Hidden Services, Current Events, and Freedom Hosting
Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a JavaScript exploit on its web site.
A hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents and activists, and to protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the Tor software. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository or registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion addresses.
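An added example, not Tor Project code: a sketch of why no registry is needed. In the legacy (v2) scheme that produces 16-character addresses like the one above, the address is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded public key, so a client can check a presented key against the address itself. The function names and the sample byte strings are assumptions made for illustration; the byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import hmac
import re

# Legacy (v2) onion label: 16 characters from the base32 alphabet a-z, 2-7.
V2_LABEL = re.compile(r"^[a-z2-7]{16}$")


def onion_from_pubkey(der_pubkey: bytes) -> str:
    """Derive the v2 onion hostname from a DER-encoded RSA public key."""
    digest = hashlib.sha1(der_pubkey).digest()
    # Keep the first 80 bits (10 bytes); base32 turns them into 16 characters.
    label = base64.b32encode(digest[:10]).decode("ascii").lower()
    return label + ".onion"


def parse_onion_label(host: str):
    """Return the 16-character label of a v2 onion hostname, or None."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    # The service label is the one directly before .onion; subdomains are ignored.
    label = host[: -len(".onion")].split(".")[-1]
    return label if V2_LABEL.match(label) else None


def key_matches_address(der_pubkey: bytes, host: str) -> bool:
    """Check that a presented key is the one the address commits to."""
    label = parse_onion_label(host)
    if label is None:
        return False
    expected = onion_from_pubkey(der_pubkey)[: -len(".onion")]
    return hmac.compare_digest(expected, label)


# Constructed stand-in bytes, not real keys: any byte string shows the mapping.
SAMPLE_KEY = b"constructed-sample-public-key-bytes"
OTHER_KEY = b"constructed-other-public-key-bytes"

if __name__ == "__main__":
    addr = onion_from_pubkey(SAMPLE_KEY)
    print(addr, key_matches_address(SAMPLE_KEY, addr))
    print(key_matches_address(OTHER_KEY, addr))
    print(parse_onion_label("idnxcnkne4qt76tg.onion"))
```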
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server so that it injects some sort of JavaScript exploit into the web pages delivered to users. This exploit is used to load a malware payload to infect users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.
For now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.
EDIT: See our next blog post for more details about the attack.
What was the purpose of including NoScript in the bundle and then globally allowing scripts, flash, silverlight, font-face etc?
Why on earth would you enable javascript by default?
These are not the settings TBB used to have.
I'm guessing because they figure most Tor users just want to visit mainstream clearnet sites anonymously, and most mainstream sites use the simpler functions in javascript. So it makes sense to allow javascript, but also use NoScript to also block out any potentially dangerous parts (like iframe).
The default settings in NoScript on the tor BB block nothing. "Allow Scripts Globally" and all browser plugins are allowed. It literally does nothing to keep you safe from a malicious attack when used in the default settings, which Vidalia seems to tout so much.
Not all Javascript is allowed; the Tor Browser has some patches against the real version of Firefox that block or modify some known dangerous Javascript. Also, most (all?) external plugins should be blocked by a patch too.
Now, after seeing that real exploits against Firefox over and over again use Javascript, I believe blocking Javascript by default is something the Tor developers should consider.
I agree. Please help with
https://trac.torproject.org/projects/tor/ticket/9387
I'm not sure which is more baffling and disturbing:
a) The fact that neither you (arma*) nor any of your colleagues have addressed the glaring, utter CONTRADICTION between what you have been posting here regarding JavaScript and what is stated at
https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled,
or,
b) The fact that no one besides myself seems to be bothered by a) (or even /noticed/ it)
https://trac.torproject.org/projects/tor/ticket/9387
I skimmed and did a Ctrl-f for "faq". Nothing.
Incredible. Absolutely incredible.
*BTW, I apologize for referring to you in the feminine in previous posts. I had you confused with a female colleague.
Freedom is dirty business.
It is not sanitary, never has been, never will be, and any misguided attempt to make it so will destroy it. History has proven this repeatedly.
Also, collective punishment is not justice, because it punishes the innocent along with the guilty.
Whatever happened to the bedrock American principle that it was better to let 10 guilty go free, than for one innocent to be wrongly punished?
Freedom demands that we tolerate a certain degree of unsavory messiness in life, as the attempt to eliminate it eliminates freedom itself.