
MoreOnionsPorfavor: Onionize your website and take back the internet - worldofmatthew
https://blog.torproject.org/more-onions-porfavor
======
onli
So let's say I run a few websites and do support the idea. I read that article
and think "I should set up an .onion version of my site and then point to
that". The article points to [https://community.torproject.org/onion-services/setup/](https://community.torproject.org/onion-services/setup/) -
and I'm immediately lost. Set up a local webserver? Why would I need that? The
documentation mentions that I have to configure the webserver correctly, but
offers no details about that whatsoever. So that's not a good start.

[https://community.torproject.org/onion-services/advanced/oni...](https://community.torproject.org/onion-services/advanced/onion-location/) works better, it shows the configuration,
but assumes there is already an .onion address and does not point to
documentation on how to set it up.

Hey, I know documentation is hard. But this could be improved a lot. By now I
figured out that I'd have to install Tor on the server (not my machine, as the
docs stated), find the torrc (the documentation has to mention where it is),
point it to the active localhost port of the webserver, and that the .onion
address is autogenerated (so this will be an unreadable mess?) and can be taken
from a file the tor software generates.

And this:

> _We're not going to cover how to set up a web server here. If you get stuck
> or want to do more, find a friend who can help you. We recommend you install
> a new separate web server for your onion service._

Just cut it out. I'm actually lucky enough to have friends that could help me
with this, but what if I hadn't? Cover in the documentation what needs to be
done, or at the very least don't show an attitude about it.

~~~
driverdan
Documentation and ease of setup have long been the biggest weaknesses of Tor.
The browser is easy but setting up a server or any of the infrastructure
isn't.

The first time you set up a server or a relay expect it to take half a day to a
full weekend.

~~~
0xggus
The Tor community improved the Tor Relay Guide a lot in the last two years.
Actually, now you can easily set up a relay following the instructions:
[https://community.torproject.org/relay/setup/](https://community.torproject.org/relay/setup/)

And if you're an Ansible user, you will enjoy Nusenu's ansible-relayor:
[https://github.com/nusenu/ansible-relayor](https://github.com/nusenu/ansible-relayor)

~~~
driverdan
You're right, those docs are a lot better than the last time I looked.

I forgot why exactly I didn't use ansible-relayor last time I set up relays but
I had a reason. I'll try to use it next time I deploy a batch of relays.

------
neilv
I tried this feature of Tor Browser, using the first example I saw in TFA
(www.propublica.org)... and was surprised to see that the .onion equivalent of
the www.propublica.com home page... tried to make requests to third-party
non-.onion cross-site surveillance trackers.

google.com/recaptcha connect.facebook.net static.chartbeat.com ak.sail-horizon.com pi.pardot.com htlbid.com

A separate concern, besides this choice of example, is why ProPublica is
_normally_ helping to leak the identities and intimate browsing behavior of
people who visit their site, to some of the most powerful and invasive
corporations, given this mission:

> _ProPublica is an independent, nonprofit newsroom that produces
> investigative journalism with moral force. We dig deep into important
> issues, shining a light on abuses of power and betrayals of public trust —
> and we stick with those issues as long as it takes to hold power to
> account._

~~~
corty
To be safe one should disable JavaScript and most if not all third-party
requests on .onion sites. That's why TorBrowser always includes NoScript.
Unfortunately in an unsafe default configuration that allows too much.

So overall, I guess this move isn't intended to protect the masses but provide
more cover traffic mainly.

------
glenneroo
I'm not sure how relevant this is to running your website on the "darknet",
but a potential warning for future Tor service operators: I ran a TOR relay
for about a year, eventually even ordering a static IP for 5€/month. One
random day, I was unable to log into my online banking, receiving some obscure
error code. After digging around and finally contacting the bank, they
referred me to some "IP protection service" in the UK, which had put me on a
blacklist for unknown reasons (they don't tell you the reason for security
reasons, but there was mention of something "proxy"). After submitting
multiple requests to remove me from their blacklist (all automated online with
no option to talk to a human), I finally caved in and shut down my relay.
After doing that, combined with waiting a few days, while also continually
resubmitting my removal request, they marked my IP as "clean", allowing me to
login to my bank again. The whole process took about 6 weeks, and neither my
bank nor the UK service provided any assistance along the way. Fun times.

I would love to run a TOR relay again but I'm a bit paranoid now.

~~~
caymanjim
Why on earth would you run a Tor node on an IP that you use for any personal
transactions? This isn't surprising in the least.

~~~
viraptor
I think you're confusing a relay and an exit node here. Pretty much everyone
using Tor runs a node and for virtually everyone it's on an IP also used for
personal transactions. There are silly services which take every tor node as
suspicious. They're wrong, but it doesn't matter if you get banned.

~~~
glenneroo
I also considered bringing up that point, but then I actually looked it up[0]:

> Tor relays are also referred to as "routers" or "nodes." They receive
> traffic on the Tor network and pass it along. Check out the Tor website for
> a more detailed explanation of how Tor works.

[0]: [https://www.eff.org/torchallenge/what-is-tor.html](https://www.eff.org/torchallenge/what-is-tor.html)

~~~
yjftsjthsd-h
How does that change anything? The point is that a relay isn't an exit node,
so there's no reasonable reason to block them.

~~~
saurik
You don't seem to understand what the terminology is... exit relays are
relays.

> There are three kinds of relays that you can run in order to help the Tor
> network: middle relays, exit relays, and bridges.

~~~
viraptor
There's the dictionary definition and there's typical usage. When people say
relay node, they typically don't mean exit nodes. Not 100% correct, but the
assumption is common.

------
isaack
CloudFlare had a much more elegant solution: the Alt-Svc HTTP header [1]. It
is entirely transparent to the user. Security is guaranteed because it uses
the original SSL/TLS certificate for exchange (that is, on top of the usual
safety guarantees provided by a Tor hidden service).

Sadly they stopped doing that a while ago [2]. If anyone has insider knowledge
about the reason behind it, I would be really interested to hear about it.

[1]: [https://blog.cloudflare.com/cloudflare-onion-service/](https://blog.cloudflare.com/cloudflare-onion-service/)

[2]: [https://community.cloudflare.com/t/tor-alt-svc-header-not-be...](https://community.cloudflare.com/t/tor-alt-svc-header-not-being-sent/113222)

~~~
cypherpunks3
Cloudflare is still using the Alt-Svc HTTP header. Use Ctrl+Shift+J to see the
'Browser Console' which contains logs in the form "Alternate Service Mapping
found: [https://blog.cloudflare.com:-1](https://blog.cloudflare.com:-1) to [https://cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35...](https://cflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion:443").

Cloudflare only sends the header to clients it detects as Tor Browser. If you
have tweaked your config or are running an older version, it may not detect
correctly. Even if it had previously worked.

This technique is not "better than" the "Onion-Location" approach. They
complement well. Use the 'Alt-Svc' header for all users with Tor Browser's
user agent and send "Onion-Location" to all users. If a user decides to opt
for the .onion address, they can. But they don't have to.
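
Tying onli's point earlier in the thread (the address is derived by tor and written to a file under HiddenServiceDir) to the Onion-Location and Alt-Svc headers discussed in this comment: the following is an added example, not code from the thread, from Tor or from Cloudflare. It reproduces the v3 .onion address derivation from an ed25519 public key as the Tor onion service specification defines it, then checks that the headers a site sends point at a well-formed, checksum-valid address. The 32-byte key and the response headers are constructed sample data.

```python
import base64
import hashlib
import re
from typing import Optional

# Layout of HiddenServiceDir/hs_ed25519_public_key as tor writes it:
# a NUL-padded 32-byte tag, then the raw 32-byte ed25519 public key.
PUBKEY_FILE_TAG = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
ALT_SVC_RE = re.compile(r'[\w-]+="(?P<host>[^":]+):\d+"')

def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Reproduce the address tor writes to HiddenServiceDir/hostname:
    base32(pubkey || checksum || version) + ".onion", with version = 3 and
    checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def onion_address_from_pubkey_file(data: bytes) -> str:
    """Derive the address from the bytes of hs_ed25519_public_key, so the
    hostname file can be cross-checked against the key it is supposed to encode."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_TAG:
        raise ValueError("not an hs_ed25519_public_key file")
    return onion_address_from_pubkey(data[32:])

def is_valid_onion_v3(host: str) -> bool:
    """Format check plus the embedded checksum and version byte: a v3 address is
    self-authenticating, so a corrupted or mistyped one fails without any lookup."""
    if not ONION_V3_RE.match(host):
        return False
    pubkey = base64.b32decode(host[:-len(".onion")].upper())[:32]
    return onion_address_from_pubkey(pubkey) == host

def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def onion_location_target(headers: dict) -> Optional[str]:
    """Host advertised by Onion-Location (the opt-in switch Tor Browser offers),
    or None when the header is absent or does not name a well-formed v3 onion."""
    match = re.match(r"^https?://([^/:?#]+)", _header(headers, "Onion-Location"))
    host = match.group(1) if match else ""
    return host if is_valid_onion_v3(host) else None

def alt_svc_onion_target(headers: dict) -> Optional[str]:
    """Onion host advertised by Alt-Svc (the transparent mapping, in the form
    h2="<56 chars>.onion:443"; ma=86400), or None when no valid one is listed."""
    for match in ALT_SVC_RE.finditer(_header(headers, "Alt-Svc")):
        if is_valid_onion_v3(match.group("host")):
            return match.group("host")
    return None

# Constructed sample: a fixed 32-byte stand-in for a real ed25519 public key,
# and the headers a clearnet site would send to advertise the derived address.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_ONION = onion_address_from_pubkey(SAMPLE_PUBKEY)
SAMPLE_HEADERS = {
    "Onion-Location": f"http://{SAMPLE_ONION}/about",
    "alt-svc": f'h2="{SAMPLE_ONION}:443"; ma=86400; persist=1',
}
```

Pointing the checker at a real response (for instance the header dict from an HTTP client) tells you whether the address your site advertises is the one tor wrote to the hostname file, which is the thing most likely to go wrong when the configuration is copied by hand.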

------
daenz
I'm pro decentralizing the internet, but these movements really need some
marketing chops. ".onion" TLD? (Yes I know it has been around for a while)
Think of how a normal person will view a ".onion" domain name. It's
nonsensical to the uninitiated.

~~~
jmkb
Last century "network" and "web" were metaphors that meant nothing to the
uninitiated -- I feel that ".onion" has a shot.

~~~
ciarannolan
"Web" definitely meant something to people as a metaphor, for long before the
internet (ex. "web of lies").

"The 'internet' is like a spider's web, but each point in the web is a
different computer."

vs

"Tor is like an onion, where each layer of the onion represents a computer
acting like a relay, in a giant network of computers, which your traffic is
routed through....."

~~~
nsl73
There is a scene in Shrek where he compares himself to an onion because he has
emotional layers.

~~~
warent
Shrek is an old meme and onions are stinky. Do you think that's a recipe for
this to catch on by the next generation? It's a miracle .com worked at all,
and I wouldn't hold my breath for a second miracle.

~~~
2038AD
> Shrek is an old meme and onions are stinky. Do you think that's a recipe for
> this to catch on by the next generation?

Yes, older members of Gen Z have already been enjoying Shrek "post-ironically"
for years. Younger members of the generation are editing together clips of
teenagers from the 00s as though it were some bygone halcyon era. Whether we
like it or not the trends of reference and farce seem to be accelerating.

------
mark_l_watson
I am tempted to onionize my site for political (if that is the correct word)
reasons.

I am almost done reading The Surveillance Economy and it feels like almost an
obligation to push back. (Using ProtonMail, use a large leased server in
Germany at Hetzner for my routine work and writing, and using private browsing
tabs when I must use Twitter or Reddit.)

It looks like Onion domain hosting services are $5-$8/month, but going through
their checklist and making one of my VPSs approved would be educational.

~~~
zelly
> It looks like Onion domain hosting services are $5-$8/month

You don't need a special host. You just need to run Tor and connect to the
network.

~~~
Nextgrid
Running a Tor Hidden Service doesn't require a specific host. As far as I
know the traffic it generates will not be malicious. You only need to worry
about malicious traffic and Tor-friendly ISPs if you plan to run an exit node
(and at this point you need to consider the legal implications as well).

Furthermore if you are not hosting any illegal/objectionable content and don't
need to hide from law enforcement or state-sponsored attackers, a lot of the
security concerns around anonymizing the server no longer apply either.

------
Santosh83
In this context OnionShare
([https://onionshare.org/](https://onionshare.org/)) is an excellent program
that even non-technical people can use to either share files or even complete
static websites over Onion routing. The main advantage is you don't need to
grub around with Nginx, Apache and the Tor daemon manually setting everything
up.

~~~
cryo
OnionShare rocks: Tor hidden services are excellent for that purpose and
provide a decentralized alternative for cloud based apps.

What I love about them is also that it works in tricky NAT situations where
WebRTC struggles.

My file manager "cryo" also uses Tor hidden services for signaling without a
central server to initiate peer-to-peer connections.
[https://cryonet.io](https://cryonet.io)

------
vitejose
I operate a few websites that host static content only. Is there any benefit
to setting up onion services for these sites? Or are onion services more
valuable for providing interactivity/logins?

~~~
danielheath
If the data might be subject to censorship or spying, yes - using an onion
service protects users from having info like “you read about STI treatment”
sold to their insurers.

------
atroche
Why haven't we seen a pay-for-use version of Tor yet? The network won't scale
unless exit and relay nodes are incentivized with value beyond warm-fuzzies.

~~~
yjftsjthsd-h
How would that work without killing the privacy angle?

~~~
hirako2000
Monero/zcash

------
brnt
I have (a few) static sites on places like Github Pages/netlify. How do I put
them under a .onion?

------
john4534243
The majority of ISPs provide dynamic IPs these days and getting a static IP
costs significantly more money. If you have a low compute device like a
Raspberry Pi running 24/7 which controls all the home network, then
connecting (ssh) to it over the internet requires a static IP. The other
alternative which does not cost money is setting up tor (which is pretty
simple) and an ssh socks proxy on the client machines. This use case is pretty
common; it does not involve privacy but is very useful.

------
woofie11
I want a short HOWTO linked from this article.

~~~
MattGaiser
I would love to do this for my personal site. Not sure if I am willing to
spend 4 hours on figuring it out though.

~~~
clashmeifyoucan
I did it for my personal site, and it wasn't too hard. I personally didn't
have as much experience with nginx and stuff back then, but if I were to set
one up now I feel I'd be done in under 30m complete with a vanity url.

------
shp0ngle
I remember, in 2014, Facebook started to be available on Tor, and people
speculated that there will be a wave of popular websites being offered on
Torspace.

Nothing came of this "wave", if I'm not wrong, right.

[https://en.wikipedia.org/wiki/Facebookcorewwwi.onion](https://en.wikipedia.org/wiki/Facebookcorewwwi.onion)

edit: and it seems down to me right now.

edit2: it works... but slower than just going to the regular HTTPS version with
Tor. Which makes sense, because it needs to hop more.

edit3: .... but it doesn't let me log in, as I am logging in from a "suspicious
location".

~~~
glenneroo
I still use Facebook via Tor quite often, even though it's barely usable -
loading anything takes between 3 and infinite seconds (i.e. never loads,
requiring multiple refreshes). I use it to let them know that people still use
it, with the hopes that they don't even remove it. I don't have this problem
with other Tor sites, so it leads me to believe they want to be able to
advertise it as "we offer this because we care" while making it nearly
unusable to the point that nobody will use it. It's very similar to the secure
chat feature, which they continually move deeper and deeper into menus, each
move progressively more difficult to find. They just yesterday enabled the new
"layout", and I can't even find the secure chat feature anymore, they either
buried it so deep or removed it entirely?

------
surround
What’s the advantage of accessing an onion service (as opposed to accessing a
normal https website over tor)?

~~~
t0astbread
I am not an expert but as far as I understand it's harder to do correlation
attacks when you're able to monitor network traffic when communication stays
inside the Tor network. Additionally, you're replacing (or extending) CAs with
Tor's public key cryptography for authentication and encryption.

Computerphile did an interesting video series on this!

~~~
moonchild
> replacing (or extending) CAs with Tor's public key cryptography

Which is good because CAs are useless; they're complete overhead. Back when EV
certificates meant something, they were marginally useful, but at this point,
we might as well just switch to a TXT record that validates domain ownership.
(Obviously, that doesn't protect against DNS MITM attacks, but that's a
separate issue.)

~~~
t0astbread
Oh you mean storing some data to cryptographically verify that a particular
server is associated with a domain? If I'm not mistaken, that's what .onion
addresses are.

I wonder if anyone has tried putting .onion addresses into DNS and having
clients treat them like address records...

------
lexicon0
I'm in charge of security for a reasonably sized company. I generally
support the Tor project and the goals of having a surveillance free internet.

However - if an employee would install tor browser or use tor on a company
device, or a device attached to the company network, they would be fired
immediately. I would then refer them to law enforcement after conducting a
forensic audit.

Should you make your site only available via onion routing, or primarily
available on onion routing, all workplaces will immediately block access and
look at anyone who accesses it with great incredulity.

~~~
danShumway
I wasn't as active on the Internet during the initial rise of HTTPS, but I
wonder how many companies, schools, and public stores threw the exact same
fits back then when they realized there might be a world where they could no
longer MITM every web request that went across their routers.

I do remember the "kids who use Linux are hackers" arguments from schools;
arguments that still occasionally pop up on rare occasions. And even more
recently, I see the pushback from administrators and ISPs over encrypted DNS.

My instinct in this situation is that the "only criminals need privacy"
argument is probably evergreen, and that Tor probably isn't in a unique
position.

Of course, companies can choose what to install on their own devices, and they
can choose what software they'll allow to connect to their networks. The Tor
project changes nothing about employers' rights to control and monitor the
hardware that they issue. It's normal for workplace networks to have more
restrictions than ordinary networks.

Nevertheless, if (beyond those policies) your instinct is that anyone you see
using Tor is probably a criminal, then I'm not sure you can honestly claim
that you "generally support the Tor project and the goals of having a
surveillance free internet." A casual observer would be forgiven for thinking
that maybe the opposite is true, and you're terrified of a world where the
Internet can't be monitored -- particularly the ordinary, everyday Internet as
accessed by regular nontechnical people on their regular, everyday smartphones
and laptops.

~~~
lexicon0
There is no legitimate use for it in this context, and as such, every single
instance of it has been associated with a crime, mostly CSAM.

~~~
danShumway
> There is no legitimate use for it in this context

There's no legitimate usage for World of Warcraft on a work computer, and I'd
happily ban that from work computers. But I also wouldn't hop onto an
unrelated article for new players and imply that all of them were criminals.
The linked article never mentions work computers, it's talking to website
operators.

If your objection here is that you think Tor is inappropriate at this moment
in one specific work setting, then fine, but that's not really adding anything
to the conversation about whether or not general websites should be made
available over Tor. It's just unrelated FUD.

I want to be clear, the goal of Tor proponents is for everyone to be running
Tor (or something similar), and for most websites to be available over Tor by
default. People should be running Tor on their smartphones, on their home
laptops. Tor should be the default way that people share files with each
other, and the default way that people set up technical blogs, or even just
quick websites that show off pictures of their cat. The vision of the Tor
project is a world where Tor is normal and ubiquitous for regular, non-
technical people.

So unless your work policy bans all personal devices from your network,
creating an expectation that any smartphone that joins and boots up a Tor
browser automatically belongs to a criminal is contrary to the goals of the
privacy movement. Our goal is that every device and every website should be
private by default. Your network should be the exception, and it should only
have company-owned devices on it.

And of course it's fine if you disagree with that, you don't have to be a
privacy proponent. Lots of smart, reasonable people disagree with us about
what the balance is between security and privacy. But demonizing Tor users in
ordinary, everyday contexts is anti-Tor.

> or primarily available on onion routing, all workplaces will immediately
> block access and look at anyone who accesses with great incredulity

To go a step farther and suggest that making a website available over Tor
should automatically mean that people who visit it are suspicious -- that is
also anti-Tor and (I would argue) anti-privacy in general.

If I went into an interview for any company in any field offhandedly
mentioning that I ran a Tor website, and then had to field a bunch of
questions about whether or not I was a criminal, that would be a _major_ red
flag to me to avoid that company.

~~~
lexicon0
I'm adding my thought that hosting a website on Tor primarily will make it
totally unavailable from many workplaces. Currently, Tor is not the place for
a site that doesn't _require_ an extremely high level of anonymity of access.

The network policy does ban all personal devices, in order to control what
connections originate from inside the network.

To be clear, I'm not demonizing Tor or Tor users. I like what the Tor project
wants to do, and I support it, but believing it will be allowed in many
corporate settings, in July 2020, is extremely naive. As I already mentioned,
there's no legitimate use case to allow this in a corporate setting.

