Next-Generation Hidden Services in Tor

I haven't seen this mentioned on here before. I heard about this project earlier this year on a podcast. I pulled part of the show notes: https://www.grc.com/sn/SN-596-Notes.pdf

Later this year, Tor's "Dark Web Technology" will become even darker. The change will prevent "discovery" of otherwise unknown hidden services.

Normally Internet traffic jumps visibly from one router to the next, and it's entirely traceable.

So the TOR project (originally an acronym for The Onion Router) started off by implementing a layered encrypted "onion" of data packets which allowed multiply-encrypted traffic to converge into a subset of the internet's routers -- the Tor network -- to emerge elsewhere and to thwart tracing specific traffic.

Client traffic would ultimately emerge back out onto the public network... where it could be seen.

So "Tor Hidden Services" were invented to allow the TOR network to CONTAIN the end-services that Tor users might wish to visit.

Without knowing a hidden service's address, it has been possible for hackers, law enforcement, security firms, snoops and others to discover those services independently.

A study shared at last year's DefCon revealed that more than 100 of the 3,000 hidden service directories were apparently being used to spy on the network.

Developers involved with Tor have said "The only people who should know about your hidden service are the people you tell about it. While that's a pretty simple concept, it's currently not true."

The next generation of hidden services will use a new method to protect the secrecy of those addresses. Instead of declaring their onion address to hidden service directories, these hidden services will, instead, derive a cryptographic key from the onion address, and THAT derived key will be placed into Tor's hidden service directories. Then, any Tor user who KNOWS the name of the hidden service they want can perform that same derivation to check the key and route themselves to the correct hidden service.

Since the hidden service directory cannot derive the onion address from the key, only those who know the hidden service's key can discover the hidden service's address.

As Tor Project co-founder Nick Mathewson said: "The Tor network isn't going to give you any way to learn about an onion address you don't already know."

The next generation of hidden services will also switch from using 1024-bit RSA encryption keys to shorter but tougher-to-crack ED25519 elliptic curve keys.

These changes also mean that hidden service URLs will change, too, from 16 characters to 50. But Nick argues that change doesn't affect the dark web addresses' usability since they're already too long to memorize.

I checked out the Tor Project website, and it looks like the hidden services team is getting close to implementing this. https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt
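The derivation described in the show notes can be modelled with Ed25519 key blinding, the mechanism proposal 224 specifies. The following is an added example, not part of the original post and not Tor's code: the service and a client who knows the service's public key both arrive at the same per-period directory key, while the directory only ever sees the blinded value. The hash input layout, the function names and the sample secret are assumptions made for illustration.

```python
import hashlib

# Standard Ed25519 curve constants.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of base point B
D = -121665 * pow(121666, -1, P) % P

def add(a, b):
    """Twisted Edwards point addition (affine, not constant time)."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

# Base point B: y = 4/5, x is the even square root of (y^2 - 1)/(D*y^2 + 1).
BY = 4 * pow(5, -1, P) % P
XX = (BY * BY - 1) * pow(D * BY * BY + 1, -1, P) % P
BX = pow(XX, (P + 3) // 8, P)
if (BX * BX - XX) % P:
    BX = BX * pow(2, (P - 1) // 4, P) % P
B = (P - BX if BX & 1 else BX, BY)

def encode(pt):
    """32-byte point encoding: y plus the low bit of x in the top bit."""
    return (pt[1] | (pt[0] & 1) << 255).to_bytes(32, "little")

def blind_factor(pub, period):
    # Assumed hash input layout, for illustration; proposal 224 defines its own.
    h = hashlib.sha3_256(b"blind" + encode(pub) + period.to_bytes(8, "big"))
    return int.from_bytes(h.digest(), "little") % L

def service_directory_key(secret, period):
    """Service: blind the private scalar, then compute its public key."""
    pub = mul(secret, B)
    return mul(blind_factor(pub, period) * secret % L, B)

def client_directory_key(pub, period):
    """Client: blind the public key it already knows from the onion address."""
    return mul(blind_factor(pub, period), pub)

DEMO_SECRET = int.from_bytes(hashlib.sha256(b"demo").digest(), "little") % L  # constructed
```

The blinding factor is a hash over the unblinded public key, so a directory holding only the blinded key has nothing to compute it from, and the key changes with every period number.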


Comments


[4 Points] PM_ME_UR_SKETCH:

Hey more security more better right?


[4 Points] ObviouslyShill:

Agora rises again.


[1 Points] jarxlots:

Still protects routing information to the point that those using your service can be identified by the key used to derive the address. Still traceable, just not as openly 'discoverable'.

But I'll wait for them to release so I can more accurately criticize.


[0 Points] Ceilingbricks:

nice. not cool that pedos can hide easier.