
Tor's Fall Harvest: The Next Generation of Onion Services - jerheinze
https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services/#asn
======
nikcub
If you are looking for a practical use of hidden services: we use them as
ingress for Docker and K8 management.

You start a container that runs just tor with a config and can read the
routing endpoints from your config, or link to localhost:2375

    HiddenServicePort <onion port> <host>:<port>

You set up HiddenServiceAuthorizeClient with the stealth auth type and a list of
authorized clients.

You can lock your firewall rules down as the hidden service only requires
outbound to HTTPS.

On the client end you set up regular Tor with:

    HidServAuth <onion address> <auth-cookie>

With stealth auth other tor users won't see the service and port published
without the auth cookie

You can then use socat to bind the remote hidden service and port to a local
host and port:

    socat TCP-LISTEN:2023,bind=127.0.0.1,fork SOCKS4A:127.0.0.1:onionaddr.onion:23,socksport=9050

You then have the remote ssh server available locally with no public
interfaces, no public ports, and an additional layer of confidentiality and
authentication
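
A worked version of the pattern above, added here as an example rather than the commenter's own configuration: the service-side torrc for the tor-only container, the conversion of tor's generated `hostname` line into the client's HidServAuth line, and the local socat forwarder. It assumes the legacy (v2) stealth client-auth directives named above, a client called ops-laptop, onion port 22 forwarded to sshd on 127.0.0.1:22, and a constructed hostname line.

```shell
#!/bin/sh
# Added example of the ingress pattern described above (not the commenter's own
# config). Assumptions: legacy (v2) stealth client auth, client name "ops-laptop",
# onion port 22 -> sshd on 127.0.0.1:22, tor's SOCKS port 9050 on the client.

# Service side: torrc for the tor-only container. Nothing listens publicly, so the
# container's firewall can be outbound-only.
write_service_torrc() {
    cat <<'EOF'
SocksPort 0
HiddenServiceDir /var/lib/tor/mgmt/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient stealth ops-laptop
EOF
}

# Once tor has started, /var/lib/tor/mgmt/hostname holds one line per client:
#   <onion>.onion <cookie> # client: <name>
# Convert that line into the HidServAuth line for the client's torrc. The cookie
# is a shared secret: without it other tor users cannot even locate the service.
hidservauth_line() {
    # $1 = one line of the hostname file
    set -- $1
    printf 'HidServAuth %s %s\n' "$1" "$2"
}

# Client side: bind a loopback port and hand every connection to tor's SOCKS
# port. SOCKS4A lets tor resolve the .onion, so the name never reaches local DNS.
socat_command() {
    # $1 = onion address, $2 = onion port, $3 = local listen port
    printf 'socat TCP-LISTEN:%s,bind=127.0.0.1,fork SOCKS4A:127.0.0.1:%s:%s,socksport=9050\n' \
        "$3" "$1" "$2"
}

# Constructed hostname line, in the form tor writes for client "ops-laptop".
SAMPLE_HOSTNAME_LINE='abcdefghijklmnop.onion Xk7Qm2LpR9tYvW4eA1bCdg # client: ops-laptop'

write_service_torrc
hidservauth_line "$SAMPLE_HOSTNAME_LINE"
socat_command abcdefghijklmnop.onion 22 2022
# then, on the client: ssh -p 2022 user@127.0.0.1
```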

~~~
ynezz
> additional layer of confidentiality and authentication

and additional layers of attack surfaces

~~~
belorn
From an IT Security Assessment, what would those be and their associated risk
and impact factors?

One would naturally be the onion address. If they could break the 1024 bit RSA
key, they could hijack the name. Risk of this happening: very low. Impact:
massive especially outside the realm of tor.

Any additional risks you were thinking about? Backdoors in tor project?
Hardware malware specifically designed for tor (rather than being general)?

~~~
Ajedi32
I believe the main concern would be vulnerabilities in the Tor software
itself.

That said, I don't think there's any reason to believe Tor is any more likely
to be vulnerable than any other software in your stack. The project is open
source, and is very much written with a focus on security and privacy.

------
zaroth
Here's a question I have on this -- I've been eagerly awaiting the new
functionality to have onion addresses where using them doesn't reveal their
existence. So the address itself becomes a form of shared key.

But this opens another possibility of one-time addresses, and address
scalability. My question is, does network cost increase with number of
addresses? If peers on the network are using one-time addresses to form
circuits, will that scale fine?

Basically I am envisioning two people communicating via dedicated addresses
for their own use only. So a single key becomes a network channel to send data
to a specific peer. That "peer" could actually be many different devices, but
all ultimately connect to the same distributed application with a shared
state.

So basically onion addresses are usernames which also let you pipe data to
that user, right? How is this not the coolest thing ever?

~~~
asn_tor
Each onion service does increase network load but not anything super intense.

The use case you suggested should be possible. Also check out ricochet which
works with legacy onions for chat.

------
schoen
I decided this was just the right occasion to propose DV certificate issuance
for these names:

[https://cabforum.org/pipermail/public/2017-November/012451.h...](https://cabforum.org/pipermail/public/2017-November/012451.html)

~~~
asn_tor
Thanks Seth! That's great stuff :)

------
pault
The issue I've always had with onion addresses is that you can't remember
them, which means you need to keep a list of bookmarks saved locally
somewhere, which–if you're using tor to avoid prosecution–is pretty
incriminating. What's the solution?

~~~
nikcub
There is a pluggable name resolution proposal:

[https://gitweb.torproject.org/torspec.git/tree/proposals/279...](https://gitweb.torproject.org/torspec.git/tree/proposals/279-naming-layer-api.txt)

You'd be able to run namecoin and other systems

edit: to add, I haven't yet completely bought into the new onion services. I
like a lot of the security improvements, but it is really going to depend on
how name resolution works and how authenticating endpoints will work for
users. Running a pluggable name resolution system means we can try out
different solutions and see which takes off organically and practically.

~~~
asn_tor
Yes indeed the naming issue is important and needs to be addressed. We are
currently pretty busy with stuff so we haven't even started implementing the
aforementioned proposal (or considered whether it's a good idea).

BTW check out this link for some survey results that point out that onion
length might not matter so much since the legacy onions were already
unrememberable: [https://lists.torproject.org/pipermail/tor-dev/2017-Septembe...](https://lists.torproject.org/pipermail/tor-dev/2017-September/012464.html)

Cheers and thanks for keeping the discussion fruitful :)

------
jstanley
> And finally from the casual user's PoV, the only thing that changes is that
> new onions are bigger, tastier and they now look like this:
> 7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion. For more
> information on the nitty-gritty details, please check out our technical
> specification.

It's a shame they don't have a description for technical users. I'm more
interested than "bigger, tastier, and looks like this", but less interested
than 13000 words of specification.

~~~
dublinben
TL;DR of that change is that they've moved from a truncated SHA1 hash to
SHA3/ed25519/curve25519. For more detail, here's their own summary from the
technical specification:

    Here is a list of improvements of this proposal over the legacy hidden services:

    a) Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
    b) Improved directory protocol leaking less to directory servers.
    c) Improved directory protocol with smaller surface for targeted attacks.
    d) Better onion address security against impersonation.
    e) More extensible introduction/rendezvous protocol.
    f) Offline keys for onion services
    g) Advanced client authorization

------
the_stc
Being undiscoverable is a big help. For our ancillary services, we've taken to
using Tor2Web to auth mode HS servers because some random domain is less
likely to look interesting for people to poke at. Publishing a .onion,
especially with some general-purpose software hosted on it, screams that there
is something of interest there.

~~~
superkuh
Gotta be the change you want to see. None of my hidden service .onion sites
are anything "of interest". They're just electronics and radio hobby stuff
like the web has always had.

Put everything on Tor as a hidden service and eventually the stigma will go
away.

~~~
celticninja
Do you have a guide to doing that? I would love to host some stuff on Tor just
because.

~~~
jstanley
Here you go: [https://www.torproject.org/docs/tor-hidden-service.html.en](https://www.torproject.org/docs/tor-hidden-service.html.en)

It's dead easy. Set up a web server basically like normal, but make sure it's
listening only on loopback if that's important to you.

Then install tor, and add a couple of lines to the torrc and restart tor.

    HiddenServiceDir /usr/local/etc/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080

The keypair will be generated and you'll find the onion address in
/usr/local/etc/tor/hidden_service/hostname, and it'll forward all traffic to
127.0.0.1:8080.

You can run as many hidden services as you like on the same tor instance, with
different onion addresses, and forwarding to different places.

~~~
dmix
How have you found long term maintenance of running these services? ie,
running into random breakage and spending time debugging the system vs an
nginx box or something... Is it set-it-and-forget-it type of system?

I've always wanted to set up onion addresses but I'm always wary to open up a
new bag of worms for my personal projects.

The fact it sounds so easy is encouraging.

~~~
jstanley
Yes, it's set-and-forget. It still runs nginx, it's basically the same as
running a clearnet site.

I've not experienced any random breakages.

------
amingilani
I used to use Tor to bypass censorship on pr0n in my country and ended up
trying to run a hidden service for fun. My biggest peeve with it was the domain
name. I mean, sure I understand why it isn't human readable but then there are
so many ways to counter that. We've got the blockchain and we have the IPFS
way to handle these things too.

I'm hoping at some point blockchain DNS systems are adopted by mainstream (or
niche in case of Tor) vendors. It would make it so much much easier to name
onions.

~~~
amelius
How fast/convenient is Tor for downloading large files, like video (e.g. via
Bittorrent)?

PS: It seems that Bittorrent over Tor is a bad idea, [1].

[1] [https://blog.torproject.org/bittorrent-over-tor-isnt-good-id...](https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea)

~~~
devrandomguy
In Qatar, which has a national firewall, I was able to use Tor to browse
torrent sites, and then use a regular bittorrent client to fetch the contents
of the magnet links (encrypted connections only). That worked great for the
few years that I was there. The Qatari internet was a fair bit faster than
what I am used to from Canada, about 30 - 50 MB/s at max torrent.

~~~
Teapot
Worth trying Tribler. Seems it's Torrent traffic inside its own Tor network.
[https://en.wikipedia.org/wiki/Tribler](https://en.wikipedia.org/wiki/Tribler)

------
wybiral
I have mixed feelings about Tor. As a proxy to hide your IP address it makes
perfect sense to me.

But what's the end result of hidden services?

I want to be anonymous sometimes but I can't think of a time when I want the
host of a service I use to be anonymous.

In most situations their identity is actually important to me. I want to know
the source of news, to trust that I'm sending a message to the right person,
to trust that I'm not relying on a site run by some kid in her parents'
basement.

And I know that legitimate sites can get certs for onions these days (like
facebook)... But doesn't that defeat the original purpose of running a hidden
service if the purpose is to hide the owner?

~~~
azernik
Tor hides the identity of the service provider _to third-party eavesdroppers_.
You might know someone and have gotten the onion address of a file upload
server from them, but not want the government or your ISP to know who you're
talking to.

It also hides a service provider's physical location (well, their IP
address and hence location in the network graph) from even a user that knows
their identity. You might know that I am an investigative journalist you're
trying to send information to - or, given the origin of Tor, maybe you're a
spy and you know I'm your handler - but I don't want to give away my location.

There are also a lot of use cases where the user doesn't care _that_ much
about knowing who the service provider is, and the service provider cares _a
lot_ about hiding their identity (enough so that they would not provide the
service if they could not be anonymous).

For the example of, say, political commentary - often what you care about
there is less the real-world identity of a person, and more their persistent
identity and reputation. On the other side of the equation, though, in some
environments people might not feel safe expressing their opinions _at all_ if
those opinions could be traced back to them.

~~~
zAy0LfpBZLC8mAC
To add to that, one useful application for hidden services is to enable SSH
login on machines that are behind some impenetrable NATs/firewalls that you
can't open up for inbound connections. Have a machine behind mobile, NAT only
internet? Set up a tor hidden service and log in without any problems!

~~~
wybiral
I see this as a valid point. You don't need Tor for that, any local app could
proxy a connection that way. But, yes, it is a useful side effect of Tor.

~~~
zAy0LfpBZLC8mAC
First of all, actually, no, a "local app" can't do that. The problem is that
the machine doesn't have a globally reachable address, and that's not
something that you can solve by changing the software on the machine, you need
some external service that provides you with a globally reachable address and
a way to forward connection requests for that address to your machine. That is
a service that the Tor network provides.

Obviously, Tor is not the only solution to this problem, but it is one that
has the nice property that you don't need to register any accounts, you don't
need to pay for anything, the availability of the Tor network is pretty good
...

Also I am not so sure I would call it a side effect, for two reasons:

1. Any application that grows the anonymity set of Tor is useful for the
goals of the Tor network. Even if your SSH session does not have any use for
the anonymity that Tor provides, it still is good for the Tor network that you
add cover traffic to the network for those who need it.

2. Decentralization has a lot of overlap with anonymity, and as such I would
consider this use actually to be well within the use cases that Tor is
intended for: ISPs build networks that increasingly make it difficult to use
your own devices for anything more than consuming content that is delivered
from the network, thus contributing to the growth of the kind of centralized
services that don't provide any anonymity at all. Using Tor to access your own
machines and thus enabling you to build infrastructure that is not inspected
by third parties is very much aligned with the goals of the Tor project.

~~~
wybiral
I care more about security and privacy than anonymity.

IPFS or Keybase seem like better approaches towards those goals. And, yes, Tor
makes sense if you need to hide your IP address. But beyond that I don't see
much further use.

~~~
zAy0LfpBZLC8mAC
I don't think many people care about anonymity as a primary value. Anonymity
is simply one tool to achieve privacy and security against certain types of
risks/attacks.

------
flyGuyOnTheSly
> Get in touch if you'd like to sponsor us to work on onion services to make
> them faster, slower, or stabler.

That's a strange comment.

Why would they accept money to make the TOR system slower?

------
MBCook
Does it fix the LONG standing issue that Dr. Krawetz keeps discussing on his
blog that makes it trivial to DOS an onion site? Description in the section
about ‘Eddie’.

[https://www.hackerfactor.com/blog/index.php?/archives/762-At...](https://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.html)

~~~
nikcub
He didn't discover an issue - he just FUD'd long enough until a few people
believed he did.

That he believes there is something "suspicious" about Tor nodes because their
IP doesn't match to any country or AS name in the free distribution of the
GeoIP database built into Tor is just smh bad

Why he also believes bots accessing his HS has anything to do with Tor Exit
nodes is also beyond me .. but he provides no evidence for any of that either

~~~
nikcub
To add: at the time that original story was posted I left this comment[0]
explaining what I believe he was seeing

He was asked to ping tor-security or file an issue and never did, afaik - nor
was it ever really seriously discussed

[0]
[https://news.ycombinator.com/item?id=14281434](https://news.ycombinator.com/item?id=14281434)

------
deepnotderp
How about a working implementation of the HORNET paper?

------
hannaysteve
The article is really interesting and valid.

------
tacotornado
Great story. I love the future.

