Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, that it has been breached, or that attackers have placed a JavaScript exploit on its web site.
A hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor also provides anonymity for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents and activists, and to protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, also known as dot onion domains, are cryptographically and automatically generated by the Tor software. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository or registry of addresses. The dot onion address is both the name and the routing address for the services hosted at the dot onion. The Tor network uses the .onion address to direct requests to the hidden server and to route the data from the hidden server back to the anonymous user. The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion addresses.
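Why no registry is needed, as an added example that is not part of the original post or of the Tor source: in the 16-character address format shown above, the label is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, so anyone holding the key can check the name. The function names and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# 16 base32 characters (a-z, 2-7) encode exactly 80 bits.
V2_LABEL = re.compile(r"^[a-z2-7]{16}$")

# Constructed stand-in bytes; a real service hashes its DER-encoded RSA public key.
SAMPLE_KEY = b"constructed stand-in for a DER-encoded RSA public key"


def onion_label(url_or_host):
    """Return the 16-character label of a .onion name, or None if malformed."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    if not host:
        return None
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain prefix
    return label if V2_LABEL.match(label) else None


def label_to_id(label):
    """Decode a validated label into its 10-byte (80-bit) service identifier."""
    return base64.b32decode(label.upper())


def address_from_public_key(der_public_key):
    """Derive the address: base32 of the first 10 bytes of SHA-1(public key)."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def key_matches_address(der_public_key, url_or_host):
    """True only if the key hashes to the address being visited."""
    label = onion_label(url_or_host)
    if label is None:
        return False
    return address_from_public_key(der_public_key) == label + ".onion"


if __name__ == "__main__":
    derived = address_from_public_key(SAMPLE_KEY)
    print(derived, key_matches_address(SAMPLE_KEY, derived))
    print(key_matches_address(SAMPLE_KEY, "http://idnxcnkne4qt76tg.onion/"))
```

Because the name is derived from the key, a server that cannot present the matching key cannot answer for the address, which is what lets the address double as a routing identifier without any registry.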
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server so that it injects some sort of JavaScript exploit into the web pages delivered to users. This exploit is used to load a malware payload to infect users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.
As of now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

Philip Angus Nunes

August 04, 2013

In reply to by Anonymous (not verified)

Whonix is neither Windows, nor does it know your home IP, so in theory the VM should not be able to disclose it through this security issue. The code is still being examined at the time of me writing this though, so I suppose we cannot be 100% sure of what this could affect.

The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53.

People who are on the latest supported versions of Firefox are not at risk.

Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.

Philip Angus Nunes

August 04, 2013

they only shut down the biggest pedo host in the tor world.

No, they didn't. There are sites that have more GBs than everything combined on "Freedom Hosting", and "Freedom Hosting" also had a lot of legit sites like TorMail.

Philip Angus Nunes

August 06, 2013

In reply to by Anonymous (not verified)

I think they targeted FH because it would inflict the most noticeable, immediate damage on the Tor network.

I hope my Tormail address is not gone permanently.

So what does this mean for the people who legitimately used TOR mail for social purposes, and had nothing to do with the criminality in question?

That's probably why FH had so much of it. They used TorMail and other legit sites as a cover if you will. (Sorta like Prohibition-era mobs running speakeasies beneath, say, bookstores)

They have also revealed a Firefox exploit which presumably affects the tor browser bundle. That's the relevant news here. We've got to know about that exploit, so now we can expect that bug in Firefox to be fixed.
Also it's a nice reminder: web browsers tend to have critical bugs in them. JavaScript engines are becoming more and more complex, and thereby the number of critical bugs in them grows continuously.
Of course, there is nothing really surprising in this. Like most developers, the guys developing Firefox tend to focus more on implementing new features and improving performance than on making their product as secure as they can make it. It is just more fun to do something that has some effect on the user experience than to review lots of code.

> It is just more fun to do something that has some effect on the user experience than to review lots of code.
Yup. As funny as running firefox on 512MB-machine with slow CPU, or even building\installing 100+ dependencies. And with no alternative, since rendering engines nowadays are also complex and fat, which automatically increases entropy, i.e. increases probability of a bug.

Firefox binary is larger than my system kernel.

What about Midori and QupZilla?

Anyone who's used these delightfully fast and light browsers would surely understand my wishing that one of them could be adopted for Tor use (as well as be made to be at least as secure as Firefox for ordinary browsing; offer NoScript functionality, etc.)

So the canary died. And you sit in your coal mine with a smug grin on your face lighting your cigarette? Quite narrow minded if you ask me.

The canary did its job. Now, to work out how the canary might not have died, and adjust designs / practices accordingly. That's how these things work.

I'm minded to think that if an anonymous community arises such as the Tor hidden services community, that community can either police itself, or expect to be policed. We didn't bother worrying about the fact that Tor hidden services were being used for the distribution of child pornography, so someone else worried about it for us. Is everyone really that surprised by this?

I think it's more that we didn't worry that it *could* be policed... Time to change infrastructures to one they don't own.

/r/darknetplan

Best comment, by now!

The crux of the matter is the fact that many gullible people here and elsewhere haven't been caring about who runs, funds and developed Tor in the first place, and how those people are not what they pretend to be.

KP is an excuse. They just want to "regulate", and unless there is severe pushback, today is the first day of Tor's demise. So unless it is fortified tenfold, Tor is done for, and it is time to develop a new, secure, free world, detached from the oppression of thugs.

Except in all likelihood, the child porn servers were being run by the FBI themselves to discredit Freedom Hosting. It's not as if it has not happened time and time before:

http://www.breitbart.com/InstaBlog/2013/05/30/FBI-Ran-Pedophile-Ring-to…

It's a simple tactic: you try to publicly accuse person/company x of doing something society overwhelmingly condemns, in order to trash their public reputation; no one will then dare criticise the actions and the huge holes in the flawed accusation, for they will fear they will themselves be accused of condoning the activities person/company x was accused of.

No, the demise of Tor is not imminent. The Office of Naval Intelligence developed it, and the State Department uses it for diplomatic traffic. The U.S. government also promotes its use to oppressed populations (at least those we support) internationally. Tor is not going anywhere. Tor mail is another matter. That was probably the target.
Gnovalis

Absolutely. If Tor services can be compromised and shut down because of some illegal child porn activity that someone doesn't like and with it simultaneously shut down a lot of other sites not involved in child porn... then the Tor network can no longer be considered a safe option for whistle blowers, reporters, activists and others. This week, it's child porn, next week it may be a whistle blower or an activist...

Basically, you're all morons.

Tor sites have never been immune to some of the most common attacks, such as DDoS attacks, and the fact you're connecting your web services (Apache+PHP+MySQL+Whatever else) to the clients via Tor does not automatically make those more secure, nor does it make the clients more secure.

Tor itself did its job. There is no reason to suspect that Tor is in any danger of compromise. The problem lies on both sides of the Tor connection.

Tor did its job?

The sole purpose of Tor is to provide anonymity, to both users and hidden service providers.

Now we know that users of Tor can be identified, and hidden servers aren't hidden after all.

I'd call that a big fat FAIL.

Pardon my French, but why do you assume that it is TOR that got compromised?

For all we know, the feds might have broken into FH's servers (and out of any VMs FH might have employed for security) and leveraged this position to bypass TOR.

It's actually not even that hard - there's probably a lot of heterogenous code on any shared hosting, some of it less secure than other.

Or, and in my opinion, most likely, they just had a rat in the datacenter. The weakest link is usually the one made of meat.

There are now law and rules when it comes to tracking down pedophiles. They do not deserve to be protected by the law. The FBI did an amazing job, and saved many kids from EVIL sick molesters.

Philip Angus Nunes

August 04, 2013

Roger, Jacob, Karen, Tom, Andrew, or whoever reads this comment section: We can't trust exit nodes and/or hidden services. These guys are injecting javascript and using 0-day exploits against the browser bundle.

Right now, the NoScript in the browser bundle is set up to allow JavaScript. In the past, it blocked it. It's a pity we have to block it again, but it seems there is no way around this.

Have to be honest, having followed Tor off and on for about ten years, I'm quite surprised to hear that the Torbrowser was shipping with javascript enabled. What drove that decision?

Not very anonymous when you are rooted by FBI 0 day. Tor developers need to wake up and see that we want a fucking anonymity network and anonymity and security software, not something that slows down our internet while we watch cat videos on youtube. Unfortunately they have been more and more going in the direction of user friendliness even at the significant expense of user security and anonymity, and I just wonder how friendly it will be in prison for all of the people who just were deanonymized because of user friendly software.

With all due respect, up until recently, Javascript WITHOUT Flash and/or Java was thought to be safe.

Actually, I would have to say it still IS safe unless there is a big freaking hole in Javascript somewhere.

Right. There are a lot of parts of Firefox that are potential attack surfaces. Javascript is one big one, but there are other big ones. We shouldn't focus solely on Javascript or we'll end up surprised by the next vulnerability.

Thought to be safe? By whom? JavaScript is indeed safer than Flash, and probably Java, but that's not saying much! JavaScript has historically been a source of *innumerable* security bugs in *every* browser I know of that has implemented it. Not to mention all of the subtle ways that intentional JavaScript features (as opposed to bugs) may be used to compromise your anonymity, because they simply weren't designed with anonymity in mind.

It is, in my view, foolish in the extreme not to assume that "the bad guys", whoever they are, have frequent access to 0-day vulnerabilities in the major JS implementations. This seems likely to continue for the foreseeable future, especially given how much browser makers have been focusing lately on improving JS performance (which almost inevitably results in the introduction of new vulnerabilities.)

^ This.

JavaScript is considered THE number one reason of virus infections.
Virtually EVERY exploit kit worldwide uses JS to see if the target is vulnerable in the first place, even if the actual exploit doesn't use a JS vulnerability.

Activating it is batshit insane crazy with suicidal tendencies.

If you browse the clearnet without NoScript, you are a risk to yourself and the rest of the internet,
if you do illegal stuff with JS enabled, you are a risk to yourself and the rest of the internet and are asking to be put into prison.

"If you browse the clearnet without NoScript, you are a risk to yourself and the rest of the internet,"

Isn't it about time that at least /some/ of the most basic protections that NoScript offers, such as against XSS, be incorporated into Firefox itself? (and, for that matter, other browsers as well)