Tor's Fall Harvest: The Next Generation of Onion Services

218 points by jerheinze over 7 years ago

13 comments

nikcub over 7 years ago
If you are looking for a practical use of hidden services: we use them as ingress for Docker and K8 management.

You start a container that runs just tor with a config and can read the routing endpoints from your config, or link to localhost:2375

HiddenServicePort <onion port> <host>:<port>

You set up HiddenServiceAuthorizeClient with stealth auth type and a list of authorized clients.

You can lock your firewall rules down as the hidden service only requires outbound to HTTPS.

On the client end you set up regular Tor with HidServAuth <onion address> <auth-cookie>

With stealth auth other tor users won't see the service and port published without the auth cookie.

You can then use socat to bind the remote hidden service and port to a local host and port:

socat tcp-l:2023,bind=127.0.0.1,fork socks4a:localhost:onionaddr.onion:23,socksport=9050

You then have the remote ssh server available locally with no public interfaces, no public ports, and an additional layer of confidentiality and authentication.
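
A configuration check for the setup nikcub describes above, as an added example that is not part of the thread: it parses a torrc and reports every onion service that is not protected by stealth client authorization. The option names are the ones quoted in the comment; the sample config, its paths and its client names are constructed.

```python
SAMPLE_TORRC = """\
# Constructed sample config; paths and client names are made up.
HiddenServiceDir /var/lib/tor/docker_mgmt
HiddenServicePort 2375 127.0.0.1:2375
HiddenServiceAuthorizeClient stealth ops1,ops2
HiddenServiceDir /var/lib/tor/ssh
HiddenServicePort 23 127.0.0.1:22
HiddenServiceAuthorizeClient basic ops1
HiddenServiceDir /var/lib/tor/k8s_api
HiddenServicePort 6443 127.0.0.1:6443
"""


def parse_services(torrc_text):
    """Group Hidden* options under the HiddenServiceDir line that precedes them."""
    services, current = [], None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()  # torrc option names are case-insensitive
        if key == "hiddenservicedir":
            current = {"dir": value, "ports": [], "auth": None, "clients": []}
            services.append(current)
        elif current is not None and key == "hiddenserviceport":
            current["ports"].append(value)
        elif current is not None and key == "hiddenserviceauthorizeclient":
            auth, names = (value.split(None, 1) + ["", ""])[:2]
            current["auth"] = auth.lower()
            current["clients"] = [n.strip() for n in names.split(",") if n.strip()]
    return services


def audit(torrc_text):
    """Return (service_dir, problem) pairs for services without stealth client auth."""
    findings = []
    for svc in parse_services(torrc_text):
        if svc["auth"] is None:
            findings.append((svc["dir"], "no HiddenServiceAuthorizeClient line"))
        elif svc["auth"] != "stealth":
            findings.append((svc["dir"], f"auth type is '{svc['auth']}', not stealth"))
        elif not svc["clients"]:
            findings.append((svc["dir"], "stealth auth with an empty client list"))
    return findings


if __name__ == "__main__":
    for service_dir, problem in audit(SAMPLE_TORRC):
        print(f"{service_dir}: {problem}")
```
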

zaroth over 7 years ago
Here's a question I have on this -- I've been eagerly awaiting the new functionality to have onion addresses where using them doesn't reveal their existence. So the address itself becomes a form of shared key.

But this opens another possibility of one-time addresses, and address scalability. My question is, does network cost increase with number of addresses? If peers on the network are using one-time addresses to form circuits, will that scale fine?

Basically I am envisioning two people communicating via dedicated addresses for their own use only. So a single key becomes a network channel to send data to a specific peer. That "peer" could actually be many different devices, but all ultimately connect to the same distributed application with a shared state.

So basically onion addresses are usernames which also let you pipe data to that user, right? How is this not the coolest thing ever?

schoen over 7 years ago
I decided this was just the right occasion to propose DV certificate issuance for these names:

https://cabforum.org/pipermail/public/2017-November/012451.html

pault over 7 years ago
The issue I've always had with onion addresses is that you can't remember them, which means you need to keep a list of bookmarks saved locally somewhere, which–if you're using tor to avoid prosecution–is pretty incriminating. What's the solution?

jstanley over 7 years ago
> And finally from the casual user's PoV, the only thing that changes is that new onions are bigger, tastier and they now look like this: 7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion. For more information on the nitty-gritty details, please check out our technical specification.

It's a shame they don't have a description for technical users. I'm more interested than "bigger, tastier, and looks like this", but less interested than 13000 words of specification.
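
What the 56-character name quoted in jstanley's comment above encodes, as an added example that is not part of the thread or of Tor's code. It assumes the v3 address layout from Tor's rend-spec-v3 (base32 of a 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte); `CONSTRUCTED_KEY` is a made-up key, not a real service.

```python
import base64
import hashlib


def _checksum(pubkey, version):
    # CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION), first 2 bytes
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_v3(pubkey):
    """Build the .onion name for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey, 3) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_v3(address):
    """Split a v3 name into (pubkey, version, checksum_ok)."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    label = label.split(".")[-1]  # ignore any subdomain labels
    if len(label) != 56:
        raise ValueError("a v3 label is 56 base32 characters")
    raw = base64.b32decode(label.upper())  # ValueError on non-base32 characters
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return pubkey, version, checksum == _checksum(pubkey, version)


PAGE_ADDRESS = "7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion"
CONSTRUCTED_KEY = bytes(range(32))  # constructed, not a real service key

if __name__ == "__main__":
    key, version, ok = parse_v3(PAGE_ADDRESS)
    print("page address: version", version, "key bytes", len(key), "checksum ok", ok)
    addr = encode_v3(CONSTRUCTED_KEY)
    print(addr, parse_v3(addr)[1:])
```

Because the name is the service's public key plus a checksum, a client can reject a mistyped address locally before it ever contacts the network.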

the_stc over 7 years ago
Being undiscoverable is a big help. For our ancillary services, we've taken to using Tor2Web to auth mode HS servers because some random domain is less likely to look interesting for people to poke at. Publishing a .onion, especially with some general-purpose software hosted on it screams that there is something of interest there.

amingilani over 7 years ago
I used to use Tor to bypass censorship on pr0n in my country and ended up trying to run a hidden service for fun. My biggest peeve with it was the domain name. I mean, sure I understand why it isn't human readable but then there are so many ways to counter that. We've got the blockchain and we have the IPFS way to handle these things too.

I'm hoping at some point blockchain DNS systems are adopted by mainstream (or niche in case of Tor) vendors. It would make it so much easier to name onions.

wybiral over 7 years ago
I have mixed feelings about Tor. As a proxy to hide your IP address it makes perfect sense to me.

But what's the end result of hidden services?

I want to be anonymous sometimes but I can't think of a time when I want the host of a service I use to be anonymous.

In most situations their identity is actually important to me. I want to know the source of news, to trust that I'm sending a message to the right person, to trust that I'm not relying on a site run by some kid in her parents' basement.

And I know that legitimate sites can get certs for onions these days (like facebook)... But doesn't that defeat the original purpose of running a hidden service if the purpose is to hide the owner?

flyGuyOnTheSly over 7 years ago
> Get in touch if you'd like to sponsor us to work on onion services to make them faster, slower, or stabler.

That's a strange comment.

Why would they accept money to make the TOR system slower?

MBCook over 7 years ago
Does it fix the LONG standing issue that Dr. Krawetz keeps discussing on his blog that makes it trivial to DOS an onion site? Description in the section about ‘Eddie’.

https://www.hackerfactor.com/blog/index.php?/archives/762-Attacked-Over-Tor.html

deepnotderp over 7 years ago
How about a working implementation of the HORNET paper?

hannaysteve over 7 years ago
The article is really interesting and valid.

tacotornado over 7 years ago
Great story. I love the future.