Nine Questions about Hidden Services

This is an interview with a Tor developer who works on hidden services. Please note that Tor Browser and hidden services are two different things. Tor Browser (downloadable at TorProject.org) allows you to browse, or surf, the web, anonymously. A hidden service is a site you visit or a service you use that uses Tor technology to stay secure and, if the owner wishes, anonymous. The secure messaging app ricochet is an example of a hidden service. Tor developers use the terms "hidden services" and "onion services" interchangeably.  1. What are your priorities for onion services development?  Personally I think it’s very important to work on the security of hidden services; that’s a big priority. The plan for the next generation of onion services includes enhanced security as well as improved performance. We’ve broken the development down into smaller modules and we’re already starting to build the foundation. The whole thing is a pretty insane engineering job.2. What don't people know about onion Services? Until earlier this year, hidden services were a labor of love that Tor developers did in their spare time. Now we have a very small group of developers, but in 2016 we want to move the engineering capacity a bit farther out. There is a lot of enthusiasm within Tor for hidden services but we need funding and more high level developers to build the next generation. 3. What are some of Tor's plans for mitigating attacks? The CMU attack was fundamentally a "guard node" attack; guard nodes are the first hop of a Tor circuit and hence the only part of the network that can see the real IP address of a hidden service. Last July we fixed the attack vector that CMU was using (it was called the RELAY_EARLY confirmation attack) and since then we've been divising improved designs for guard node security. For example, in the past, each onion service would have three guard nodes assigned to it. Since last September, each onion service only uses one guard node—-it exposes itself to fewer relays. This change alone makes an attack against an onion service much less likely. Several of our developers are thinking about how to do better guard node selection. One of us is writing code on this right now. We are modeling how onion services pick guard nodes currently, and we're simulating other ways to do it to see which one exposes itself to fewer relays—the fewer relays you are exposed to, the safer you are. We’ve also been working on other security things as well. For instance, a series of papers and talks have abused the directory system of hidden services to try to estimate the activity of particular hidden services, or to launch denial-of-service attacks against hidden services.We’re going to fix this by making it much harder for the attacker's nodes to become the responsible relay of a hidden service (say, catfacts) and be able to track uptime and usage information. We will use a "distributed random number generator"--many computers teaming up to generate a single, fresh unpredictable random number.  Another important thing we're doing is to make it impossible for a directory service to harvest addresses in the new design. If you don't know a hidden service address, then under the new system, you won't find it out just by hosting its HSDir entry. There are also interesting performance things: We want to make .onion services scalable in large infrastructures like Facebook--we want high availability and better load balancing; we want to make it serious.[Load balancing distributes the traffic load of a website to multiple servers so that no one server gets overloaded with all the users. Overloaded servers stop responding and create other problems. An attack that purposely overloads a website to cause it to stop responding is called a Denial of Service (DoS) attack.  - Kate] There are also onion services that don’t care to stay hidden, like Blockchain or Facebook; we can make those much faster, which is quite exciting. Meanwhile Nick is working on a new encryption design--magic circuit crypto that will make it harder to do active confirmation attacks. [Nick Mathewson is the co-founder of the Tor Project and the chief architect of our software.] Active confirmation attacks are much more powerful than passive attacks, and we can do a better job at defending against them. A particular type of confirmation attack that Nick's new crypto is going to solve is a "tagging attack"—Roger wrote a blog post about them years ago called, "One Cell Is Enough"—it was about how they work and how they are powerful. 4. Do you run an onion service yourself?   Yes, I do run onion services; I run an onion services on every box I have.  I connect to the PC in my house from anywhere in the world through SSH—I connect to my onion service instead of my house IP. People can see my laptop accessing Tor but don’t know who I am or where I go.  Also, onion services have a property called NAT-punching; (NAT=Network Address Translation). NAT blocks incoming connections;it builds walls around you. Onion services have NAT punching and can penetrate a firewall. In my university campus, the firewall does not allow incoming connections to my SSH server, but with an onion service the firewall is irrelevant. 5. What is your favorite onion service that a nontechnical person might use?  I use ricochet for my peer to peer chatting--It has a very nice UI and works well. 6. Do you think it’s safe to run an onion service?  It depends on your adversary. I think onion services provide adequate security against most real life adversaries.However, if a serious and highly motivated adversary were after me, I would not rely solely on the security of onion services. If your adversary can wiretap the whole Western Internet, or has a million dollar budget, and you only depend on hidden services for your anonymity then you should probably up your game. You can add more layers of anonymity by buying the servers you host your hidden service on anonymously (e.g. with bitcoin) so that even if they deanonymize you, they can't get your identity from the server. Also studying and actually understanding the Tor protocol and its threat model is essential practice if you are defending against motivated adversaries.7. What onion services don’t exist yet that you would like to see?  Onion services right now are super-volatile; they may appear for three months and then they disappear. For example, there was a Twitter clone, Tor statusnet; it was quite fun--small but cozy. The guy or girl who was running it couldn’t do it any longer. So, goodbye! It would be very nice to have a Twitter clone in onion services. Everyone would be anonymous. Short messages by anonymous people would be an interesting thing. I would like to see apps for mobile phones using onion services more—SnapChat over Tor, Tinder over Tor—using Orbot or whatever.  A good search engine for onion services. This volatility comes down to not having a search engine—you could have a great service, but only 500 sketchoids on the Internet might know about it. Right now, hidden services are misty and hard to see, with the fog of war all around. A sophisticated search engine could highlight the nice things and the nice communities; those would get far more traffic and users and would stay up longer. The second question is how you make things. For many people, it’s not easy to set up an onion service. You have to open Tor, hack some configuration files, and there's more.We need a system where you double click, and bam, you have an onion service serving your blog. Griffin Boyce is developing a tool for this named Stormy. If we have a good search engine and a way for people to start up onion services easily, we will have a much nicer and more normal Internet in the onion space.  8. What is the biggest misconception about onion services?  People don't realize how many use cases there are for onion services or the inventive ways that people are using them already. Only a few onion services ever become well known and usually for the wrong reasons. I think it ties back to the previous discussion--—the onion services we all enjoy have no way of getting to us. Right now, they are marooned on their island of hiddenness.  9. What is the biggest misconception about onion services development? It’s a big and complex project—it’s building a network inside a network; building a thing inside a thing. But we are a tiny team. We need the resources and person power to do it.  

(Interview conducted by Kate Krauss)

#will you please to allow me a short answer ? it is tor blog.
1)we are agree on one thing ; it is a troll(very funny).
2)cap+jews&nazi are irrelevant.
3)speech freely as tor user does not mean bring trouble with personal attack.
#Don't try to shut up his mouth nobody will try to shut up yours (8 years old).

victorhck

November 21, 2015

Permalink

I do not truly think that Tor can protect your identity. The companies out there have special browser fingerprinting programs and codes that can still determine your identity. Tor is like a kiddie toy for anonymity. If you really want true privacy, I think you have to really scramble your hardware infrastructure. I think software is just one layer, but hardware is another layer you have to tackle regarding privacy. Some hardware are bugged initially upon purchase so...let your imagination run wild.

Tor do protect your identity and hardware is not buggy ; it is a product and like others products , it is made for the consumers.
One of these one is a group (gov, private enterprise, etc) and the reason why their interest are welcome is that they give more money as consumers ; it is lobbying so the product is more made for their personal interest than for the others consumers.

A new computer is coming (nov 2015) without "hardware bug" (blob,firmware, hidden function ,etc) at 1600 $ _ it is expensive (for the same price i have a big gaming beast).

I do not understand this strange conception of " privacy " ; a true privacy !
(your privacy is real or you have not one , you cannot be at the middle or live with a false, an illusion of a "privacy".,.)

Tor is not a kiddie toy for anonymity ; more there will be users , more you will realize it.

As nice as a fully open source computer is, it does have downsides. As much as I hate to admit it, closed source CPU vendors like Intel provide many security-related instructions which massively improve security. And I don't just mean formal verification, but security-oriented features/instructions. For example, I highly doubt this open source CPU will have any of these following security features (which do provide real and tangible protection against even advanced adversaries):

- MPX: With the help of the compiler, it helps protect from many forms of buffer overflows by checking bounds on various operations.
- SGX: Allows userspace code to allocate memory which cannot even be accessed by the kernel, hiding it in encrypted "enclaves" controlled by the Management Engine.
- AES-NI: Provides side-channel resistant AES crypto in hardware. It even prevents scary and highly effective side-channel attacks like FLUSH+RELOAD and FLUSH+FLUSH from discovering the encryption key.
- RDSEED/RDRAND: High quality non-deterministic random number generator (yes it may be backdoored, but it does not cause any harm if it is, since it is not the only source of entropy).
- SMEP: Prevents the kernel from executing userland code, which is a very common method of system exploitation.
- SMAP: Like SMEP, but prevents any access to userland code when set period. It can be used to create a fully sealed kernel where even one part of the kernel cannot access other parts, like a microkernel.
- NX: Allows a memory page to be set as no-execute, preventing attackers from writing to an NX page to place malicious executable code in it (ROP and other data-only attacks are an exception, but NX is still extremely useful).
- WP: Allows setting pages read-only so even the superuser context (ring 0) cannot write to it.
- TXT: Allows a measured and trusted boot process. If it is backdoored or otherwise vulnerable, then the worst that happens is it is unable to protect you from a tampered boot. Note that TXT can even protect from some forms of hardware tampering.
- TPM: Used in Intel TXT, the TPM is basically a cheap HSM (hardware security module). It comes with its own non-deterministic RNG, and can securely store keys in a tamper-proof environment. It's not great, but better than nothing.
- VT-d (IOMMU): Directed I/O virtualization which, while initially intended for PCI passthroughs in virtual machines, it is also used to protect from malicious DMA attacks caused by compromised hardware (e.g. compromised USB hubs, Firewire, Cardbus, etc). Vanilla Linux calls this DMAR and it can be extended in functionality with VFIO, and it's also used by Xen to protect device drivers.

There are even some which are not intended to be used for security, but can be used to enhance security anyway with the right software, such as grsecurity:

- PCID: Used to enhance the security and performance of PaX UDEREF on x86_64.
- Memory segmentation (i386 only): Used to enhance the security and performance of PaX UDEREF and KERNEXEC on i386.
- RDTSC: High-precision timer, useful both to detect side-channel attacks, and for medium-quality userspace random number generators (e.g. HAVEGE, Dakarand, Jitterentropy, etc). While it is also useful to *perform* side-channel attacks, it can be disabled in ring 3 with the CR4 bit (in Linux, this is done with the PR_SET_TSC flag in the prctl() syscall, or the disable_tsc() instruction from within the kernel).

There are several other security-related ISA extensions which Intel, and AMD to some extent (and to a lesser, ARM) which I have not mentioned because I know little about them, like Protection Keys. Anyway, you get my point.

BTW, there is already an open source CPU out there. The UltraSPARC T1 and T2 (also called OpenSPARC). It is fully open, verilog and all. It is (obviously) of the SPARC architecture, and provides 64 hardware threads and up to 8 cores. However, even it does not have as many security features as modern Intel CPUs.

TL;DR
I'm not trying to say that an open source CPU is a bad idea - it all depends on your threat model. But when it comes to software exploitation, even exploitation by an adversary such as the NSA, it is highly likely that a modern x86 CPU will be more resistant than a custom open source one, at least today.

Your post is very interesting but i disagree with your point of view.
The point is to not be under control or under survey , that you can choose and decide by yourself that you want.
A state sponsored founder or an us company or worse ; something from eu , bring nothing at the customer:user (i am not speaking about a commercial site or gaming or professional of the web).
Intel do not bring nothing, they _ like all the enterprises in the world _ manage their own industry(ies),services,licenses,etc. you are using their products, they look at their benefits without bring you any service for you especially _ they normalize their communication in a world plan on a large scale _ for their contracts with another states, government, enterprises, private services.
An enterprise demands, requires a function, a service ; Intel made it ; it is an us enterprise for the us enterprises on the us territory.
In fact, that you wrote could be right and accepted if we spoke about enterprise or fbi or for a commercial ambition ... but we spoke about 'hardware without bug' as a freedom for an user.
As users we do not need so many features-often unknown and very dangerous for the privacy- we do not need to be more protected or more resistant at an attack _ we do not want to be involved, included in their plan BECAUSE it is our own right,

You really need to work on threat modeling... Yes, it is a kiddie toy if you suspect you are being targeted with advanced physical attacks that will do keystroke logging and such. But if your goal is to avoid being a suspect in the first place, *that's* what Tor is designed for, and what it is so good at. Saying Tor is a kiddie toy is like saying a bulletproof vest is useless if someone gives you a fake bulletproof vest with a bomb in it.

As for your statement about "special browser fingerprinting and codes", sure, some of them have exploits. Browsers are huge beasts with a massive attack surface. But that is not a break in Tor, that is an exploit. You can reduce the chances of that (and browser fingerprinting) by disabling javascript via the security slider. However, if you claim they mass-deploy this "fingerprinting code", you can be easily proven wrong. People would notice if such code was mass-deployed. I already answered you when you made a comment on another unrelated blog post anyway, explaining how such fingerprinting would and wouldn't work.

> Yes, it is a kiddie toy if you suspect you are being targeted with advanced physical attacks that will do keystroke logging and such.

Tor is very far from being a "kiddie toy" when one is being individually targeted by attackers with FVEY capabilities. Snowden-leaked FVEY documents contain much evidence to support this view.

Why? Here is one reason: even advanced attackers often make coding errors which have in some cases revealed their attack to the prospective victims. In particular, NSA's own network and their cyberattack software tends to be a hastily constructed mishmash of jury-rigged tools. And the bigger the adversary entity, the more likely they are to step on their own toes. Alert users can sometimes detect and exploit this, for example by allowing the attacker to spy on what we want them to hear (turning a common GCHQ tactic back upon our enemies), or by introducing honey pots where we can study their tradecraft.

Each attack gives us a potential opportunity to learn about the attacker and to expose their activity, or even to turn their own weapons against them. Remember, one important difference between being attacked with malware and being attacked by a missile is that in the former case, there is the potential to capture a working copy of the weapon, which can then be cheaply copied, modified, etc., and fired back at the would-be attacker. Because even a sophisticated malware can be exposed by a very small mistake (or misunderstanding of the intended victim's network), in some cases even an unsophisticated can capture highly sophisticated malware.

As initiatives like Citizen Labs proliferate, the little guy will enjoy more and more opportunity to exploit even sophisticated attacks to expose the would-be attacker.

victorhck

November 21, 2015

Permalink

Awesome article! Hopefully the money and people power will be found to develop the network even further. As the outside threats grow bigger everyday, our artillery has to expand as well. Looking forward to 2016!

victorhck

November 21, 2015

Permalink

I saw an 2013 metric that shows Italy as being the highest - 200 per every 100 thousand internet users - utilizing tor. Hadn't realized Italy was one of the higher.

victorhck

November 22, 2015

Permalink

Search engine for hidden (web)services is not a good idea. By design every search engine IS a spy tool. It steals documents and collects them in database.
A web publisher should send info to the seach site, not the other way. Just as in the old classic ads days.
Thanx for the non-censored blog without that 'register by your mail' nonsence but why is it not a hidden service? I feel a small inconvenience to leave the onion network. And there are just two lines in tor config file...

victorhck

November 22, 2015

Permalink

If you had not heard about it yet, but Blackphone 2 has been released! Bitmessage is also a good email client platform!

victorhck

November 22, 2015

Permalink

> in the past, each onion service would have three guard nodes assigned to it. Since last September, each onion service only uses one guard node—-it exposes itself to fewer relays.

Is there a configuration option somewhere that controls this? I'm worried more availability than having my onion service compromised by a guard node, so I would like the option to use more guard nodes.

victorhck

November 23, 2015

Permalink

Great. I use HS same as you, to reach my machines from anywhere without anyone noticing. it truly makes administrative restrictions irrelevant and restores the end-to-end character of the internet.

They are also great to communicate invisibly, work kind of like a phone number except that since the network itself is the operator, trust is distributed and the identity is self-authenticating, it puts control where it belongs.

I have commented about this in the past: I still don't think HS are a great choice for web-like content because of uptime tracking and active attacks and the fact that content is then tied to a certain machine, its availability dependent on that machine's working order, connection and performance. even if load-balancing worked, it still wouldn't be a perfect solution.

For static content, also things like git servers, wikis etc, I think the best solution is a decentralized content-addressed data store like what gnunet, freenet, i2p-lafs (?) projects are trying to offer. So this should not be the main trust of HS development. I think servers are a concept that just doesn't fit purposes like publishing material or asynchronous messaging. a standardized distributed datastore should become the norm instead.

Ideally, we should only have to set up or use actual servers where they are logically indispensable.

One thing is on top of my wishlist (not only for HS): add a layer of post-quantum crypto to tor to keep ahead of developments! keep in mind that the more powerful datafascist outfits are known to store certain types of internet traffic they can't decrypt for future attacks.

Agreed on distributed data storage, but only if onion routed in order to conceal the location of the data pieces and the users wanting to read and write them, while being encoded to prevent anyone other than those users from knowing what they are, or even connecting them to other pieces of the complete data assembly. There should be padding in size and delay in transmission, and it should be impossible to know if a data transfer is for reading, writing, archiving for redundancy, or chaff.

victorhck

November 24, 2015

Permalink

> I do not truly think that Tor can protect your identity. The companies out there have special browser fingerprinting programs and codes that can still determine your identity. Tor is like a kiddie toy for anonymity.

The documents leaked by Snowden are beginning to become a bit dated, but they clearly suggest you are quite wrong about that.

(The hysterical anti-encryption ranting from people like FBI Director Comey might suggest the same, except that these are so counter-factual they might better be read as enticements to people to use Tor so Comey can spy on the privacy advocates he blames for terrorism.)

> I think software is just one layer, but hardware is another layer you have to tackle regarding privacy.

That is very true, and Tor by itself cannot help here. But more and more consumers are becoming privacy-aware, and demanding more secure hardware as well as software tools like Tor Browser and Messenger.

victorhck

November 24, 2015

Permalink

> If there was a secure and easy to set up onion blogging platform, even without all the bells and whistles, that would be a great step forwards for freedom of speech.

Plus one.

Comment spamming here should provide another incentive for the Tor Project to increase the priority of providing anonymized blogging software which resists malicious comment spamming. It is certainly suspicious that these problems have intensified at the Tor blog immediately after arma disclosed FBI misconduct.

i disagree about spamming ; most of the comments are censured yet by admin and it is not an anonymous blogging software which could decide -twitter is good for kind news/short sentences not for free speech.

victorhck

November 26, 2015

In reply to by Anonymous (not verified)

Permalink

Yes. If you use Tor you can be arrested for over 9000 years and put in solitary confinement.

In seriousness though, it depends on where you live. As far as I know, Tor is not illegal in any big countries, and is not illegal in any countries where all anonymity services are not already illegal.

Tor is a service. It's a service provided by multiple volunteers in many countries. Just because it is not centralized does not mean it is not a service.

victorhck

November 27, 2015

In reply to by Anonymous (not verified)

Permalink

"In 2001, the Bush administration authorized -- almost certainly illegally -- the NSA to conduct bulk electronic surveillance on Americans."
So is usa government illegal?

victorhck

November 26, 2015

Permalink

Great interview with Nick! It would have been nice if he talked about the new human readable DNS feature for hidden services. I do like how he talks about the need for a search engine for hidden services in order for them to become main stream.

Ha -- are you trying to deanonymize the hidden service developer that wrote this? :) We have several of them (and I'm happy to let them have their anonymity here if they want it).

victorhck

November 27, 2015

Permalink

This may be off topic abit. It is relevant to Tor however. I am pondering the thought of establishing a bridge to help. The one thing that has me hesitant is the leak regarding how the NSA taps into tor's email server that's used to request to run a bridge. Is this completely true?

victorhck

November 27, 2015

Permalink

My advice & opinion:

Let's have fun and keep learning- but- Never never never ever assume any electronic communication or anything relative to it is actually private or secure. And that's a correct start! LOL

victorhck

November 27, 2015

Permalink

I want to develop and market things like a portable TEMPEST / RF shield for like 30 euro and a very cool snap-on phone encryption module for any landline or mobile using like 256-bit Twofish and 512-bit ECC for maybe 50 euro and available to any and all at your local market!

victorhck

November 30, 2015

Permalink

Someone asked:

> Is tor illegal

Someone replied (rhetorically):

>> is nsa terrorism nest?

Spying on someone is inherently a hostile act. Firing missiles into houses and vehicles is a hostile and deadly act. Knowingly targeting children is a hostile, deadly, and barbaric act. Not just an act, but a crime. A war crime. An act calculated to induce terror in a civilian population.

NSA poses a clear and present danger to every individual. NSA considers itself at war with the entire world, including US citizens (and even its own employees).

Recently four former operators with experience in the US "signature drone strike" program came forward to testify to the cruelty of the program, and the devastating effect it has on the psyche and morals of the often young operators who press the buttons and watch the aftermath of the explosions on their video monitors, as they sit on the other side of the world from conflict zones in Syria, Iraq, Pakistan, Afghanistan, and Africa.

https://theintercept.com/2015/11/19/former-drone-operators-say-they-wer…
Former Drone Operators Say They Were “Horrified” By Cruelty of Assassination Program
Murtaza Hussain
19 Nov 2015

> U.S. DRONE OPERATORS are inflicting heavy civilian casualties and have developed an institutional culture callous to the death of children and other innocents, four former operators said at a press briefing today in New York...
>
> The killings, part of the Obama administration’s targeted assassination program, are aiding terrorist recruitment and thus undermining the program’s goal of eliminating such fighters, the veterans added. Drone operators refer to children as “fun-size terrorists” and liken killing them to “cutting the grass before it grows too long,” said one of the operators, Michael Haas, a former senior airman in the Air Force. Haas also described widespread drug and alcohol abuse, further stating that some operators had flown missions while impaired.

We should applaud the quartet for mustering the courage to come forward openly (following the Snowden model), even while condemning the war crimes they helped to commit on behalf the USG.

War crimes must be punished, and we should work tirelessly to seek justice. But we must focus on the leaders who ordered the strikes, not the low level operatives. On the modern Westmorelands rather than the modern Calleys. We must bring to justice people like John Brennan, Keith Alexander, Dick Cheney and two US Presidents. It might take time, but there is no statute of limitations on mass murder.

If more current and former insiders with direct knowledge of these crimes come forward to speak out against this aerial genocide, it will take less time to achieve justice for the murdered and the maimed.

victorhck

December 01, 2015

Permalink

> are you trying to deanonymize the hidden service developer that wrote this? :) We have several of them

It's wonderful that Tor is "giving HS some love". Another area where it seems that Tor could work wonders is in providing tools which resist stylometry attacks, against which posters currently appear to be defenceless.

I'd love to see Rachel work for Tor rather than DARPA, by providing a tool in TB which is modeled on the gedit spellchecker and which simply suggests substituting more common synonyms for rare words. (The spellchecker already "Americanizes" the spelling of English words, which might provide brits with a bit of extra entropy.)

Things like that should be easy to code. Much harder but even more valuable would be tools which "blandify" sentence structure, grammatical quirks, contractions and other punctuation characteristics, etc.

victorhck

December 04, 2015

Permalink

Not sure where to ask, but I am new to Tor and I have a question. How is it that after I open the Tor browser and create a new identity and verify that I am going through an exit node that is not american that when I check the exit node again it has some how switched to an american exit node? Hope that makes sense.

Tor changes your path for you automatically every so often, to make sure that you don't build up too much of a profile from the perspective of any particular exit relay. That is, we focus on the anonymity side, rather than the "letting you choose which country you appear to be coming from" side.