The New York Times Is Now Available as a Tor Onion Service (nytimes.com)
878 points by alecmuffett on Oct 27, 2017 | 192 comments

And they're using an Extended Validation certificate from DigiCert for it

    CN = nytimes3xbfgragh.onion
    OU = Technology
    O = The New York Times Company
    Object Identifier (2 5 4 15) = Private Organization

along with some other addresses

    DNS Name: nytimes3xbfgragh.onion
    DNS Name: graylady3jvrrxbe.onion
    DNS Name: *.graylady3jvrrxbe.onion
    DNS Name: *.dev.graylady3jvrrxbe.onion
    DNS Name: *.stg.graylady3jvrrxbe.onion
    DNS Name: *.nytimes3xbfgragh.onion
    DNS Name: *.api.nytimes3xbfgragh.onion
    DNS Name: *.api.dev.nytimes3xbfgragh.onion
    DNS Name: *.api.stg.nytimes3xbfgragh.onion
    DNS Name: *.blogs.nytimes3xbfgragh.onion
    DNS Name: *.blogs.stg.nytimes3xbfgragh.onion
    DNS Name: *.blogs5.stg.nytimes3xbfgragh.onion
    DNS Name: *.dev.nytimes3xbfgragh.onion
    DNS Name: *.dev.blogs.nytimes3xbfgragh.onion
    DNS Name: *.newsdev.nytimes3xbfgragh.onion
    DNS Name: *.prd.nytimes3xbfgragh.onion
    DNS Name: *.sbx.nytimes3xbfgragh.onion
    DNS Name: *.stg.nytimes3xbfgragh.onion
    DNS Name: *.stg.blogs.nytimes3xbfgragh.onion
    DNS Name: *.stg.newsdev.nytimes3xbfgragh.onion
    DNS Name: www.bestsellers.nytimes3xbfgragh.onion
    DNS Name: www.homedelivery.nytimes3xbfgragh.onion

Sometimes I wonder if it's a good idea to brute-force these kinds of "vanity" onion prefixes. Take a look at the addresses used in http://incoherency.co.uk/blog/stories/hidden-service-phishin... ; they brute-forced the same prefix with a different suffix. Would anyone really notice?

If they didn't use vanity names, then people would only remember the first/last few random characters and the phishing scheme could very well still work, just it'd be less readable for visitors. I don't think we can assume that if all the characters were random they would remember them all better.

I don't think people would remember them better if completely random. Rather, I think if they're completely random, people might correctly assume they can't, and remain appropriately skeptical; if they include a vanity prefix, people seem likely to remember the vanity prefix and somewhat less likely to pay attention to the rest.

If you're that easily phished, why are you using TOR at all?

You aren't being attentive enough for high risk activities. You lack proper verification channels, to confirm authenticity, which matters in this context. You lack the situational awareness to proceed safely.

Admit that you might not be cut out for what it takes to maintain a secure posture on the internet, if that's what gets you. Just stop pretending to try.

What we need is some way for the vast majority of the population who are not nearly as good at security as you are and never could be, to be able to access such sites securely.

The first step to that involves educating the media that the big scary dark web isn't just for drugs and other like minded Bitcoin slinging criminals.

Oh, I'd hazard a guess that the media is well-educated, and handily equipped with an agenda similar to advertisers and marketers employing dark patterns and pervasive analytics.

And I never claimed I was good at anything. But I did intend to point out that with advanced persistent threats in the mix, and nation state actors operating with effectively unlimited resources, failing to notice the difference between two vaguely similar nonces (in a situation where it matters) is going to get you hanged, depending on what you're trying to fly below radar.

Can you CNAME with onion domains? For example

    onion.nytimes.com CNAME nytimes3xbfgragh.onion

Edit to clarify - more a technical pondering than a solution to anything

.onion addresses aren't resolved using the DNS system. So... no?

I guess in theory a browser _could_ support something like that, but it'd be pretty unusual. I also think the idea of relying on DNS to resolve a hidden service would defeat a lot of the privacy and security guarantees associated with those services, so I don't think any browser serious about security would implement something like that.

Would it make any sense to use something like tor.nytimes.com to redirect to their hidden service on the other hand? To allow people to be sure they're hitting the correct endpoint on Tor. If you're on TOR you typically have access to the rest of the internet, at least depending on setup.

Only if you're fine broadcasting in plaintext what tor site you're going to. The DNS lookup defeats the privacy of using an onion address.

Exit nodes could also manipulate DNS.

Nice one cheers. I have no idea how .onion domains work, never used them/Tor

> guess in theory a browser _could_ support something like that, but it'd be pretty unusual.

Websites redirect all the time, there's 3 HTTP status codes for it.

An HTTP redirect is a completely different thing from a CNAME record in the DNS.

If you visit https://onion.nytimes.com/ and it sends you a 301 redirect to https://nytimes3xbfgragh.onion/ then yes, I'm pretty sure that'd work fine. However, if you perform a DNS lookup on `onion.nytimes.com` and receive in response a CNAME record pointing to `nytimes3xbfgragh.onion`, I seriously doubt the browser is going to respond to that by establishing a new Tor circuit to the named hidden service. Rather, it's most likely just going to do what every other DNS client does when it receives a CNAME record; it'll try to look up `nytimes3xbfgragh.onion` in the DNS. (And fail, because `.onion` is not a valid TLD in the regular DNS system.)

It is a bit silly considering you can trivially brute onion addresses consisting entirely of words.

I just generated "omen coins car hoof.onion" right now, in a couple of seconds, with my laptop CPU. With a couple of GTX1080s you could easily find some much better .onions than the ones NYT chose.

But can you easily get addresses that start with "nytimes" and end in words? (I'm genuinely curious btw)

I'd be inclined to go for something a bit shorter for this, perhaps just "times", but yeah.

Let's pretend we've got a $5000 budget.

Quick back-of-the-envelope math shows that an 8xGTX1080¹ box will be able to generate ~3 onion addresses beginning with "nytimes" every second, we can afford 6.25 months of this.

Instead of waiting a really long time, we'll rent multiple boxes and squeeze all that into one month. In that month our servers will find approximately 44055283.1 onion addresses beginning with "nytimes".

At least with the wordlist² I use, without a prefix I discover approximately one "good" onion per 8 million random onions. Considering we've got a 7 character prefix for our 44 million onion candidates, I'd expect a significantly better rate than just 1/8000000.

So yeah, in a month you'd probably find at least 5 "better" onion addresses.

¹ $800 a month https://selectel.com/solutions/gpu/ Shouldn't be a problem for NYT to get a few of these.

² which besides words contains some easily memorable fillers such as "aaa" "bbb" and so on

Interesting, thanks for the comprehensive answer! In this case it seems it would actually be a viable, and arguably more secure, alternative.

What does this mean in regular human terms?

An Extended Validation certificate is when a company goes to a CA and provides a bunch of business documents and legal proof that they really own the company behind a name. It's not a technical aspect but human lawyer <-> human lawyer that establishes a certificate. At the end, if the validation is successful, the company gets a technical signed document that in browsers shows up as a green lock and the name in green next to the URL.

So in addition to knowing that your browser is connected to where you want, you now know that the website you want is actually who they say they are?

Of course you also need a browser and/or OS to establish the roots of the trust relations.

...and hope Symantec/Comodo/et al won't start selling those certs by the bucket.

> you now know that the website you want is actually who they say they are?

That's the idea. Of course, validation, while more thorough than for standard certs, still is not that reliable. My strong impression is that it could be fooled by anyone sufficiently motivated.

Not only that - in practice it's kind of meaningless, because if you were served a non-EV cert, you wouldn't notice. And there's usually other domains or subdomains that don't use the EV cert. It's mostly just a kind of token gesture by a business to claim they're more secure.

EV is part of a narrative. Which has some value, even if weak.


> "a bunch of business documents and legal proof"

In my case they just needed me to put an entry in the Yellow Pages...

Errata: sorry I went back and checked and I believe they also required some proof of incorporation. My apologies for the incorrect cynicism. :(

Is the proof of incorporation not presented on physical paper? Seems easy to fake.

Aren't all corporations listed in a public registry where it's easy to verify?

Don't forget to restart your ypserver!

Also, never put this line in /etc/netgroup then rwall to it:

    universal (,,)


That was a fun read. Thanks for the link.

On a somewhat related topic, I worry a lot about things on the internet disappearing, most often simply due to neglect (domain expiry, companies being bought, etc.) I try to save everything I can that I find interesting, in fear of it never being available again.

That said, it makes me very happy to see emails from 1987 archived online--so happy that I've even saved a copy.

There's some more stuff about it on Jordan's wikipedia page. https://en.wikipedia.org/wiki/Jordan_Hubbard#rwall_incident

And Risks Digest: http://catless.ncl.ac.uk/Risks/4.73.html#subj10.1

I was one of the 743 people who received his rwall and immediately sent him a message (which I've since lost) flaming about the evils of Sun RPC (and promising a longer flame). I saved his reply and some old email about it from the hackers_guild and tcp-ip mailing lists.

IIRC, the flame probably would have touched on the fact that among Sun RPC services, rpc.rwalld was hardly the worst offender: Sun's NFS rpc.mountd demon trusted the client's word on what its hostname is (it was passed from client to server as a parameter to the mount RPC call -- the server didn't check the ip address!), in order to authenticate the client's permission to mount a directory!

That's right, you actually could mount any NFS directory by going "hostname <hostname known to be in server's /etc/exports> ; mount server:/directory /mnt ; hostname <previous host name>". And you could usually use the equivalent of "tftp server:/etc/exports /tmp/server_exports" to discover a trusted hostname to use, because Suns were set up like that by default, out of the box!

    Date: Tue, 31 Mar 87 12:02:53 PST
    From: jkh%violet.Berkeley.EDU@berkeley.edu (Jordan K. Hubbard)
    To: don@tumtum.cs.umd.edu
    Subject: re: flame flame flame

Thanks, you were nicer than most.. Here's the stock letter I've been sending back to people:

Thank you, thank you..

Now if I can only figure out why a lowly machine in a basement somewhere can send broadcast messages to the entire world. Doesn't seem right somehow.

Yours for an annoying network.


P.S. I was actually experimenting to see exactly how bad a crock RPC was. I'm beginning to get an idea. I look forward to your flame.



Jordan's rwall scribbled all over Dennis Perry's Interleaf windows (who Jordan incorrectly referred to as the Inspector General of the ARPAnet in the Pentagon, and who was "absolutely livid" and threatened to cut off UCB's ARPANET access). Things were pretty wide open back then, and Jordan's "little incident" really stirred up a hornet's nest!

There were some interesting followups from heavy duty dudes like Milo Medin and Dennis Perry on the h_g/tcp-ip mailing lists:

From: Milo S. Medin <medin@orion.arpa>

Actually, Dennis Perry is the head of DARPA/IPTO, not a pencil pusher in the IG's office. IPTO is the part of DARPA that deals with all CS issues (including funding for ARPANET, BSD, MACH, SDINET, etc...). Calling him part of the IG's office on the TCP/IP list probably didn't win you any favors. Coincidentally I was at a meeting at the Pentagon last Thursday that Dennis was at, along with Mike Corrigan (the man at DoD/OSD responsible for all of DDN), and a couple other such types discussing Internet management issues, when your little incident came up. Dennis was absolutely livid, and I recall him saying something about shutting off UCB's PSN ports if this happened again. There were also reports about the DCA management types really putting on the heat about turning on Mailbridge filtering now and not after the buttergates are deployed. I don't know if Mike St. Johns and company can hold them off much longer. Sigh... Mike Corrigan mentioned that this was the sort of thing that gets networks shut off. You really pissed off the wrong people with this move!

Dennis also called up some VP at SUN and demanded this hole be patched in the next release. People generally pay attention to such people.

From: Jordan K. Hubbard <jkh@violet.berkeley.edu>

Well, I hope Sun patches the holes, Milo. I'm sorry that certain people chose to react as strongly as they did in our esteemed government offices, but I am glad that it raised enough fuss to possibly get the problem fixed. No data was destroyed, lost, or infiltrated, but some people got a whack on the side of the head for leaving the back door open. I'm not sure I can say that I'm all that sorry that this happened. rwall is certainly going to change on my machines, I can only hope that people concerned about being rwall'd over the net will tighten up their RPC. Those that don't care, should at least be aware of it.

From: Dennis G. Perry <PERRY@vax.darpa.mil>

Jordan, you are right in your assumptions that people will get annoyed that what happened was allowed to happen.

By the way, I am the program manager of the Arpanet in the Information Science and Technology Office of DARPA, located in Roslin (Arlington), not the Pentagon.

I would like suggestions as to what you, or anyone else, think should be done to prevent such occurrences in the future. There are many drastic choices one could make. Is there a reasonable one? Perhaps someone from Sun could volunteer what their action will be in light of this revelation. I certainly hope that the community can come up with a good solution, because I know that when the problem gets solved from the top the solutions will reflect their concerns.

Think about this situation and I think you will all agree that this is a serious problem that could cripple the Arpanet and any other net that lets things like this happen without control.

dennis ———

From: Jordan K. Hubbard <jkh@violet.berkeley.edu>


Sorry about the mixup on your location and position within DARPA. I got the news of your call to Richard Olson second hand, and I guess details got muddled along the way. I think the best solution to this problem (and other problems of this nature) is to tighten up the receiving ends. Assuming that the network is basically hostile seems safer than assuming that it's benign when deciding which services to offer.

I don't know what Sun has in mind for Secure RPC, or whether they will move the release date for 4.0 (which presumably incorporates these features) closer, but I will be changing rwalld here at Berkeley to use a new YP database containing a list of "trusted" hosts. If it's possible to change RPC itself, without massive performance degradation, I may do that as well.

My primary concern is that people understand where and why unix/network security holes exist. I've gotten a few messages from people saying that they would consider it a bug if rwall didn't perform in this manner, and that hampering their ability to communicate with the rest of the network would be against the spirit of all it stands for. There is, of course, the opposite camp which feels that IMP's should only forward packets from hosts registered with the NIC. I think that either point of view has its pros and cons, but that it should be up to the users to make a choice. If they wish to expose themselves to potential annoyance in exchange for being able to, uh, communicate more freely, then so be it. If the opposite is true, then they can take appropriate action. At least an informed choice will have been made.

Yours for a secure, but usable, network.

From: Dennis G. Perry <PERRY@vax.darpa.mil>

Jordan, thanks for the note. I agree that we should discover and FIX holes found in the system. But at the same time, we don't want to have to shut the thing down until such a fix can be made. Misuse of the system gets us all in a lot of trouble. The Arpanet has succeeded because of the self policing community. If this type of potential for disruption gets used by very many people, I guarantee that we all will not like the solution or fix proposed.

dennis ———

Which CA?

Why do we think a lawyer would be less likely to be duped? If they are relying on physical paper and pen signatures...aren't those all incredibly easy to fake?

> If they are relying on physical paper and pen signatures...aren't those all incredibly easy to fake?

Lawyers are good at verifying identities. It's a core part of their work. More critically, in-person fraud scales differently from electronic fraud.

You get a green bar to know you're connecting to the NYT and the cert is issued for many additional addresses showing large coverage of their services and hinting at future use.

EV certs provide more than just encryption that a DV (domain validation) cert provides. DV just checks to make sure the domain is under control of whoever is asking for the cert.

EV ensures that the entity (person, corp, org, whatever) is in fact in control of the domain and is who they say they are.

Worth noting that a lot of the arguments in this article change when you're talking about Onion services.

Notably, Onion services tend to have URLs that are _very_ difficult for humans to remember (they're essentially just gibberish), and they're anonymous by default, meaning without an EV cert there's no easy way to check whether the service you're visiting is legitimate or not.

DV certs are also pretty useless for Onion services, since your connection is already encrypted and authenticated by Tor.

EV is mandatory for .onion HTTPS certificates - since onion hashes (the 'domain name') are even less meaningful as a form of identity than regular domains.

There's a couple of other differences with .onion certs too: https://certsimple.com/help/tor-support

This is incorrect. Onion domain addresses already provide the same level of confidence as a DV certificate, because they are a public key of the server you are connecting to. There would be no additional value in issuing a DV certificate for an .onion domain.

Yes, but how do you know that you are actually connected to nytimes3xpfgragh.onion each time? DV lets you know that the onion site you connected to is the NYTimes, and not a privacy-attacking MITM site.

Did you notice that I changed the nytimes URL a tiny bit up there? nytimes3xbfgragh.onion is the real one. (Yes, there's no guarantee that someone else would be able to generate a specific alternate address, but one that also starts with nytimes is probably possible for a well-resourced attacker.)
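An added example, not part of the thread and not any commenter's code: the one-character swap above is only caught by comparing the whole 16-character name against a pinned value, so this sketch checks a URL against the two onion names from the certificate quoted at the top of the thread and flags near-misses. The `min_prefix` and `max_diff` thresholds, the function names and the sample inputs in the test are assumptions made for illustration, and only 16-character v2 names as used in this thread are handled.

```python
import re
from urllib.parse import urlsplit

# Pinned v2 onion names, copied from the certificate names quoted in this thread.
PINNED = frozenset({"nytimes3xbfgragh.onion", "graylady3jvrrxbe.onion"})

# A v2 onion label is exactly 16 base32 characters (a-z, 2-7).
V2_LABEL = re.compile(r"[a-z2-7]{16}")


def onion_host(url_or_host):
    """Return '<16 chars>.onion' for a URL or host name, or None.

    Subdomains, scheme, port and path are stripped. The name must END in
    '<label>.onion', so 'nytimes3xbfgragh.onion.example.com' is rejected.
    """
    text = url_or_host.strip().lower()
    try:
        host = urlsplit(text if "//" in text else "//" + text).hostname or ""
    except ValueError:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    if not V2_LABEL.fullmatch(labels[-2]):
        return None
    return labels[-2] + ".onion"


def common_prefix_len(a, b):
    """Number of leading characters two labels share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def hamming(a, b):
    """Number of positions at which two equal-length labels differ."""
    return sum(x != y for x, y in zip(a, b))


def classify(url_or_host, pinned=PINNED, min_prefix=5, max_diff=2):
    """Classify a name as pinned, lookalike, unknown or invalid.

    'lookalike' means: not pinned, but it shares a vanity prefix of at
    least min_prefix characters with a pinned name, or differs from one in
    at most max_diff positions. Both thresholds are illustrative choices.
    Returns (verdict, pinned_name_it_resembles_or_matches_or_None).
    """
    host = onion_host(url_or_host)
    if host is None:
        return ("invalid", None)
    if host in pinned:
        return ("pinned", host)
    label = host[:16]
    for good in sorted(pinned):
        good_label = good[:16]
        if (common_prefix_len(label, good_label) >= min_prefix
                or hamming(label, good_label) <= max_diff):
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for candidate in ("https://www.nytimes3xbfgragh.onion/",
                      "nytimes3xpfgragh.onion"):
        print(candidate, classify(candidate))
```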

DV lets you know that you're connecting to the domain that you're connecting to. You already know that with all onion addresses.

EV lets you assure that you are connected to the New York Times.

I believe the original post meant "meaningful as form of identity" to human brains, not technical identity.

I'm trying to understand onion/tor better, what about Onion addresses specifically makes them I guess invulnerable to man in the middle attacks?

The public key is encoded in the onion address, so the client can verify the server you connect to has the matching private key. This is part of the tor protocol, so happens always when talking to onion services.

Onion domains are a form of content addressing based on public key pairs. Normally onion domains aren't that readable as the nytimes one and look more like a bunch of random letters. (All nytimes did was generate many million key pairs until they found one that looked cool.)

If you fetch web pages from http://abc123.onion you basically tell tor "connect me to whoever holds the certificate with fingerprint abc123". Any domain validated certificate on top of that is superfluous since you already know which certificate you are talking to. What you don't know is who holds it. This is where organizationally validated certificates can help.

I believe you've misread my post. A domain name is a poor form of identity in many cases, a hash is even less recognisable to most people.

Any idea why it was revoked?

This may not be the whole solution but it is a step in the right direction. Kudos to NYT for attention to this subset of readers.

It is. Overlay networks have a very expensive overhead, but it is one of the few ways that networks can be updated to modern views on security threats and privacy without getting ISPs to change their hardware and software. I am in particular hopeful that we might see a future where tor will simply be an available tool in the general network stack, enabling private end-to-end without exit nodes.

> Overlay networks have a very expensive overhead

Single onion services are a thing now for quite some time actually: https://web.archive.org/web/20161219230314/https://blog.torp... (had to use archive.org since images are broken on their blog currently)

Why is this a step in the right direction? Having a .onion service provides essentially zero benefit without a hidden backend.

People wanting to access NYT site via Tor, can just navigate to https://www.nytimes.com/ and it'll be significantly faster than the .onion equivalent.

> People wanting to access NYT site via Tor, can just navigate to https://www.nytimes.com/ and it'll be significantly faster than the .onion equivalent.

This isn't true, exits are currently in short supply. And onion services don't use exits, so it will result in a faster speed, especially since they may have made it as a single onion service[1].

[1] : https://web.archive.org/web/20161219230314/https://blog.torp...

This is a great thing. Tor wants to encourage people to use tor as a normal browser so it's harder to track individuals using tor.

Handy graph for anyone curious about the benefits of Tor [0]

[0]: https://www.eff.org/pages/tor-and-https

Does the onion service still serve the same advertisements their website and mobile app do?

If so, they're leaving their users-who-want-to-stay-relatively-anonymous open to attack via the advertisement vector. Members of that group would be considered high-value targets simply due to their anonymity desires.

I can't see the number of daily users being large enough that they'd lose significant profit by closing that attack vector. Hell, if there was a way to pay NYT enough to disable ads on all their services, I'd do it.

Tor Browser isolates cookies and other browser state into buckets based on URL bar domains.

... i.e. first party isolation, one can read more about it on the Tor Browser design document: https://www.torproject.org/projects/torbrowser/design/

How can I get first party isolation in regular chrome or firefox? That is exactly what I've been imagining/wanting since Firefox announced their new container prototype.

Thankfully Mozilla works with the Tor Project so that Tor Browser patches to Firefox get uplifted to mainline Firefox, you can read more about those efforts here: https://wiki.mozilla.org/Security/Tor_Uplift And the Tor Uplift tracker: https://torpat.ch/uplift

In this case the relevant preference is privacy.firstparty.isolate = true. Another worth pointing out pref is privacy.resistFingerprinting = true.

Thank you. I am excited for all the ways this is going to break the web for me, but this is exactly what I wanted. Maybe someday this will be on by default for everyone. Can you imagine?

In firefox: about:config -> privacy.firstparty.isolate = true

Note that containers provide similar functionality but in a less rigid manner. On the other hand first party isolation has the advantage that it also applies on navigation within a single tab while containers are fixed within a single tab. Currently neither is a superset of the other. If bug 1323873 [0] gets implemented then containers + some scripting by extensions could act as a superset of first party isolation.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1323873

I am curious about this as well. Tor is anonymous insofar as individual entrances and exits cannot be monitored. The advertising and other tracking pixels that would riddle something like the NYT site makes me think this is how some uncareful kingpin will fall, checking the op-eds.

Can't the nodes be compromised? I've eschewed using it as USG is purported to have taken over entrance and exit nodes using a combination of threats and bribery.

In order to fully compromise your privacy, the government would need to have control of _all nodes_ in your path, not just the entrance and exit nodes. (They _might_ be able to deanonymize some users by using traffic correlation using only entrance and exit nodes, but that is by no means a straightforward process.)

Tor also gives you a way to choose a specific exit node based on the country it is in, but I have no idea how reliable that is.

It is worth noting that with hidden services no exit nodes are required, since your traffic's final destination is running its own Tor-compatible node.

As Ajedi32 states, even knowing entrances and exits, it is SUPRHARD to figure out all the associations, but it has been done in the past for high profile sites. It is also not possible for them to monitor every entrance and exit, and it is akin to watching the entrances to a mall where everyone is dressed exactly the same, trying to identify who shops where. With one-off data, really hard. With regular or periodic data, the mystery is a lot easier to unravel.

I dunno, it is done in China to monitor everything. http://www.mirror.co.uk/news/world-news/china-installs-20-mi...

Why not try it and let us know instead of simply making guesses?

I was asking because I'm currently nowhere near a system that I'd trust for this purpose. I'll be near one later and, if you're interested, I'll update the question with my findings.

There exists a system that you wouldn't trust to provide a good-enough answer to the question "Does the onion service still serve the same advertisements their website and mobile app do?" ?

What do you think an untrustworthy system is doing that would make it give a not-good-enough answer?

That's a clever question and the answer has a few parts, mostly due to the slipperiness of "trust" as a concept: I wasn't specific enough in my description of my own threat model (which makes sense, as my aim wasn't to explain the threat model but to cultivate answers from other folks). In short, I currently only have access to systems that are too costly to replace, if the site is under active attack. That's not to say that HN's comment section isn't also a risk, but it seems less of one.

I considered these actors before deciding to ask the question instead of immediately connecting directly: available computer systems, internet pipes, the NYT website, and the bevy of third party ad-services hosted through the website.

Hey, Tom. I'll be right over with my laptop that I don't care about. You still on Green St.?

Nope, I got promoted to Wall St., 5th floor! Just leave it unattended in the Blue Room, by the donuts, and I'll pick it up in a few.

Is this conversation real? I don't know what's real anymore!

%6EY YcfI Yu0` *lAS B4k< GonA 9ZZ+ 02(#

I'm reading this from a bank workstation. Let me install Tor and see how long I can test NYTimes readability before I'm escorted out the door.

If you're using Tor surely you should be disabling third-party and non-onion assets and JavaScript?

Not all entry points do the most paranoid thing, and not all options are even available on all entry points.

The Tor Browser Bundle (desktop) has different defaults than Orfox (phone), and I think both will connect to non-onion URLs when connecting to an onion site. Same for JS, ad-block, etc.

As of last weekend, NYT-over-onion serves ads like their other entry points do.

curl -H ""

There are zero good web browsers with socks5 support. (which is needed for tor)

Mozilla is also currently matching all Tor donations: https://donate.torproject.org/pdr

Consider donating!

Will this help people in China at all? From an article I read a while back it seemed like Tor has been defeated there. (https://www.technologyreview.com/s/427413/how-china-blocks-t...)

That article is from 2012. It's a constant battle, which has changed a LOT in 5 years.



Well there's meek-amazon[1] which seems to work there. Also I remember I talked last month to some guy on irc at #tor who was using some obfs4 bridges successfully in China. There's also another pluggable transport named Snowflake[2] where everyone can become a bridge by just running some JS in their browser, which may prove to be a good solution (it doesn't work yet in China since it uses Google for domain fronting).

[1] : https://trac.torproject.org/projects/tor/wiki/doc/meek

[2] : https://trac.torproject.org/projects/tor/wiki/doc/Snowflake

What's the point of making it available in the Tor network if their onion site includes a script from www.googletagmanager.com (or an "iframe" if scripting is disabled) thus making it significantly less anonymous?

Onion websites should be isolated and should not initiate any connections to vanilla internet.

Edit: it also loads scripts from www.google.com, tags.bluekai.com, cdn.optimizely.com...

Hmm don't you have to pay to access the full newspaper? How does that mix with Tor anonymity?

Haven't tested to see how they are doing, but that's kinda orthogonal to using tor. Standard cryptography like https uses is meant so any eavesdroppers don't know WHAT you are talking about. But they still know that Alice is talking with Bob. Onion routing, that tor uses, is meant so eavesdroppers also don't know who is talking to whom. But that's on the eavesdroppers part. If Alice and Bob are talking completely privately, it's completely fine if they are exchanging all the information they want between themselves. The big idea is that attackers don't know what you are doing.

Tor can also hide where Bob's servers are, but not sure if the New York Times would need that bit.

Ah right - i was thinking of hiding from the US government, which can get the identity of subscribers directly from NYT.

I forgot there are other governments too... shame, I'm not even from the US.

The two things are not directly dependent: for instance, Facebook allows you to connect to your account through Tor. You still have a separate individual authentication (email & password, 2FA) once the connection is established. I believe I have a paying NYT account so I might try if you are interested.

It’s possible that Tor makes it harder to enforce the rule that you can’t read more than X articles per month (which I believe is enforced using cookies and your IP address) but at this early stage, I’m not sure that’s key: people who know how to use Tor generally can easily go around that limitation on https.

If too many people use that loophole to read without a subscription, that means NYTimes would have been instrumental in making Tor mainstream. That would be a major achievement in itself. Enforcing similar consumption limits through Tor would probably be rather experimental, but sounds hardly difficult (especially with the goodwill NYTimes would have most likely gained from Tor developers & supporters).

> It’s possible that Tor makes it harder to enforce the rule that you can’t read more than X articles per month (which I believe is enforced using cookies and your IP address) but at this early stage, I’m not sure that’s key: people who know how to use Tor generally can easily go around that limitation on https.

Their current X (which I think is 10) articles per month limit is enforced via cookies. If you're like me and have your browser set to automatically clear all cookies and persistent state on close, you never even notice it exists.

I disable javascript.

There you log in like normal. Tor can be used to hide from the website owners, and from the network owners between you and the website. If you don't mind that the website knows who you are, you log in and identify yourself to them, without letting the network know what you do.

They show the countdown of remaining articles but they have virtually no way of identifying your browser over Tor so all you need is to clear cookies and continue to browse anonymously.

I'm pretty sure you can clear your cookies on a normal browser and reset the number of remaining articles for the month.

The paywall exists on the NYT's onion site as well. But a certain number of articles -- I think 10 -- are free to read each month.

That would still contradict anonymity though. They can't track users by IP address or cookies (if Tor browser is used... it is transient for the session) and having people register means they likely have to come out of anonymity. If they do manage to register one from an anonymous throwaway address, then it essentially makes the paywall moot...

I don't see the point.

A hidden service is set up for information that cannot be safely presented on the public Internet. Like what The Daily Stormer did.

If one just wanted to bypass blocking or hide himself from evil third parties, he could just use tor browser to open NYT's regular domain instead of the hidden service domain, no?

Onion services are faster on Tor, since you aren't limited by the bandwidth of the exit nodes.

There are also some security benefits, since connections to hidden services are automatically encrypted and authenticated, no HTTPS or trust in Certificate Authorities required (though HTTPS with EV certs can still be useful for identification purposes).

You don't own a traditional domain. You are given temporary permission to use it. A tor onion address is something you can actually own.

The url is a bit hard to remember. https://www.nytimes3xbfgragh.onion/ Is there a directory of .onion sites? (with an easy .onion url)

There are no “easy” onion URLs. They are essentially random (hash of a key iirc). It’s possible to generate random URLs until you get a prefix you like, but the time it takes increases exponentially with length of the desired prefix.

I wonder why namecoin addresses are not a part of the tor yet. Onion urls should be treated more like IPs.

It's in their works, see their proposal 279: https://gitweb.torproject.org/torspec.git/tree/proposals/279...

As well as this blog post: https://blog.torproject.org/cooking-onions-names-your-onions

See also this ticket for following the progress: https://trac.torproject.org/projects/tor/ticket/10747

I guess there could be a regular website that links to a .onion directory

I recall that Facebook brute forced their way into having an onion url that was easy to remember, by generating millions of them and then picking one that was simple.

That's clearly what the New York Times did as well (though probably with far less compute time than Facebook). nytimes3xbfgragh.onion is the easy to remember name they were able to generate.

Just say it out loud: En Why Times Three Ecks Bee Eff Gra{gargle}

Easy to remember.

It's something like facebookcorewwwi.onion - that must have taken a lot of cycles to generate..

IIRC they got the "corewwwi" part instead of complete nonsense purely out of luck, when searching for just "facebook*"

It was over 100,000,000 CPU-hours https://news.ycombinator.com/item?id=11550922 And they still got extremely lucky to find such a good address. https://news.ycombinator.com/item?id=8538390 It's not usually that easy.

I found blockchainbdgpzk in just under 3 days. It was the sixth blockchain* address I found.

I ran 3x 4 GPU cloud instances on AWS on the old Teslas - which aren't very fast at SHA. IIRC it was doing 15GH/s total

Today you can get ~7GH/s on an Nvidia 1080 so you should be able to find an all-alpha 10 char onion in about a week.

The new cards and some of the password cracking rigs (I'm building a new one now) are able to do SHA1 so quickly that they're a real threat to generating phishing addresses for onions - which is why the DigiCert certificates are required

Does anyone know why they posted this story through Medium?

TimesOpen is an engineer-driven blog. Its previous incarnation was self-hosted on a WordPress stack (separate from our main CMS), but for various reasons it was decided to re-platform.

There were many discussions before settling on Medium and alternatives were considered (such as dogfooding our own CMS). We have a lot of work in-flight to modernize and simplify our publishing stack, and the timing wasn't right to rely on internal tools to publish a new blog.

How widely is WordPress being used at NYT today? Seems like it was used a lot about five years ago but don’t see it much anymore.

Could you thank the folks involved in this? The TOS is great news.

Because their own site is paywalled.

Tried to show my support by subscribing over Tor, unf:

    This action is not supported over Onion yet, sorry.

Which kind of makes sense, since you were probably about to ask my CC info, but still...

Is there a search engine or other convenient discovery mechanism for Onion services?

I know DuckDuckGo has their own hidden service, but it seems that site only returns results from the regular internet, not from other hidden services.

> hidden services

I think you responded to your own question.

Besides that there are lists of onion services. Apparently there are also search services like https://ahmia.fi/

It's the real IP address of the service that's hidden, not necessarily its Onion address. In theory, there's no reason `.onion` links couldn't be crawled and indexed by search engines the same way any other website is.

Although there's a risk to using onion directories, since you have to trust that the hash they give you for the New York Times for example, is actually the real hash. It's easier to spoof onion hashes than domain names since domain names are more well known. You'd hopefully catch that you're connecting to nytim3s.com, not so much nytimes3xbfgra3h.onion.
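Added example, not part of the thread: one way to check an onion link from a directory against a pin list, which also covers the earlier point that a vanity prefix costs exponentially more to search for as it gets longer. It assumes the 16-character v2 address format seen in this thread; the pin list, function names and thresholds are hypothetical.

```python
from urllib.parse import urlsplit

V2_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")  # base32 characters

# Known-good addresses, both quoted in this thread. A real pin list would be
# filled from a channel you already trust (assumption of this sketch).
PINNED = {
    "nytimes3xbfgragh": "The New York Times",
    "facebookcorewwwi": "Facebook",
}


def onion_label(url_or_host):
    """Return the 16-character v2 onion label, or None if the input is not one."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat a bare host as a netloc
    try:
        host = urlsplit(text).hostname or ""
    except ValueError:
        return None
    host = host.rstrip(".")
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].split(".")[-1]  # drop subdomains such as "www"
    if len(label) != 16 or not set(label) <= V2_ALPHABET:
        return None
    return label


def shared_prefix(a, b):
    """Number of leading characters the two labels have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def differing_positions(a, b):
    """Hamming distance between two equal-length labels."""
    return sum(x != y for x, y in zip(a, b))


def expected_candidates(prefix_len):
    """Average number of random addresses tried before one matches a fixed prefix."""
    return 32 ** prefix_len


def classify(url_or_host, pinned=PINNED, min_prefix=6, max_diff=2):
    """Return (verdict, owner): pinned, lookalike, unknown or invalid."""
    label = onion_label(url_or_host)
    if label is None:
        return ("invalid", None)
    if label in pinned:
        return ("pinned", pinned[label])
    for good, owner in pinned.items():
        # Same readable prefix, or nearly identical overall: treat as a spoof.
        if (shared_prefix(label, good) >= min_prefix
                or differing_positions(label, good) <= max_diff):
            return ("lookalike", owner)
    return ("unknown", None)


if __name__ == "__main__":
    samples = [
        "https://www.nytimes3xbfgragh.onion/",  # from the thread
        "nytimes3xbfgra3h.onion",               # look-alike quoted in the thread
        "nytimes3aaaaaaaa.onion",               # constructed: same prefix only
        "abcdefghijklmnop.onion",               # constructed: unrelated
    ]
    for s in samples:
        print(s, classify(s))
    print("8-char prefix costs about", expected_candidates(8), "tries")
```

Only an exact match of all 16 characters counts as trusted; anything that merely resembles a pinned address is reported with the name it imitates.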

EV certs can help with this to some extent. For example, the New York Times is using an EV cert with the organization name "The New York Times Company" for their hidden service. So as long as you trust the CA system, you can be certain that you're talking to a server operated by The New York Times, and not just a copycat.

Yes, but EV isn't that common on Tor. How would I distinguish Dread Pirate Roberts' Silk Road from FBI's Silk Road in a Tor online directory?

Well, obviously EV is less useful [0] for services where the host’s anonymity is a key part of the reason the server is on Tor.

But for services on Tor that are fine with being identified but who wish their users to be opaque to third parties it seems to have some value.

[0] without a radically different CA infrastructure which has no chance of getting preloaded into browsers.

There was abiko, but it seems to be down right now:


Err... does the tor site still have the 10 views a month for free limit? Are tor users supposed to subscribe to NYT - that will surely blow through any privacy you hope to achieve.


I don't know about other browsers, but with Cliqz if I turn it off after 10 articles and turn it on, the NYT starts counting from 0 again.

I'm seeing a different page at the Tor address than at the regular address. The layout is different:



What would be the advantage here?

From the /r/tor thread System33 posted a comment[0] originally by Alec Muffett explaining why Facebook set up a TOR service, which may answer some of your questions:

Why would anyone run a legal onion service?

Thanks Alec Muffett (OP) for the following summary copied from this comment

Understandably folk tend to think "Anonymity!" when talking about Tor Onions, but in rolling out the Facebook onion we established several clear benefits:

1. better and safer experience for people accessing over Tor: no interference by exit nodes, no bandwidth-contention for exit nodes, no use of exit nodes at all.

2. "good neighbour" - reciprocally, popular sites can unload themselves from eating up scarce exit-node bandwidth.

3. "a peace offering" - people (continue to) use Facebook over Tor; 3 years ago we saw 500,000/month, more recently ~1 million. Overwhelmingly we found (through measurement and assessment) that people using Facebook over Tor were ordinary folk wanting to do ordinary things, especially in times of political crisis. Providing a metaphorical "olive branch" showed that we value their use of the site.

4. Discretion & Trust. Onion Sites are considered to be about "Anonymity", but really they offer two more features: Discretion (eg: your employer or ISP cannot see what you are browsing, not even what site) and trust (if you access facebookcorewwwi.onion you are definitely connected to Facebook, because of the nature of Onion addressing; no DNS or CA shenanigans are applicable.)

[0]: https://www.reddit.com/r/TOR/comments/792mfr/the_new_york_ti...

Is this mainly intended for people from non-western countries who need a channel for free speech? Because apart from that I see no point in FB offering an onion service. If anonymity, discretion and trust are what I am looking for then surely FB itself is one of the least appropriate platforms for me.

>The New York Times reports on stories all over the world, and our reporting is read by people around the world. Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer.

Yes, but NYT doesn't need an .onion service for people to access it over Tor. Half the point of Tor is that it works with normal sites too.

Allowing readers to choose which security and privacy advantages they want. If I want privacy and security, I'll choose the onion service. If I want security only, I'll take the HTTPS road only.

For a publication that openly supported the Iraq war and all the suffering that entailed for innocent civilians, it's kinda funny that they're suddenly all concerned about people's rights.

The NYT is so pro-establishment it is probably the last site on Earth that would have its domain taken away from them.

The Times has been blocked repeatedly, maybe even semi-permanently, in China. It gets blocked in other countries too, IIRC.

In the U.S., the Times published Chelsea Manning's leaked State Dept documents, it broke the story on Hillary Clinton's email server, it reported the Wikileaks' DNC emails for months up to the US presidential election, and now it aggressively goes after Trump. While it's imperfect, I don't see which part of the establishment it so strongly supports.

>While it's imperfect, I don't see which part of the establishment it so strongly supports.

The State Department. NYT is vital in fabricating the history of conflicts and internal problems that have ever affected the United States.

To name a few: Syria, Iraq, Afghanistan, the War on Drugs, the Indochina wars, Cuba, Mexico, outside-of-country extradition, continual abuse and outright breaking of UN laws and sanctions, etc.

That's not even mentioning their (the NYT) history of character assassination with regards to civil rights leaders, activists, authors, speakers, and alternative thinkers.

...OR you get the Chomsky treatment, and they pretend that you don't exist for a few decades.

I didn't bother with citations, there are plenty to read through with just a cursory search engine query, but since I already invoked the name of the beast, I'll let him tell you about NYT[0].

NYT is systematically biased in who or what it chooses to illuminate for the public to digest. Don't be surprised when they do good by you -- it's all character building -- just like this news that they're embracing tor.

Boy, aren't they just keen!

[0]Noam Chomsky: The New York Times is pure propaganda: https://www.salon.com/2015/05/25/noam_chomsky_the_new_york_t...

> The Times has been blocked repeatedly

.onion is not for sites being blocked in China, you can just use tor and access the nytimes.com web site from there. .onion is for websites that get their domain confiscated by their domain providers or the feds, very unlikely to happen to the NYT. See what happened to sites such as the pirate bay or more recently the neo-nazi site dailystormer https://en.wikipedia.org/wiki/The_Daily_Stormer#Site_hosting...

Trump would disagree.

I don't think he would disagree they are pro-establishment. He'd love them to be taken down though there is no way he could make this happen.

I think it's more that he'd prefer that the media didn't cite "unverified" dossiers that they sourced from Buzzfeed [0], which were produced by a source with ties to the DNC [1][2].

[0]: https://www.nytimes.com/2017/01/23/opinion/why-buzzfeed-news...

[1]: https://www.nytimes.com/2017/01/11/us/politics/donald-trump-...

[2]: http://www.washingtontimes.com/news/2017/oct/24/dnc-clinton-...

LOL. A link to the Washington Times! Good job.

A significant portion of the dossier has been corroborated so far.

The GOP funded it originally.

The FBI funded it after.

In either case, the NYT loves Trump. Their "feud" is for show only. Trump is the establishment.

Got literally any sources?

This is pretty definably public record:


notably: it's not the GOP the organization that initially funded the oppo, but a private news org with conservative leanings. and the FBI did not fund the dossier, but were provided it during its creation. (side note: who cares)

When it comes to corroboration: I would think the special investigation is good enough evidence that the claims of Russian cooperation are being taken seriously, no? Significant is a weasel word but there is actual smoke here.

>I would think the special investigation is good enough evidence that the claims of Russian cooperation are being taken seriously, no?

How would you tell the claims being taken seriously from the investigators trying to use the legal system to get dirt on Donald Trump?

At this point, the investigation has been ongoing for around 10 months, and currently they've only found anything on Paul Manafort, who was Trump's campaign manager for a few months.

The charges against Manafort are essentially failing to disclose lobbying for foreign agents, tax evasion, and money laundering [0]. The lobbying was done while Manafort was working for the Podesta Group, which was founded by Hillary Clinton's campaign manager [1].

On a side note, I find it interesting how Wikipedia doesn't have any information on Manafort's involvement with the Podesta Group.

[0]: https://www.justice.gov/sco

[1]: https://www.politico.com/story/2016/08/podesta-group-paul-ma...

> I'd agree here. There's no reason to discuss politics on HN when there are numerous other places to do so. HN is a forum about technology and the startup world, let's keep it about that.

Not quite. HN is a forum about anything that gratifies intellectual curiosity: https://news.ycombinator.com/newsguidelines.html.

The reason most political stories aren't a good fit here isn't that they aren't about tech or startups (both tech and startups overlap with politics quite a bit). It's because they inevitably lead to battles that destroy what HN is for. We can't be both, the same way a park can't be a war zone.

Not a huge fan of the NYT but this is pretty cool!

Careful, you'll cut yourself on that edge!


Can someone explain... why?

From the article:

> "Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer."

That's still a bit of a non answer. More to the point: Why does a mainstream news outlet care about this small group of people?

What's your working definition of "mainstream news outlet"? I can't think of a reasonable one that precludes them from broadening their reach. And given their size, they are more likely to have the resources to do so.

Also, there are large populations where network monitoring and/or content restrictions are part of everyday life. The New York Times experienced this directly with respect to their iOS app in China.


Edit to add: To turn it around, why shouldn't the NYT do this? That isn't snark: I'm interested in hearing substantial reasons for the skepticism implicit in 'pbarnes_1 original question. Granted, I haven't read all of the comments for this submission, I haven't seen any that convincingly argue this isn't a useful thing.

> What's your working definition of "mainstream news outlet"?

A news outlet with a "one size fits most" attitude. That is, they offer a product which caters to people who could be described as "average". Typically companies focus their energy only on (potential) customers, not those who aren't a good fit for the product in the first place. There probably are more profit-promising people out there for the NYT than those who are somewhat crypto-nerds. They don't like clicking ads, some may even feel uneasy using typical payment methods to buy a subscription.

> Also there are large populations where network monitoring and/or content restrictions are part of everyday life.

yeah, that's reasonable.

is it still paywalled on the onion service?

Comical attempt to give Street cred to the NYT.

Comical how? Check out their tech blog[0]. I'd venture a guess that they are the most technically adventurous news site, if not one of the more open corporations around in regards to trying new technology and writing about the experience. A lot of what they have to say is pretty interesting.

[0] - https://open.nytimes.com/

I agree. NYTimes has led with technical prowess the past few years.

Ah, so disagreement with an administration is what will make everyone eventually to TOR

Nothing to hide except when the wrong guy gets in power then you feel naked

Do you _really_ think the NYT does this out of some specific fear?

And if yes, does their adoption of https in 2014[0] then imply that they were equally suspicious of the previous administration?

[0]: https://open.blogs.nytimes.com/2014/11/13/embracing-https/

Not the NYT itself, no

More likely for users in China etc.

So is it now "guaranteed", that TOR is secure? And how many "guarantees" does one need in order to be "guaranteed" security whilst browsing?

[...]and they provide additional guarantees that readers are connected securely to our website.[...]

Are you just nitpicking the difference between the phrase "provide additional guarantees" and the verb "guarantee"? Why?

> So is it now "guaranteed", that TOR is secure?

Your quote does not imply that

Disable Javascript. Enabling it makes you traceable. Run a Temporary profile in Firefox - otherwise cached images will make you traceable. Connect from your neighbor's wifi (the further from your home the better, really) with a spoofed MAC address running from a write-locked USB live distro - this ensures you're protected from the unknown unknowns.

Or just use the Tor Browser - ideally with the High security setting. Other browsers don't have the same anti fingerprinting and first party isolation defenses.

Then again, with JS disabled your browser fingerprint gets a lot more specific unless your UA is a scrawler bot.

> Run a Temporary profile in Firefox

What're the equivalent or similar features in other browsers (e.g. Chrome)? Incognito mode?

Tor crypto guarantees an E2E connection to an entity possessing a key which matches the onion address which you sought to access. That's a benefit over DNS/TCP/BGP :-)

Using Tor is more secure than not using Tor, no matter how much FUD people try to spread about it.

It's not secure. "Everyone" knows that. Every time a drug market is taken down or a pedophile ring is busted, the investigators from FBI always claim it was some dubious mistake from the admin which led to it. But we all know they have discovered a vulnerability in the TOR protocol but won't disclose it.

Safe browsing guys

//edit: if you want extra security. Launch TOR from a remote desktop. And I am not talking about the ones you buy from known VPN providers like NordicVPN or amazon web services.

I guess I'm not everyone. I'd bet that the majority of the 'busts' are due to:

a) Infiltrating chats where people are more likely to share sensitive information / trust the people they're talking to

b) Poor configurations/ setups on either the client or server (client browser bundle has noscript, but it's not on the strictest settings, js is enabled iirc)

c) Exploitation of client or server due to out of date versions, things like that

Historically I think it's always fallen into one of these cases - and not just what the FBI etc say publicly but we've seen these exploits ITW. I wouldn't be surprised if the NSA and other agencies have the power to deanonymize TOR users but if it were trivial why is the majority of TOR traffic still going towards illegal content? Last I read (a paper a year ago) TOR is still primarily all about drugs, followed by child pornography (mostly drugs though iirc). If they can track all of these people by breaking TOR completely... why don't they?

^ This.

Remember, Silk Road was finally found and taken down because Ross Ulbricht messed up his OpSec on a Stack Overflow question.

That's really interesting, does anyone have a link to an explanation about this?

Wow. That was 4 years ago?

Here’s a Reddit discussion: https://www.reddit.com/r/webdev/comments/1nln17/the_stackove...

Basically, he posted to Stack Overflow using his own name and email address with code that Silk Road was using. He quickly changed his username, but it was too late.

> But we all know they have discovered a vulnerability in the TOR protocol but won't disclose it.

Can you provide evidence for this claim? I'm a huge conspiracy nut, this has me excited.

You don't need anything that isn't already publicly available: see every security bug reported on the mailing list, and reliable hop tracing via coordinated parties recording traffic (Tor's version of Bitcoin's 51% problem).

That said, it's still the most reliable limited-anonymity provider I know of.

> //edit: if you want extra security. Launch TOR from a remote desktop. And I am not talking about the ones you buy from known VPN providers like NordicVPN or amazon web services.

No, if you want extra security use Qubes OS with Whonix (it comes with it by default) for isolating the Tor process in a single VM and the browser in another - thereby prohibiting any leaks, unless an adversary has a VM escape RCE.

what about Tails?

>But we all know they have discovered a vulnerability in the TOR protocol but won't disclose it.

Really? Perhaps you could explain how every single one of us found out it is true? Maybe every single one of us has a friend working in the NSA who was willing to tell us, even though he could go to jail for giving away such a secret?

Or maybe you are just making things up.

lmao, this is complete BS. sure it's not perfect and some nodes get compromised. no nation or three letter agency has cracked tor. prove me wrong
