If you are running an onion service but don't need to hide the server IP, like you do if you also provide clearnet access to the same server, you should enable single hop mode [0] to reduce the load on the Tor network and also speed up the connections. This way your server directly connects the introduction and rendezvous points while the client still stays anonymous with a 3 hop circuit.<p>[0]: Search for HiddenServiceSingleHopMode on <a href="https://2019.www.torproject.org/docs/tor-manual.html.en" rel="nofollow">https://2019.www.torproject.org/docs/tor-manual.html.en</a> or just use the following config options<p>SOCKSPort 0<p>HiddenServiceNonAnonymousMode 1<p>HiddenServiceSingleHopMode 1
> Using onion services mitigates attacks that can be executed by possibly-malicious “Tor Exit Nodes” — which, though rare, are not nonexistent<p>Is there any evidence that the majority of exit nodes aren't malicious? There's only 300 or so in the US, 300 or so in Germany, and in other countries even less. What would it take for three letter agencies to compromise most of it?<p>I mean, suppose all of the existing nodes weren't malicious. Could a government agency plausibly run 1000 exit nodes in a way that doesn't give away they are government-run? This would make the majority of exit nodes malicious.
It is possible to advertise your .onion address and offer automatic redirect to it for Tor Browser users using the "Onion-Location" HTTP header. Example with my personal home page:<p><pre><code> $ curl -I https://pablo.rauzy.name/
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 10 Mar 2022 14:04:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2843
Last-Modified: Sun, 23 Jan 2022 22:21:41 GMT
Connection: keep-alive
Onion-Location: http://c2fk5i7jqn7am7nfo7eb7hwrkclyj3jj4qcwgdh6ievp7v5ie4gd3mid.onion/
</code></pre>
It would be interesting to try to see if the Tor Browser has a TOFU policy and warn its user if the onion address change after they visited the site once.<p>If it is the case then you combine the ease of access of typing a normal domain name and the Onion security through an HSTS equivalent mechanism.
I think the avoiding exit nodes part is probably the most important to me. Exit nodes have always been problematic - from memory about 20% of relays have an exit flag but most of the traffic is directed to the most performant relays. Tor actively discourages using the network for file sharing because of the exit node bottleneck.<p>I think there are probably some uses of the Tor network that aren't fully realised yet - file sharing (something similar to I2P) which avoids the exit node using onion addressing and chat applications (like Briar which uses onion addresses, or Secure Scuttlebutt).<p>As for web traffic, it is nice to offer an onion address. I wonder if websites could offer an "upgrade" to onion addresses, similar to how IPFS does?
I think some comments here are misunderstanding the intent of the
article. For those saying TLS already solves... it is not advocating
Tor as a replacement for transport layer security, indeed most Tor
users also use TLS (and site certs) with little overhead.<p>No, the article is asking how you could, as a website owner, make
things easier on Tor users and yourself! It starts with the assumption
that you care, and want to help users who require better privacy.<p>It answers, though not in detail, the many HN readers who invariably
post replies concerning Tor that "All my abuse comes through Tor".<p>Creating an .onion address mitigates that significantly.
This article beats around the bush but never explains why Onion addresses solve these issues.<p>From Wikipedia:<p>> Addresses in the onion TLD are […] automatically generated based on a public key when an onion service is configured.<p>> 256-bit ed25519 public key along with a version number and a checksum of the key and version number<p>That's all you need to know.
> The first benefits are authenticity and availability: if you are running Tor Browser and if you click/type in exactly the proper Onion address, you are guaranteed to be connected to what you expect — or not at all.<p>What? Writing raw onion addresses is like writing raw IPv6 addresses. Nobody can remember then and check them.<p>What is easier<p>> <a href="https://nytimes.com" rel="nofollow">https://nytimes.com</a><p>or<p>> ej3kv4ebuugcmuwxctx5ic7zxh73rnxt42soi3tdneu2c2em55thufqd.onion
> “.onion” address demands that the person is using a TorBrowser<p>Actually this is not true. Tor runs as SOCKS5 proxy, and you can use any browser or application with it.
I think the only legit reason (assuming your clearnet site is using HSTS) is that .onion site reduces the risks of users screwing up. And i suppose better performance if you don't have to use exit bandwidth (i would guess, dont actually know)<p>Users are bad at security. If they fail to set up tor, .onion links don't work, so it acts as a barrier against users shooting themselves in the foot.<p>This is counterbalanced by higher phishing risks.
Most of the technical points listed here are pretty much entirely mitigated by TLS. Exit nodes can of course deny access to specific sites, but hidden services suffer from comparable (or worse) issues.<p>There are no other practical attacks that malicious exit nodes could execute against sites using TLS and HSTS preload lists. If you’re a website administrator, fixing those things should be your priority before implementing onion addresses.<p>Onion addresses also come with slight drawbacks. They’re difficult for users and more vulnerable to phishing. Hidden services are also extremely vulnerable to CPU-based DoS attacks.
It's much harder to deanonymize people who are connecting to hidden services because they don't have to use exit relays which are often illegal to run.