News Orgs & Activists: Onionize Your Sites Against Censorship
In many countries, censorship of websites with critical information or news is commonplace. If opinions, analysis, or facts contrary to the country’s narrative are published, repressive governments can quickly silence those voices by blocking access to those websites.
For instance, in September 2017, one day after Human Rights Watch released a report on systematic torture in Egypt’s jails, Egypt blocked access to the HRW website, curtailing its people’s access to the report and leaving them uninformed about their own country’s treatment of its citizens. Egypt has also blocked numerous news sites, including Al Jazeera, so when AJ reported on Egypt’s block of HRW after the report on torture was released, the most critical audience, the Egyptian people, were less likely to be reached.
Publishing a website using onion services over the Tor network is a way to circumvent many state-led methods of censorship. These website addresses end in the TLD .onion. Just as the https:// version of a website provides more security than the http:// version, an onion address serves what appears to be the same site but gives a visitor more privacy and security through end-to-end encryption and improved authentication.
Visiting an onion address is easy. All that’s needed is Tor Browser (Tor Browser is built from Firefox and is similar to use); you visit the onion address in Tor Browser like you visit any web address.
Here’s the onion address of torproject.org: http://expyuzz4wqqyqhjn.onion/
Download Tor Browser and check them out.
If your organization’s site is already blocked anywhere in the world, or if you are calling out injustices, sharing state-suppressed resources, or just want to provide your site and users with better privacy and security, creating an onion version of your website should be your next step.
Alec Muffett, a security researcher and longtime member of the Tor Community, has created the Enterprise Onion Toolkit (EOTK) to make it easier for you to give a public site a corresponding onion address. You can ping Alec on Twitter or join the EOTK mailing list if you have any questions about how to use it.
We want a free and open internet for all, so let’s onionize and build it.
The onion services this post is about are encrypted all the way to the server even though the address bar reads http://something.onion. That doesn't prevent you from also adding a TLS certificate, but related registration procedures, especially if they require payments, can deanonymize you. This is dangerous if your intention is e.g. hosting controversial information about your government.
Old onion services use RSA1024 which is broken. So MiTM is possible.
Next Gen onion services rely on highly-criticized cryptoprimitives like NSA-backed SHA3 (Keccak). If it is broken - everything is broken.
Who have made this decision and why?
Tor Browser 7.5 is released | January 23, 2018
Officially the sponsors & the giant of the net decide & the teams obey.
In fact it is a technical & a social problem:
- with a weak Tor, you do not drive the same clients ... the time has changed since 2013 & another client needs another Tor & onion-network so they did it ...
- cryptography is a very difficult science and the *quantum issue is not solved; the board of the tor-project takes the decisions ... with the agreement of a lot of different actors whom govt/police one ...
SHA3 is not broken & a quantum computer does not yet exist.
NSA has not built SHA3 afaik: misinformation?
Next-generation onion crypto replaces SHA1/DH/RSA1024 with SHA3/ed25519/curve25519. Many open-source projects prefer elliptic curves based on 25519 precisely because they were not influenced by NSA. As for SHA3, do you mean the capacity change controversy during the NIST hash function competition? Because NIST decided not to go through with it. "In response to the controversy, in November 2013 John Kelsey of NIST proposed to go back to the original c = 2d proposal for all SHA-2 drop-in replacement instances. These changes were confirmed in the April 2014 draft. This proposal was implemented in the final release standard in August 2015."
Or is there something else?
> Who have made this decision and why?
It's called proposal 224 (prop224).
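The address formats behind the v2-versus-v3 discussion above, as an added example that is not part of the original post or its comments and is not Tor Project code. It tells a 16-character v2 name (an 80-bit SHA1 truncation of an RSA1024 key) from a 56-character v3 name (ed25519 public key, 2-byte SHA3-256 checksum, version byte, as in the v3 specification that grew out of prop224) and verifies the v3 checksum offline. The function names and the sample key are assumptions made for the example.

```python
import base64
import hashlib

ONION_SUFFIX = ".onion"
V3_VERSION = b"\x03"
V3_CHECKSUM_PREFIX = b".onion checksum"  # constant string from the v3 spec


def v3_checksum(pubkey: bytes) -> bytes:
    """First 2 bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(V3_CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(blob).decode("ascii").lower() + ONION_SUFFIX


def classify_onion(host: str):
    """Return (version, valid, detail) for an onion hostname, checked offline."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(ONION_SUFFIX):
        return (None, False, "not a .onion name")
    label = host[: -len(ONION_SUFFIX)].split(".")[-1]  # drop any subdomain labels
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return (None, False, "label is not base32")
    if len(label) == 16:
        # v2: 80-bit SHA1 truncation of the RSA1024 key; no checksum to verify.
        return (2, True, "legacy v2: SHA1/RSA1024, 80-bit identifier")
    if len(label) == 56:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version != V3_VERSION:
            return (None, False, "unknown version byte")
        if checksum != v3_checksum(pubkey):
            return (3, False, "checksum mismatch (typo or tampering)")
        # The key is not validated as a curve point here, only the checksum.
        return (3, True, "v3: ed25519 key embedded in the address")
    return (None, False, "unexpected label length")


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed bytes, not a real service key
    for name in ("expyuzz4wqqyqhjn.onion", v3_address(sample_key), "torproject.org"):
        print(name, "->", classify_onion(name))
```

A v2 name can only be checked for form, because nothing in its 80 bits lets a client detect a mistyped character; the v3 checksum catches that before any connection is attempted.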