[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Not comfortable with the new single-hop system merged into Tor

On 20 Dec (23:38:43), hikki@xxxxxxxxxxxxx wrote:
> I just think that this new single-hop system should have been reserved for a 
> different Tor source/installation, dedicated only to non-anonymous hidden 
> services, not merge it with the regular Tor software. And this for security.
> I once witnessed a software (non-Tor related) that had a special function 
> which was disabled by default, but was accidentally enabled due to a bug 
> that occured during special circumstances, causing big trouble for some. In 
> this case it caused a big money loss for some, but with the Tor software we 
> are talking about the lives and wellbeing of humans.
> How do I know that my hidden service is really running anonymously, and not
> with just 1-hop, besides just trusting the config defaults?
> Please prove me wrong. I'm just concerned here, and just want some feedback.
> Thanks for understanding!

Hi Hikki!

Thanks for your input, this is a very legitimate concern and I will try to
address it as much as I can from my Tor developer perspective.

First, we had many discussion about the naming of this configuration option
because we were quite worried that it would be too easy to make a mistake or
enable it because some configuration posted online on a pastebin was setting
it on. This is why we want with the need for _two_ options where one is VERY
obvious that you are going to lose your anonymity.

    HiddenServiceNonAnonymousMode 1

Second, once this is set, multiple things are disabled on your tor because of
safety issues. *All* client side services such as the SocksPort have to be
disabled because that option means that your _entire_ Tor instance goes into
non anonymous mode for hidden service. This is too much of a risk to let users
run client side functionnalities. Tor2Web (which I personally dislike) is
still an option for client to lose their anonymity and thus reach an hidden
service much faster but it's something you have to compile in as a safety
measure which Tor Project does not distribute compiled in.

Third, with a single onion service, you can NOT run a normal onion service on
the same tor instance again for security issues. Once you turn your tor
instance in the "non anonymous mode", it will stay that way unless you mangle
quite a few things which is NOT obvious!

You can also check in your onion service directory that this file is NOT
present "onion_service_non_anonymous" which is put there if tor is configued
for single onion service.

Now to your concern of "What if we have a bug in the code that actually makes
all new onion service become single onion service?"

To be honest, that is the uncertainty of computers and programming that will
probably never go away. It will _always_ be possible that something goes bad
in the code. We have MANY other features and functionnalities in Tor that if
they go bad, it will be worst then having your service become an onion
service. But, this is where I guess people using Tor have to trust a bit the
Tor Project that we did our best for the safety of our users which is the
number *one* priority at all time for us, period.

On a side note: With the next generation onion service (we hope by mid-2017 so
~6 months), every onion service will advertise in its descriptor that it *is*
a single onion service and we hope to make the circuit viewer in Tor Browser
show that when visiting a single onion service.

I hope this help answer some of your concerns!


> -Hikki
> -- 
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Attachment: signature.asc
Description: PGP signature

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to