
This article is obviously written by someone that doesn't know what they're talking about.


This is not a "0day".

>As it turns out, this is an open secret among the internet service community: You are not anonymous on Tor.

Careful there with the big assertions.

>The last hop is the exit node. It can see all of your decrypted network traffic.

I thought we were talking about onion services here, why the subtle context switch? Does the author even know that onion services don't use exit nodes at all?

>(Don't assume that HTTPS is keeping you safe.)


>One claimed to see over 70% of all internet traffic worldwide. Another claimed over 50%

The key word here is "claimed".

>If you're a low volume hidden service, like a test box only used by yourself, then you're safe enough. But if you're a big drug market, counterfeiter, child porn operator, or involved in any other kind of potentially illegal distribution, then you may end up having a bad day.

I like how the author assumes that these are the only two uses of Tor.

>you simply need a list of known onion services

Good luck getting that with v3 addresses (unless the author of the service has poor OPSEC).

Not to mention that Tor has provided many fixes for the DDoS issues, but the author obviously didn't mention them.

>>(Don't assume that HTTPS is keeping you safe.)


Because HTTPS depends on certificate authorities, and CAs depend on coercible companies, which depend on governments not molesting them.

The existence of QUANTUM INSERT and FOXACID attacks shows CA-based authentication is weak (either due to their keys being compromised or coerced). DigiNotar also got pwned.

Strong authentication is one of the unrivaled advantages to onion addresses in Tor.

The CIA also advocates to not solely rely on TLS for transport encryption: https://news.ycombinator.com/item?id=24426818

That's all true. But surely that's not specific to Tor, is it?

The author is salty that Tor would not fix a "bug" of being able to tell a publicly listed Tor Node is a Tor Node.

> Does the author even know that onion services don't use exit nodes at all?

Does this mean that traffic correlation and confirmation attacks cannot be performed on users of hidden services?

No, those attacks still work. Traffic correlation and timing attacks don't actually interact with Tor at all; while a Tor exit relay is a good spot to be in for one (if you're targeting streams that use it), all you need is two vantage points that uniquely identify the network route as a whole. So e.g., the client and server's respective ISPs, or in the case of an onion service, both guard relays. GP is correct though, onion service connections are e2e encrypted, there's no vantage point on the network that sees any plaintext or TLS client traffic. The author of this blog clearly has no idea what they're talking about.
