardless of the domain size.

c) We are hoping that in the medium-term future we will introduce features that will make the onion address irrelevant by providing some sort of human-memorable layer on top of it. Here is a blog post on this: https://blog.torproject.org/cooking-onions-names-your-onions .

Cheers!

These statistics are not calculated by the clients, but by the relays.

Your client will *not* upload any information at all. Instead, the relays could count how much hsv3 data goes through them in a privacy-preserving way. For more technical info, check how we are doing it for legacy onion services: https://gitweb.torproject.org/torspec.git/tree/proposals/238-hs-relay-s…

You can see the results here: https://metrics.torproject.org/hidserv-dir-onions-seen.html

People who don't get what differential privacy means won't get it; it's not the first time that a privacy-focused product gets these complaints, just see all the hysteria generated by Mozilla following an opt-out telemetry plan - not even put into practice ;)

Repeating the same thing is tiring: you are every user, that's the price and the benefit of anonymity.
Indeed, YOU are a pedophile and drug seller/buyer like the pope is (accusing others of your own activities is a devilish attitude).

As of 2017 the "cyber-security as a service" industry/cabal has joined in the fray, attempting to make Tor less useful through default blacklists included in their firewalls. The Cloudflare captcha monkey business (AKA mass DDoS attack against human website visitors) might only mark the beginning of a larger trend. This industry as a whole is also spreading much misinformation. Notice how often we're being told that a large "percentage" (a pretty meaningless measure) of Tor traffic is "malicious"? And how often "malicious" is not even defined?

That said, it's amazing how much public hysteria *against* privacy state actors manage to shore up at all levels and in every domain a mere 4 years after the true extent of mass surveillance was exposed. What's wrong with people nowadays? In many parts of the world (especially the relatively *safe* parts), they flock to the political parties that promise a maximum of surveillance and can't even see that the most serious threat to their security would be a technologically enhanced dictatorship. Arguably we have already passed the brink, pushing the need to counteract to 100%.

I support Tor in multiple ways and will continue to do so no matter how much it is maligned (as if criminal activities didn't take place in real life, as if privacy - online, offline, everywhere - were something that didn't deserve maximum protection). Even when they eventually outlaw it in my country (seems unlikely at the moment). I suggest everyone do the same and find creative new ways to advocate for it and projects with similar aims.

Well, it is a lot of noise for nothing: the more people use & participate in the project (Tor & others), the more it is alive & strong.
- They admit a right when they cannot go against it, but a genuine, logical, cultural 'reason' should sound like nonsense, a provocation.
- Media is based on propaganda: it is an aggressive & hostile commercial war where making a fake is, like in Hollywood, a business.
Fake Americans, fake guests, fake news, fake FOSS, fake VIPs, fake intelligence, fake females, fake danger, fake racial war, fake rich & poor stories, fake freedom/responsibility & fake security/privacy: such that real life begins on the net.
On the net, I need anonymity (it was a weapon for outlaws and it is now a power that real persons depend on, because they are the community, the society and the future of their countries) and my security depends on every person who says 'no' at every step of a dictatorship.

* Malicious is a term for lawyers and it is also one of the eternal charms of the human being, no?

Anonymous

November 04, 2017

I love the new improvements that you are adding but, may I ask, why do the onions have to be three times longer than they have to be? I realize that more and more domains are being taken up but, holy cow!

Anonymous

November 07, 2017

For those of you using the non-exit, onion-only BitTorrent swarm networks, trackers, indexes and forums in OnionLand with your preferred torrent clients...
Don't forget that you will continue to need to use V2 onion services with OnionCat for the long-term future, at least until the problem of V3 onions breaking OnionCat's function, and thus both IPv6 and UDP support for torrenting, is fixed by some future implementation that results in the same capabilities. This does not prevent you from using the new V3 client releases for your torrenting, provided those clients still offer legacy 80-bit V2 addressing support. If they drop V2, Tor will be patched or simply forked, since the security and privacy levels of V2 are generally sufficient for everyday vanilla torrenting, i.e. against the copyright cartel. Here is one related ticket: https://trac.torproject.org/projects/tor/ticket/23079

Anonymous

November 23, 2017

During the past hour, I tried to access a website, viz. www.victoryfortheworld.net, from this browser, and received a message that my IP address had been blacklisted! Then I got a message that the site's bandwidth had been exceeded! I learned about this particular website through a radio interview I had downloaded featuring the vice president of Canada. Please help me understand the underlying reasons.

Anonymous

January 12, 2018

Now that 3.2.* is stable, is the next alpha going to switch repositories to experimental-3.3...?

Anonymous

January 13, 2018

Sorry for dropping this in... I realize it isn't relevant to the current discussion, but I haven't seen it addressed anywhere and it concerns me. I'm concerned about all of this business with Spectre/Meltdown and how it will affect Tor's anonymity. Is there a plan to update Tor's Firefox version with Mozilla's recent patches? I understand that some of the risk is being mitigated by reducing the timing accuracy of the FF browser. Does that make a difference for Tor?

Anonymous

January 28, 2018

I seem to need help with your browser. I did the upgrade and when I start Tor, instead of getting the welcome page as usual, all I get is a blank page. And I cannot connect to any onion site; it just stays saying "connecting". What did I do wrong, if anything?
