Hidden Services, Current Events, and Freedom Hosting
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don´t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion-addresses.
them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.
EDIT: See our next blog post for more details about the attack.
It's not unreasonable to assume they can develop capabilities for penetration of browsers with JS disabled, or already have such ability.
A more robust approach would be to get a goddamn Raspberry Pi and this https://github.com/grugq/PORTALofPi (assuming you have to seriously worry about FBI), and / or a really thorough VM setup (though it's not like there aren't any VM escape exploits out there, amrite? =) )
Even loading images can be dangerous, depending on the image-loading code. A PHP script that returns an image mimetype could be used to exploit any weakness in that code. Should we look at the entire internet in plaintext, given the possibility that there's a vulnerability in that code? How many other attack vectors have opened up recently?
I distinctly recall that there was a time (early 2000s) when there was a windoze bug that allowed to deliver and execute code via nothing but an image
This is hardly the only image rendering bug that can inject code...