News Orgs & Activists: Onionize Your Sites Against Censorship

by steph | January 24, 2018

 

In many countries, censorship of websites with critical information or news is commonplace. If opinions, analysis, or facts contrary to the country’s narrative are published, repressive governments can quickly silence those voices by blocking access to those websites. 

For instance, in September 2017, one day after Human Rights Watch released a report on systematic torture in Egypt’s jails, Egypt blocked access to the HRW website, curtailing its people’s access to the report and leaving them uninformed about their own countries treatment of its citizens. Egypt has also blocked numerous news sites, including Al Jazeera, so when AJ reported on Egypt’s block of HRW after the report on torture was released, the most critical audience, the Egyptian people, were less likely to be reached.

Publishing a website using onion services over the Tor network is a way to circumvent many state-led methods of censorship. These website addresses end in the TLD .onion. Similar to how the https:// protocol of a website provides more security than the http:// protocol, an onion address also appears to be the same site but gives a visitor more privacy and security through end-to-end encryption and improved authentication. 

Visiting an onion address is easy. All that’s needed is Tor Browser (Tor Browser is built from Firefox and is similar to use); you visit the onion address in Tor Browser like you visit any web address. 

Here’s the onion address of torproject.org: http://expyuzz4wqqyqhjn.onion/ 

The New York Times has an onion address: https://www.nytimes3xbfgragh.onion/

So does ProPublica: https://www.propub3r6espa33w.onion/

Download Tor Browser and check them out.

If your organization’s site is already blocked anywhere in the world, or if you are calling out injustices, sharing state-suppressed resources, or just want to provide your site and users with better privacy and security, creating an onion version of your website should be your next step. 

Alec Muffett, a security researcher and longtime member of the Tor Community, has created the Enterprise Onion Toolkit (EOTK) to make it easier for you to give a public site a corresponding onion address. You can ping Alec on Twitter or join the EOTK mailing list if you have any questions about how to use it. 

We want a free and open internet for all, so let’s onionize and build it. 

Tags
onionize the web
onion services
censorship
Enterprise Onion Toolkit: EOTK
human rights
cooking with onions
k239

Anonymous (not verified) said:

January 24, 2018

Permalink

Remember: only HTTPS provides end-to-end encryption in web browser context.
Tor provides tor-to-tor encryption. Ask researchers to explain you the difference.

Onion Services this post is about are encrypted all the way to server even though the address bar reads http://something.onion. That doesn't prevent you from also adding TLS certificate, but related registration procedures -- especially if they require payments, can deanonymize you. This is dangerous if your intention is e.g. hosting controversial information about your government .

Old onion services use RSA1024 which is broken. So MiTM is possible.
Next Gen onion services rely on highly-criticized cryptoprimitives like NSA-backed SHA3 (Keccak). If it is broken - everything is broken.

Who have made this decision and why?

Tor Browser 7.5 is released | January 23, 2018
officially the sponsors & the giant of the net decide & the teams obey.
in fact it is a technical & a social problem :
- with a weak Tor, you do not drive the same clients ... the time has changed since 2013 & another client need another Tor & onion-network so they did it ...
- cryptography is a very difficult science and the *quantum issue is not solved ; the board of the tor-project take the decisions ... with the agreement of a lot of different actors whom govt/police one ...
sha3 is not broken & a quantum computer does not yet exist.
nsa has not built sha3 afaik : misinformation ?

Next-generation onion crypto replaces SHA1/DH/RSA1024 with SHA3/ed25519/curve25519. Many open-source projects prefer elliptic curves based on 25519 precisely because they were not influenced by NSA. As for SHA3, do you mean the capacity change controversy during the NIST hash function competition? Because NIST decided not to go through with it. "In response to the controversy, in November 2013 John Kelsey of NIST proposed to go back to the original c = 2d proposal for all SHA-2 drop-in replacement instances. These changes were confirmed in the April 2014 draft. This proposal was implemented in the final release standard in August 2015."

Or is there something else?

> Who have made this decision and why?
It's called proposal 224 (prop224).

> registration procedures -- especially if they require payments, can deanonymize you
JavaScript alone has the potential to deanonymise you. If you set up an onion service, consider making it a static site or minimizing how much JavaScript it loads. If you are browsing websites, remember to set the Security Settings slider to Safest (High in old versions).

JavaScript alone cannot deanonymize you unless there is a bug in your browse.r As for using JavaScript on an onion site you are setting up, you can use Content Security Policy to effectively eliminate the risk of XSS.

Schematically (and oversimplifying):

Connection via Firefox to an http website:

DNS server <--> ISP <--> your computer <--> ISP <--> their webhost <--> website

ISPs (and governments) can see which sites you visit and what content you view, what you enter into webforms, etc.

Connection via Tor Browser to an http website:

your computer <==> your ISP <==> entry node <==> relay node <==> exit node <--> site

where <--> unencrypted and <==> encrypted.

ISP can see you are using Tor, but not which site you visit. Global dragnet can see that someone is exiting from a particular exit node and viewing particular pages at the website, and sophisticated attackers (e.g. NSA) can probably figure out you are the one looking at this content. Or maybe not.

This blog uses software which hates ASCII art, but there should also be an unencrypted connection from the exit node to a DNS server, via the exit nodes ISP. So some ISPs and goverments can see someone is visiting the website. amd what content is viewed, but wont know who or where you are. We hope.

See eff.org for a better diagram which also explains the encryption layers which define the "onion" concept.

Connection using Firefox or another modern browser to an https website:

DNS server <--> your ISP <--> your computer <==> your ISP <==> site

So the fact that you visited the website is visible to many including your ISP (in USA, your ISP can sell information about what sites you visit), but what content you viewed (on a large https site) may not be visible to non-state-sponsored attackers (e.g. your ISP). Webhost might be able to see what content you view, but not to know who or where you are. We hope.

Connection via Tor Browser to an https website:

your computer <==> your ISP <==> entry node <==> relay node <==> exit node <==> website

(There is also an unencrypted connection from exit node to a DNS server, via your ISP.)

So your ISP and maybe even your government can tell that you are surfing, but not what sites you visit nor what content you view. We hope. The exit node's ISP can see that someone is visiting the site, but won't know who or from where. We hope.

Now please explain your point.

or facts contrary to the country’s narrative are published, repressive governments can quickly silence those voices by blocking access to those websites.

Sounds like you're describing a la lettre the US government and its war on whistleblowers

Hurrah! Hurrah! Hurrah!

Three thousand thanks to everyone involved in this drive! It is something I have hoped to see for some time and I hope it will be great success.

One (nonpartisan) news site which is often read by US Congress staffers (and lobbyists!) is thehill.com, which currently does not even have https but which really needs to offer an onion. I suspect The Hill would be happy to trial an onion if you approach them, and it will certainly be interesting to see how the surveillance hawks react.

I have also, at some risk to myself from unhappy Feds, urged activists groups for years to strengthen their cybersecurity. Until a year or so ago, too many did not want to believe that companies exist which target activists for large corporations, but as major news organizations become more willing to publicize such incidents as Big Soda hiring malware-as-a-service companies to target soda tax activists in MX (and very possibly also in USA), I hope and believe that a sea change is occurring in terms of how activists judge the likelihood that they will be subjected to targeted malware attacks, illegal searches, various kinds of federal harassment, etc.

Also, a shout-out to ProPublica for awesome journalism (their incisive statistical critique of COMPAS is just now getting more attention!) and for being an early adopter of the onion! More stories on the dangers of algorithmic governance, abuses of Big Data, and psuedoscientifically
"validated" [sic] "objective" judgements by neural network or whatever. Please keep trying to explain over and over why no defense lawyer can cross examine the typical machine learning algorithm, and why that's a huge problem for future victims of the US "Justice" [sic] system.

thehill.com should fix its javascript first. A single tab has my 6-core cpu constantly over 20%, and the website is full of javascript trackers and analytics (look at the NoScript menu when TorButton's security slider is in Safe/Medium mode). Since non-HTTPS clearnet traffic such as theirs doesn't hide the full url from intermediate observers, anyone sitting between you and them (or between you and the third-party javascript hosts or wherever the javascript sends its data) can trivially record what you choose to click, read, and hover your mouse over on that website and over time develop a profile of your identity. There is no good excuse for a high-traffic website on the clearnet not to have HTTPS anymore. SSL certificates can be registered for cheaply (shop around) or for free (for example, through Let'sEncrypt.org).

Most sites on the web list a Contact page in their footers, and The Hill does too: http://thehill.com/contact I think emails from their readers and contributing columnists would be more effective to persuade them than if Tor Project approached them. Their readers could show them this blog post for example.

This is a very important and welcome campaign and I wish it every success. I urge other Tor users to take any opportunity to try to urge reporters they encounter to ask their editors to consider implementing an onion.

One other urgently needed area where I think onions can play an invaluable role is in open-source software repositories. As you know, Tor Project and Debian Project began offering onion mirrors for the Debian repositories back in 2016 (and have also collaborated on reproducible builds and other critically important security-enhancing initiatives), and as you know, there have been some problems reported with the onion mirrors for Debian, but I urge Tor and Debian to work to fix those not to axe the collaboration! We know from several NSA documents leaked by Snowden that NSA (and other such) routinely target software downloads of legitimate software security patches by specific users, inserting malware "on the fly", sometimes even going so far as to "sign" the modified software with stolen credentials. Onions can make it much harder for such agencies to target individuals, and if they try to bork the computers of all Debian users (for example) they are much more likely to get caught, even to find that their malware has been capture, reverse engineered, and published, possibly with credible attribution to themselves. Therefore, onions not only increase the security of fetching security patches but can potentially cause the bad guys to reconsider the wisdom (from their point of view) of relying so heavily on state-sponsored malware to spy or worse.

You probably do not need me to suggest specific open source software repositories; the ones with the most software and the ones which are most used are obvious candidates. Don't neglect sites which specialize in STEM (Science Tech Engineering Math) software because we know from reputable security firms and other credible sources (e.g other Snowden leaked documents) that scientists are routinely targeted, and their dangers they face from state-sponsored attackers is clearly rapidly increasing in an age when fundamental science (climate science to name just one) is under intense political/legal attack by powerful enemies.

To append on your paragraph about repositories... Tor Project, please mention your repository's onion service address in your installation FAQ documentation:
https://trac.torproject.org/projects/tor/ticket/19801
"Opened 18 months ago"

Also update https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor

Some security websites let people login under a public "cypherpunks" account if they don't want to register a name for themselves. On Tor's trac site, the username is "cypherpunks", and the password is "writecode".

Anyone can update that page, but it won't accept new URLs. Annoying.
"Submission rejected as potential spam
Maximum number of external links per post exceeded"
For now, you can circumvent it by replacing "://" in the URLs with ":!!"

That link should be put in the OP. A large list convinces more people.

Оооо.... Torproject начал заниматься пропагандой и рекламой The New York Times. Печально (((

you are laughing at us : posts are heavily censored on your own blog , this one (TorBlog https://blog.torproject.org ... onion address ???)
> We want a free and open internet for all, so let’s onionize and build it.
< ' We ' without yourself & the tor team/support_ers ???
the comments are not published : it is censored at 90 % !

"Here’s the onion address of torproject.org: http://expyuzz4wqqyqhjn.onion/ "
Ok, where is the onion address of this blog? Links on torproject.org to this blog undo the .onion protection.

one cannot post using onion address.
the article is about onion site and they do not provide one !
https://blog.torproject.org/news-orgs-activists-onionize-your-sites-aga…
against censorship ???
i never see a blog so heavily neglected/censored where the dialogue is discarded and the propaganda/misinformation strongly supported : these female voices make me crazy !

"creating an onion version of your website should be your next step."

Please add next-generation onion services to that guide.

I'd like to make a suggestion for a possible future brainstorming session at an NYC Tor meetup:

It is not inappropriate for brainstorming sessions to be more ambitious than codefests, and in that spirit:

When we think about how USG or another government might try to coerce a backdoor into Tor and other software which uses strong cryptography, we usually think of USG serving an NSL letter with an eternal gag order and a threat of indefinite imprisonment in a coffin-sized "black site" prison cell. But USG or another government could also try to coerce hardware providers into putting a backdoor into hardware, which could be difficult to defend against by technical means available to Tor Project devs, since "bare hardware" trumps even a "hardened" OS such as Tails. Is there anything we can do, technically and/or socially, to make it harder for a government to get away with coercing a chip maker in this way?

Another nightmare scenario, all too plausible in some parts of the world, involves "security authorities" with coercive access to the "command center" ("Head End System") of an "urban smart grid" to send commands to a specific smart meter which degrades or even shuts off the power to a particular household which the authorities wish to target. For example, power variations could perhaps be used to confirm that someone whom a sophisticated intelligence agency already knows is currently using Tor (because they saw recent connections to a Directory Authority) is the particular Tor user who is viewing particular content at the other end of a particular Tor circuit the spooks are watching. Or the cyberwarriors might wish to damage or destroy a targeted PC while it is in use. It is clear that many, even most, governments are eager to do such things, differing only in how they define "objectionable" on-line activity.

In some countries, a single command center controls the power grid of numerous cities, possibly even cities in different countries. It is widely agreed that the Russian government has cyberattacked the Ukraine power grid, shutting much of it down on at least two occasions. It may alarm US citizens to learn that Mosenergo, the Moscow power utility, uses a grid build by Landis+Gyr, as do numerous US cities. So the Russian government hardly need exert itself to obtain manuals and the actual gear which should be useful for developing cyberattacks on the US grid. Apparently in recognition of the increasing danger of such cyberstrikes, the Pentagon just announced it will retaliate with nuclear weapons against any attack on "critical infrastructure", which the DHS says includes power grids.

Snowden leaks suggest that GCHQ is very proud of a "computer network action" (cyberwar action) which appears to involve PLC (power line carrier) communications, in which commands are sent over a power line to suitable gear, which apparently can be used to obtain cryptographic keys. Because some smart grids apparently use PLC communications to send data from individual meters up to command center and to send commands down to the meters, this scheme may involve obtaining keys needed for GCHQ to take control of a power grid.

But could US or RU coerce makers of laptop and smart phone batteries to quietly introduce PLC (power line carrier) communication modules which could potentially enable "security authorities" with coercive access to "smart grid" "command centers" (such as the Landis+Gyr command center in Kansas City, MO) to take control of batteries as they are being charged in a "targeted" household? Or to coerce makers of UPS (uninterruptible power supply) gear to include modules which can act on PLC commands to behave abnormally, damaging phones and other electronic equipment in a targeted household?

In the US, "red" elements of the US federal government have recently been caught demanding lists of all households in certain "blue" cities which happen to be occupied by families with Hispanic surnames. Using their coercive access to utility records, it would then be very easy for them to add to these lists the unique machine ID of the smart meter which the utility has installed in each targeted household. (Malicious shutoff commands would be addressed by this unique machine ID.) This suggests that the future of genocide might begin with a government forcing "smart utilities" to selectively shut off power, water, and POTS/mobile phone service to a targeted ethnic group, or members of an oppositional political party.

IMO we should be thinking about how we can possibly try to prevent such horrid scenarios from ever being realized. It seems pretty clear that some governments have the intent, so we must try to ensure that they lack the capacity.

Is it possible that in future, OONI volunteers might be provided with suitable software which could possibly detect that suspicious PLC commands are being sent over a household power line? This might provide early warnings that some government is preparing for an attack on targeted individuals, or even a genocide against some targeted group of citizens.

This is not a risk at all. Comms over power lines don't pass through transformers, which includes the transformers in your house. It can go outlet-to-outlet (usually), but it can't even go house-to-house in most circumstances, and certainly not all the way from the grid.

Not to mention, "smart" devices do not necessarily listen for PLC commands.

These should be of interest to anyone concerned about USG dragnet surveillance:

https://www.washingtonpost.com/news/posteverything/wp/2018/01/25/how-to…
How to fight mass surveillance even though Congress just reauthorized it
What the battle looks like after Section 702's reauthorization
Bruce Schneier
25 Jan 2018

http://thehill.com/policy/cybersecurity/370709-wyden-blasts-fbi-chief-o…
Wyden blasts FBI chief over encryption remarks
Morgan Chalfant
25 Jan 2018

sorry for our lack of intelligence :
- http://thehill.com/policy/cybersecurity/370709-wyden-blasts-fbi-chief-o…
is an insecure link (no https).
- https://www.washingtonpost.com/news/posteverything/wp/2018/01/25/how-to…
repeats the same things since 30 years.
it is not a matter of to be concerned , these laws are approved by more than 50% of the population ; they like survey because they do not want that their wallet & their paradise become the propriety of the refugie/european union (arab_communist_rogue-states_barbarians).
The United States of America is built on this value : us first !
Trump do softly than another did cruelly & with pleasure. i do not appreciate this harassment (yours : a pseudo-political_involved_activist post) where walking on the right side means to be 'stupid', the will of the people is a sovereign decision.
thanks.

could someone answer at these noob questions ?
- is 501(3) a public or a private organization ?
- are the users under the u.s jurisdiction when they run/surf on Tor/onions ?
- are we a 'virtual' justification for your exemption ?
- if we are virtual american citizen ; what is the reason why we are not protected by the same laws than yourself ?
- if we are anonymous citizens which do not need to be 'registered' but do profit of your labor, time, money why are you working for us ?
- does the 501 status allow you to be outside of the trouble of a normal life, to not be concerned ?
thx.

We need to over come not elected not democratic government of Iran. We must all unite in Iran to over come all censorship. We must end to the occupation of Arabs in my country. We want freedom justice night clubs Vodka and disco, my massage to ayatollahs are get hell of my country now or we will make you sure same thing as Hitler and Pinochet Argentina happened to you. Long Live freedom democracy and Vodka and hell to all fags regime of Iran.
ما باید بیش از پیش منتظر بمانیم نه دولت دموکراتیک ایران. ما باید همه را در ایران متحد کنیم تا سانسور تمام شود. ما باید به اشغال اعراب در کشور من پایان دهیم. ما خواهان آزادی عدالت، باشگاه ها ودکا و دیسکو هستیم، ماساژ من به آیت الله ها اکنون از کشور من به جهنم می آید یا شما را همانند هیتلر و پینوشه آرژانتین به شما تحمیل می کنیم. آزادی دموکراسی طولانی مدت و ودکا و جهنم به همه رژیم های فاج ایران.