Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site.
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don´t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion-addresses.
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix
them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.


August 05, 2013


If the NSA and other government's are tracking all internet data, then what makes you think that anything over tor is anonymous to begin with?

If all of the data is tracked, then the data masters need only connect the dots. This is a well known weakness of tor. If one entity controls too many tor nodes then they can easily connect the entry to the exit. This is the same as NSA tracking all of the data.

Maybe, maybe not. I at least don't know how elaborately they track the internet traffic. Keep in mind, that a Tor Node doesn't necessarily only handles one connection at a time. Tor Nodes are providing connections for multiple users at the same time. So the traffic will get mixed up. Imagine a Shell Game. You have these, let's say, 5 Shells. You put 5 different colored beans underneath them. Then you show the NSA under which shell which bean is. After that you shove them all under a bigger shell and jumble them around without the NSA having a chance to peak into the big shell. Then you take the smaller shells back out and the NSA has to guess what bean is under which shell.
I may be wrong, but this is how it works.
Though I don't know if the NSA has any means to recognise the encrypted packets before and after they pass the node by their size for example. The packets should look different, because a layer of the onion is peeled off by the Node.


August 05, 2013


Why the hell would they inject this crap on Tormail?
The firefox version with the tor bundle I had installed was 10.0.7 ESR. I had also disabled javascript from firefox settings (Options > Content). Would I have been compromised at all?


August 05, 2013


So in what time frame was this vulnerability exploited? The past week? The past month?


August 05, 2013



I have some off-topic but relevant to higher security, critical for me.

Does someone of you using "3proxy" (minimal all-in-one-solution 3proxy.exe from http://3proxy.ru/). Do you trust this proxy SW?
Minimaly standalone service socks.exe is permanently detected like malware TrojanProxy:Win32/Small.DY.

From time to time i stop trust some node and block it. Exist some web for exchanging information between TOR users? Web when people speeks obout recomanded and trusted nodes?

Thank You, have nice a day.

Cookies for validation...?

Yeah, that was real smart.

just disable javascript in Tor Browser by default you f**ing idiots

If you would actually READ THE PREVIOUS POSTS, there is a goddamned good reason why they do NOT do that by default.


We need a solution that blocks certain 'weird' things and perhaps a solution that blocks cross-site scripting by default to prevent an issue like this happening in the future.

The RequestPolicy extension is a good start (and I feel it should be included by default with TBB from now on) however even that extension doesn't block some of the 'more dangerous' JavaScript functions that .onion websites especially shouldn't use.

I am completely new to this, not a tech guru like most of you are. I simply happened to download the TOR Bundle a couple days ago. I'm on a Mac, was using Apple's Safari browser when downloading the TOR Bundle. I wanted to download the TOR Mail, but when I clicked on the links, nothing would come up, so I was frustrated that I couldn't seem to find the TOR Mail site. It seems that perhaps I came into this after the TOR Mail servers/hosts/whatever you call it were shut down...? So am I ok w/ respect to having my IP logged by someone...? All I was trying to do was find a secure email system and web-browing system.

Me too.

JavaScript isn't the main problem here. They may also have 0-day-exploids for other components:
- CSS Parser
- XML Parser
- media handling (image parser, audio decoding, ...)
- DOM handling

Sure, JavaScript is more complex which leads to more potential bugs. But the main problem here is that browser isn't an isolated component and can always contain security bugs. How do think about:

Sandbox: Contains Firefox and Profile files, is wiped after exit
User I/O (including key presses and frame buffer): Handled by a special sandbox hole.
Network: Firefox can only interact with a TOR proxy that doesn't run in the VM. So it is not possible to leak the IP address when exploiting firefox.

From what I have read no one is sure how the FH admin was identified. Until this is explained I don't see why anyone would want to run a Tor hidden service.

Right, which means it is possible he was caught by good ol social engineering. Good riddance to bad trash IMO.

It could have been a webserver exploit. FH offered PHP and MySQL.

When javascript is enabled by default in the options settings, it is still blocked by noscript; I did the test with www.isjavascriptenabled.com/

so not allowing scripts globally seems to block as well javascript but maybe it needs more to really block???

Tor has never been anonymous nor claims to be
I once had a convasation with nick before Tor in his mixminion days
suddenly money was donated to tor
nIck joined the tor dev
With over 4000 plus nodes its a big con but a nice one.

Dr Fred Pipper

I don't even understand why there is Javascript in Tor Browser... The principle of Tor is to be anonymous, if you turn on JS, you might as well use normal Firefox...

"if you turn on JS, you might as well use normal Firefox..."


You are not making sense.

shit, if they have your IP are you going to get a visit, by just viewing a site once or twice?

I wouldnt worry about that. I highly doubt valuable resources would be used to target very insignificant individuals; thats not the kinda stuff which makes the news.

Don't worry about this one so much, but rather focus on the next security holes. There are lots of them. What about Flash? And what about fingerprinting? And what about preventing anything to circumvent the browser's settings. That's the biggest leak possible when the it is somehow allowed to communicate with a fisher directly. What about all those ancient, forgotten topics, like cookies? That should be looked upon NOW!

The Hacker News Provide more details about the hack, FBI's tools and more http://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-porn…

Still doesn't explain how the exploit got onto the servers to begin with, and how it was positioned and setup to be downloaded to the client browser.

As far as I am concerned, that is the bigger issue.

If hidden servers aren't really hidden and can be easily infected with malware, then the Tor hidden services are pointless.

I use TOR sometimes. I always try to remember to turn off javascript, but sometimes I just forget. The developers made a huge mistake to turn on javascript by default.

i wonder when they startet this attack... just some days ago or longer ?

So far everything points to August 2nd 2013, who knows though, because that wasn't tracked too meticulously. We just know that's when reports came out about malicious js attacks on fh

It started on 29 or 30 July

What happens to users who like me, have visited Tormail using Orweb on Android phone??

Are we infected?? Or it only affects Windows users??

Im in the same sit , but i had javascript disabled on my android and i saw that message i think if it was only for tbb on windows i wouldn affect android or any other unix based system , please correct me if im wrong

It's strange no one really knows what's going on.
And what's the point in collecting IP's? Do they want to raid everyone that has clicked on a website that was hosted on "Freedom Hosting"? There must be something more behind this stuff.

it is called ip address mining, they will later subpoena the possessors of those ips, lawful intercercept etc

I do not think so. First of all, as we keep on pointing out, those of us 'in the know' on security issues, an IP address /= to a specific person.

Now, supposedly this ALSO got MAC addresses but those can be faked in the real world as well, so they are of little to no usage as well.

From what I have been reading, this only targeted people who didn't properly keep their TBB up-to-date, which in the real world is something that any sane person would do.
You see an update on Tor Blog or TBB itself tells you that there is an update, you immediately go and damned well install that update! No if's, and's, or but's about it.

Here is a list of the sites that were effected - http://uscyberlabs.com/blog/2013/08/05/freedom-hosting-tor-website-list…

Do you know when the JS code was inserted into the sites in question?

Are Mac users exposed to this attack or is it just Windows based?

was this expoit possible in 17.05 ? or existed this bug only in 17.06 ?

Only 17.0.7 is fine.

I tried TOR once or twice in my life but I never needed it so I use my normal browser without proxy's and so on. After all, I have nothing to hide so no need for tor.
I think it's cool from the FBI that they've hunted down a big child porn online. Even if it costs the credibility of TOR. TOR didn't blocked the content, well the FBI gets it.
So for all those coders out there. Block content that is related to child porn and everything illegal. Else next exploit will hit the network I think...

You, sir, are one of the government's brainwashed blindly obedient subjects, and you have never been more wrong in your life.
And they also took down legitimate sites, including TorMail, which I was unfortunate enough to check. Luckily, I believe I was using 2.3.25-10, which has the fixed version of Firefox. The attack was discovered a few weeks before it was used against the very concept of privacy itself.
And what's next? Trying to report the next leak of government insanity? They might hack those in the greatest need of privacy.

I am the same replier as just above.
If there was a way to remotely shutdown or block sites, then the government could just hack the central registry and then block or identify ANY hidden servcvice they wanted. That would be bad news for whistleblowers.
And what if they threatened to arrest the Tor people unless they included a backdoor?
The mere existence of a kill-switch is a open backdoor in Tor's security, privacy, and long-term usability.

You are f*cking moron.

Buy a BRAIN.

May your chains rest lightly upon you.

Same questions over and over and over and over and over and over AGAIN. READ THE FUCKING THREAD. It is exactly people like you who where affected because you cannot read not even the documentation about TOR on https://torproject.org

Are iframes automatically forbidden if you have forbidden scripts globally in noscript, or do you have to disable them separately to be safe from this exploit?

Ok, there seems to be some questions many people keep asking. Hopefully we can answer some of them? I'm seeking the guidance of someone who knows better.

-I had JavaScript enabled in my browser settings with the bundle - but noscript was ENABLED. <~ some smarty pants seem to think this means the FH JS exploit still got through? Please elaborate, because I highly doubt it!

-By default scripts are allowed globally(dangerous), <~ it even says this on the option, if your browser was set up like this you may be compromised.. Correct?

-With Noscript enabled JavaScript is disabled by default <~ is this true? Java is disabled on noscript by default, how about everything else script-wise?

FH is gone, all his millions on his offshore accounts - I wonder more about this, I bet they can't seize all of it!

Don't assume anything thus far. Not one thing. For all we know, they just got a 'face front' for Freedom Hosting and Freedom Hosting will be back.

I do not and did not look at child pornography, but I did use TORMail for some things online (have some opinions on some subjects that would be dangerous to me if regular people knew about them) and I am a little angry that Freedom Hosting went down.

I'm honestly hoping that the Irishman they supposedly got had no connection to Freedom Hosting and they are just spouting out of a certain part of their body.