
The New York Times Is Now Available as a Tor Onion Service - alecmuffett
https://open.nytimes.com/https-open-nytimes-com-the-new-york-times-as-a-tor-onion-service-e0d0b67b7482
======
blfr
And they're using an Extended Validation certificate from DigiCert for it

    
    
        CN = nytimes3xbfgragh.onion
        OU = Technology
        O = The New York Times Company
        Object Identifier (2 5 4 15) = Private Organization
    

along with some other addresses

    
    
        DNS Name: nytimes3xbfgragh.onion
        DNS Name: graylady3jvrrxbe.onion
        DNS Name: *.graylady3jvrrxbe.onion
        DNS Name: *.dev.graylady3jvrrxbe.onion
        DNS Name: *.stg.graylady3jvrrxbe.onion
        DNS Name: *.nytimes3xbfgragh.onion
        DNS Name: *.api.nytimes3xbfgragh.onion
        DNS Name: *.api.dev.nytimes3xbfgragh.onion
        DNS Name: *.api.stg.nytimes3xbfgragh.onion
        DNS Name: *.blogs.nytimes3xbfgragh.onion
        DNS Name: *.blogs.stg.nytimes3xbfgragh.onion
        DNS Name: *.blogs5.stg.nytimes3xbfgragh.onion
        DNS Name: *.dev.nytimes3xbfgragh.onion
        DNS Name: *.dev.blogs.nytimes3xbfgragh.onion
        DNS Name: *.newsdev.nytimes3xbfgragh.onion
        DNS Name: *.prd.nytimes3xbfgragh.onion
        DNS Name: *.sbx.nytimes3xbfgragh.onion
        DNS Name: *.stg.nytimes3xbfgragh.onion
        DNS Name: *.stg.blogs.nytimes3xbfgragh.onion
        DNS Name: *.stg.newsdev.nytimes3xbfgragh.onion
        DNS Name: www.bestsellers.nytimes3xbfgragh.onion
        DNS Name: www.homedelivery.nytimes3xbfgragh.onion

~~~
JoshTriplett
Sometimes I wonder if it's a good idea to brute-force these kinds of "vanity"
onion prefixes. Take a look at the addresses used in
[http://incoherency.co.uk/blog/stories/hidden-service-
phishin...](http://incoherency.co.uk/blog/stories/hidden-service-
phishing.html) ; they brute-forced the same prefix with a different suffix.
Would anyone really notice?

~~~
chrisfosterelli
If they didn't use vanity names, then people would only remember the
first/last few random characters and the phishing scheme could very well still
work, just it'd be less readable for visitors. I don't think we can assume
that if all the characters were random they would remember them all better.

~~~
JoshTriplett
I don't think people would remember them _better_ if completely random.
Rather, I think if they're completely random, people might correctly assume
they can't, and remain appropriately skeptical; if they include a vanity
prefix, people seem likely to remember the vanity prefix and somewhat less
likely to pay attention to the rest.

------
jameskegel
This may not be the whole solution but it is a step in the right direction.
Kudos to NYT for attention to this subset of readers.

~~~
belorn
It is. Overlay networks has a very expensive overhead, but it is one of the
few ways that networks can be updated to modern views on security threats and
privacy without getting ISP to change their hardware and software. I am in
particular hopeful that we might see a future where tor will simply be a
available tool in the general network stack, enabling private end-to-end
without exist nodes.

~~~
jerheinze
> Overlay networks has a very expensive overhead

Single onion services are a thing now for quiet some time actually:
[https://web.archive.org/web/20161219230314/https://blog.torp...](https://web.archive.org/web/20161219230314/https://blog.torproject.org/blog/whats-
new-tor-0298) (had to use archive.org since images are broken on their blog
currently)

------
icc97
This is a great thing. Tor wants to encourage people to use tor as a normal
browser so it's harder to track individuals using tor.

Handy graph for anyone curious about the benefits of Tor [0]

[0]: [https://www.eff.org/pages/tor-and-https](https://www.eff.org/pages/tor-
and-https)

------
nobodyorother
Does the onion service still serve the same advertisements their website and
mobile app do?

If so, they're leaving their users-who-want-to-stay-relatively-anonymous open
to attack via the advertisement vector. Members of that group would be
considered high-value targets simply due to their anonymity desires.

I can't see the number of daily users being large enough that they'd lose
significant profit by closing that attack vector. Hell, if there was a way to
pay NYT enough to disable ads on all their services, I'd do it.

~~~
system33-
Tor Browser isolates cookies and other browser state into buckets based on URL
bar domains.

~~~
jerheinze
... i.e. first party isolation, one can read more about it on the Tor Browser
design document:
[https://www.torproject.org/projects/torbrowser/design/](https://www.torproject.org/projects/torbrowser/design/)

~~~
milofeynman
How can I get first party isolation in regular chrome or firefox? That is
exactly what I've been imagining/wanting since Firefox announced their new
container prototype.

~~~
jerheinze
Thankfully Mozilla works with the Tor Project so that Tor Browser patches to
Firefox get uplifted to mainline Firefox, you can read more about those
efforts here:
[https://wiki.mozilla.org/Security/Tor_Uplift](https://wiki.mozilla.org/Security/Tor_Uplift)
And the Tor Uplift tracker:
[https://torpat.ch/uplift](https://torpat.ch/uplift)

In this case the relevant preference is privacy.firstparty.isolate = true.
Another worth pointing out pref is privacy.resistFingerprinting = true.

~~~
milofeynman
Thank you. I am excited for all the ways this is going to break the web for
me, but this is exactly what I wanted. Maybe someday this will be on by
default for everyone. Can you imagine?

------
schwag09
Mozilla is also currently matching all Tor donations:
[https://donate.torproject.org/pdr](https://donate.torproject.org/pdr)

Consider donating!

------
iandanforth
Will this help people in China at all? From an article I ready a while back it
seemed like Tor has been defeated there.
([https://www.technologyreview.com/s/427413/how-china-
blocks-t...](https://www.technologyreview.com/s/427413/how-china-blocks-the-
tor-anonymity-network/))

~~~
milofeynman
That article is from 2012. It's a constant battle, which has changed a LOT in
5 years.

[https://blog.torproject.org/breaking-through-censorship-
barr...](https://blog.torproject.org/breaking-through-censorship-barriers-
even-when-tor-blocked)

[https://www.torproject.org/docs/pluggable-
transports](https://www.torproject.org/docs/pluggable-transports)

------
conductor
What's the point of making it available in the Tor network if their onion site
includes a script from www.googletagmanager.com (or an "iframe" if scripting
is disabled) thus making it significantly less anonymous?

Onion websites should be isolated and should not initiate any connections to
vanilla internet.

Edit: it also loads scripts from www.google.com, tags.bluekai.com,
cdn.optimizely.com...

------
nottorp
Hmm don't you have to pay to access the full newspaper? How does that mix with
Tor anonymity?

~~~
greiskul
Haven't tested to see how they are doing, but that's kinda orthogonal to using
tor. Standard cryptography like https uses is meant so any eavesdroppers don't
know WHAT you are talking about. But they still know that Alice is talking
with Bob. Onion routing, that tor uses, is meant to so eavesdroppers also
don't know who is talking to whom. But that's on the eavesdroppers part. If
Alice and Bob are talking completely privately, it's completely fine if they
are exchanging all the information they want between themselves. The big idea
is that attackers don't know what you are doing.

Tor can also hide where Bob's servers are, but not sure if the New York Times
would need that bit.

~~~
nottorp
Ah right - i was thinking of hiding from the US government, which can get the
identity of subscribers directly from NYT.

I forgot there are other governments too... shame, I'm not even from the US.

------
4684499
I don't see the point.

A hidden service is set for information can not be safely presented on the
public Internet. Like what The Daily Stormer did.

If one just wanted to bypass blocking or hide himself from evil third parties,
he could just use tor browser to open NYT's regular domain instead of the
hidden service domain, no?

~~~
Ajedi32
Onion services are faster on Tor, since you aren't limited by the bandwidth of
the exit nodes.

There are also some security benefits, since connections to hidden services
are automatically encrypted and authenticated, no HTTPS or trust in
Certificate Authorities required (though HTTPS with EV certs can still be
useful for identification purposes).

------
ape4
The url is a bit hard to remember.
[https://www.nytimes3xbfgragh.onion/](https://www.nytimes3xbfgragh.onion/) Is
there a directory of .onion sites? (with an easy .onion url)

~~~
Gaelan
There are no “easy” onion URLs. They are essentially random (hash of a key
iirc). It’s possible to generate random URLs until you get a prefix you like,
but the time it takes increases exponentially with length of the desired
prefix.

~~~
comboy
I wonder why namecoin addresses are not a part of the tor yet. Onion urls
should be treated more like IPs.

~~~
jerheinze
It's in their works, see their proposal 279:
[https://gitweb.torproject.org/torspec.git/tree/proposals/279...](https://gitweb.torproject.org/torspec.git/tree/proposals/279-naming-
layer-api.txt)

As well as this blog post: [https://blog.torproject.org/cooking-onions-names-
your-onions](https://blog.torproject.org/cooking-onions-names-your-onions)

See also this ticket for following the progress:
[https://trac.torproject.org/projects/tor/ticket/10747](https://trac.torproject.org/projects/tor/ticket/10747)

------
spodek
Does anyone know why they posted this story through Medium?

~~~
mattdotc
TimesOpen is an engineer-driven blog. Its previous incarnation was self-hosted
on a WordPress stack (separate from our main CMS), but for various reasons it
was decided to re-platform.

There were many discussions before settling on Medium and alternatives were
considered (such as dogfooding our own CMS). We have a lot of work in-flight
to modernize and simplify our publishing stack, and the timing wasn't right to
rely on internal tools to publish a new blog.

~~~
vintageseltzer
How widely is WordPress being used at NYT today? Seems like it was used a lot
about five years ago but don’t see it much anymore.

------
Ajedi32
Is there a search engine or other convenient discovery mechanism for Onion
services?

I know DuckDuckGo has their own hidden service, but it seems that site only
returns results from the regular internet, not from other hidden services.

~~~
zamber
> hidden services

I think you responded to your own question.

Besides that there are lists of onion services. Apparently there are also
search services like [https://ahmia.fi/](https://ahmia.fi/)

~~~
nathancahill
Although there's a risk to using onion directories, since you have to trust
that the hash they give you for the New York Times for example, is actually
the real hash. It's easier to spoof onion hashes than domain names since
domain names are more well known. You'd hopefully catch that you're connecting
to nytim3s.com, not so much nytimes3xbfgra3h.onion.

~~~
Ajedi32
EV certs can help with this to some extent. For example, the New York Times is
using an EV cert with the organization name "The New York Times Company" for
their hidden service. So as long as you trust the CA system, you can be
certain that you're talking to a server operated by _The_ New York Times, and
not just a copycat.

~~~
nathancahill
Yes, but EV isn't that common on Tor. How would I distinguish Dread Pirate
Roberts' Silk Road from FBI's Silk Road in a Tor online directory?

~~~
dragonwriter
Well, obviously EV is less useful [0] for services where the host’s anonymity
is a key part of the reason the server is on Tor.

But for services on Tor that are fine with being identified but who wish there
users to be opaque to third parties it seems to have some value.

[0] without a radically different CA infrastructure which has no chance of
getting preloaded into browsers.

------
RustyRussell
Tried to show my support by subscribing over Tor, unf:

    
    
        This action is not supported over Onion yet, sorry.
    

Which kind of makes sense, since you were probably about to ask my CC info,
but still...

------
Illniyar
Err... does the tor site still have the 10 views a month for free limit? Are
tor users supposed to subscribe to NYT - that will surely blow through any
privacy you hope to achieve.

~~~
detaro
See this subthread
[https://news.ycombinator.com/item?id=15567778](https://news.ycombinator.com/item?id=15567778)

~~~
Illniyar
Thanks

------
forapurpose
I'm seeing a different page at the Tor address than at the regular address.
The layout is different:

[https://www.nytimes3xbfgragh.onion/](https://www.nytimes3xbfgragh.onion/)

[https://www.nytimes.com/](https://www.nytimes.com/)

------
sidcool
What would be the advantage here?

~~~
mileycyrusXOXO
From the /r/tor thread System33 posted a comment[0] originally by Alec Muffet
explaining why Facebook set up a TOR service, which may answer some of your
questions:

Why would anyone run a legal onion service?

Thanks Alec Muffett (OP) for the following summary copied from this comment

Understandably folk tend to think "Anonymity!" when talking about Tor Onions,
but in rolling out the Facebook onion we established several clear benefits:

1\. better and safer experience for people accessing over Tor: no interference
by exit nodes, no bandwidth-contention for exit nodes, no use of exit nodes at
all.

2\. "good neighbour" \- reciprocally, popular sites can unload themselves from
eating up scarce exit-node bandwidth.

3\. "a peace offering" \- people (continue to) use Facebook over Tor; 3 years
ago we saw 500,000/month, more recently ~1 million. Overwhelmingly we found
(through measurement and assessment) that people using Facebook over Tor were
ordinary folk wanting to do ordinary things. especially in times of political
crisis. Providing a metaphorical "olive branch" showed that we value their use
of the site.

4\. Discretion & Trust. Onion Sites are considered to be about "Anonymity",
but really they offer two more features: Discretion (eg: your employer or ISP
cannot see what you are browsing, not even what site) and trust (if you access
facebookcorewwwi.onion you are definitely connected to Facebook, because of
the nature of Onion addressing; no DNS or CA shenanigans are applicable.)

[0]:
[https://www.reddit.com/r/TOR/comments/792mfr/the_new_york_ti...](https://www.reddit.com/r/TOR/comments/792mfr/the_new_york_times_is_now_available_as_a_tor/doymov3/)

~~~
cJ0th
Is this mainly intended for people from non-western countries who need a
channel for free speech? Because apart from that I see no point in FB offering
an onion service. If anonymity, discretion and trust are what I am looking for
than surely FB itself is one of the least appropriate platforms for me.

------
jsfreedman
For a publication that openly supported the Iraq war and all the suffering
that entailed for innocent civilians, its kinda funny that they're suddenly
all concerned about people's rights.

------
patrickaljord
The NYT is so pro-establishment it is probably the last site on Earth that
would have its domain taken away from them.

~~~
forapurpose
The Times has been blocked repeatedly, maybe even semi-permanently, in China.
It gets blocked in other countries too, IIRC.

In the U.S., the Times published Chelsea Manning's leaked State Dept
documents, it broke the story on Hilary Clinton's email sever, it reported the
Wikileaks' DNC emails for months up to the US presidential election, and now
it aggressively goes after Trump. While it's imperfect, I don't see which part
of the establishment it so strongly supports.

~~~
serf
_> While it's imperfect, I don't see which part of the establishment it so
strongly supports._

The State Department. NYT is vital in fabricating the history of conflicts and
internal problems that have ever affected the United States.

to name a few : Syria, Iraq, Afghanistan, the War on Drugs, the Indochina
wars, Cuba, Mexico, outside-of-country extradition, continual abuse and
outright breaking of UN laws and sanctions, etc.

That's not even mentioning their (the NYT) history of character assassination
with regards to civil rights leaders, activists, authors, speakers, and
alternative thinkers.

...OR you get the Chomsky treatment, and they pretend that you don't exist for
a few decades.

I didn't bother with citations, there are plenty to read through with just a
cursory search engine query, but since I already invoked the name of the
beast, i'll let him tell you about NYT[0].

NYT's is systematically biased in who or what it chooses to illuminate for the
public to digest. Don't be surprised when they do good by you -- it's all
character building -- just like this news that they're embracing tor.

Boy, aren't they just keen!

[0]Noam Chomsky: The New York Times is pure propaganda:
[https://www.salon.com/2015/05/25/noam_chomsky_the_new_york_t...](https://www.salon.com/2015/05/25/noam_chomsky_the_new_york_times_is_pure_proganda_partner/)

------
thatonechad
Not a huge fan of the NYT but this is pretty cool!

~~~
nathancahill
Careful, you'll cut yourself on that edge!

------
justinzollars
Awesome!

------
pbarnes_1
Can someone explain... why?

~~~
grzm
From the article:

> _" Some readers choose to use Tor to access our journalism because they’re
> technically blocked from accessing our website; or because they worry about
> local network monitoring; or because they care about online privacy; or
> simply because that is the method that they prefer."_

~~~
cJ0th
That's still a bit of a non answer. More to the point: Why does a mainstream
news outlet care about this small group of people?

~~~
grzm
What's your working definition of "mainstream news outlet"? I can't think of a
reasonable one that precludes them from broadening their reach. And given
their size, they are more likely to have the resources to do so.

Also, there are large populations where network monitoring and/or content
restrictions are part of everyday life. The New York Times experienced this
directly with respect to their iOS app in China.

[https://www.nytimes.com/2017/01/04/business/media/new-
york-t...](https://www.nytimes.com/2017/01/04/business/media/new-york-times-
apps-apple-china.html)

Edit to add: To turn it around, why _shouldn 't_ the NYT do this? That isn't
snark: I'm interested in hearing substantial reasons for the skepticism
implicit in 'pbarnes_1 original question. Granted, I haven't read _all_ of the
comments for this submission, I haven't seen any that convincingly argue this
isn't a useful thing.

~~~
cJ0th
> What's your working definition of "mainstream news outlet"?

A news outlet with a "one size fits most" attitude. That is, they offer a
product which caters to people who could be described as "average". Typically
companies focus their energy only on (potential) customers, not those who
aren't a good fit for the product in the first place. There probably are more
profit-promising people out there for the NYT than those who are somewhat
crypto-nerds. They don't like clicking ads, some may even feel uneasy using
typical payment methods to buy a subscription.

> Also there are large populations where network monitoring and/or content
> restrictions are part of everyday life.

yeah, that's reasonable.

------
plg
is it still paywalled on the onion service?

------
ringaroundthetx
Ah, so disagreement with an administration is what will make everyone
eventually to TOR

Nothing to hide except when the wrong guy gets in power then you feel naked

~~~
matt4077
Do you _really_ think the NYT does this out of some specific fear?

And if yes, does their adoption of https in 2014[0]\ then imply that they were
equally suspicious of the previous administration?

[0]: [https://open.blogs.nytimes.com/2014/11/13/embracing-
https/](https://open.blogs.nytimes.com/2014/11/13/embracing-https/)

~~~
ringaroundthetx
Not the NYT itself, no

------
rayiner
Comical attempt to give Street cred to the NYT.

~~~
eggpy
Comical how? Check out their tech blog[0]. I'd venture a guess that they are
the most technically adventurous news site, if not one of the more open
corporations around in regards to trying new technology and writing about the
experience. A lot of what they have to say is pretty interesting.

[0] - [https://open.nytimes.com/](https://open.nytimes.com/)

~~~
b1gtuna
I agree. NYTimes has led with technical prowess the past a few years.

------
Bishonen88
So is it now "guaranteed", that TOR is secure? And how many "guarantees" does
one need in order to be "guaranteed" security whilst browsing?

[...]and they provide additional guarantees that readers are connected
securely to our website.[...]

~~~
gressquel
Its not secure. "Everyone" knows that. Everytime a drug market is taken down
or a pedophile ring is busted, the investigators from FBI always claim it was
some dubious mistake from the admin whic lead to it. But we all know they have
discovered a vulnurability in the TOR protocol but won't disclose it.

Safe browsing guys

//edit: if you want extra security. Launch TOR from a remote desktop. And I am
not talking about the ones you buy from known VPN providers like NordicVPN or
amazon web services.

~~~
staticassertion
I guess I'm not everyone. I'd bet that the majority of the 'busts' are due to:

a) Infiltrating chats where people are more likely to share sensitive
information / trust the people they're talking to

b) Poor configurations/ setups on either the client or server (client browser
bundle has noscript, but it's not on the strictest settings, js is enabled
iirc)

c) Exploitation of client or server due to out of date versions, things like
that

Historically I think it's always fallen into one of these cases - and not just
what the FBI etc say publicly but we've seen these exploits ITW. I wouldn't be
surprised if the NSA and other agencies have the power to deanonymize TOR
users but if it were trivial why is the majority of TOR traffic still going
towards illegal content? Last I read (a paper a year ago) TOR is still
primarily all about drugs, followed by child pornography (mostly drugs though
iirc). If they can track all of these people by breaking TOR completely... why
don't they?

~~~
colejohnson66
^ This.

Remember, Silk Road was finally found and taken down because Ross Ulbrich
messed up his OpSec on a Stack Overflow question.

~~~
0xJRS
Thats really interesting, does anyone have a link to an explanation about
this?

~~~
colejohnson66
Wow. That was 4 years ago?

Here’s a Reddit discussion:
[https://www.reddit.com/r/webdev/comments/1nln17/the_stackove...](https://www.reddit.com/r/webdev/comments/1nln17/the_stackoverflow_question_that_busted_the_silk/)

Basically, he posted to stack Overflow using his own name and email address
with code that was Silk Road was using. He quickly changed his username, but
it was too late.

