100% anonymous onion hidden service?

postcd Member

When one has a home computer or a VPS in a datacenter and wants to host an .onion website (HTTPS enforced) on it, is there 100% anonymity, so that the destination IP of the server is not discovered even if the person who wants to find the IP has access to the exit node that transacted encrypted data between the relay and the hidden (or not hidden at this point) service? Why is it not anonymous, and how can it be anonymous? Thank you

Comments

  • @postcd said:
    When one has a home computer or a VPS in a datacenter and wants to host an .onion website (HTTPS enforced) on it, is there 100% anonymity, so that the destination IP of the server is not discovered even if the person who wants to find the IP has access to the exit node that transacted encrypted data between the relay and the hidden (or not hidden at this point) service? Why is it not anonymous, and how can it be anonymous? Thank you

    Unfortunately, what you've found is the one big weakness in Tor. When data goes through exit nodes, it can leave unencrypted, since you're leaving the Tor network.

    You're not going to get any more encrypted unless your visitors use https (through the Tor network).

  • eKo Member

    hello,

    as far as i know, only Facebook onion got https (which got issued just for them). so clearly it is not possible to use https on an onion website for all others, in fact that can be useless due to the nature of tor and its encryption mechanisms.

    link-1 https://www.reddit.com/r/TOR/comments/1bxw2n/how_to_enable_sslhttps_for_onion_domains/

    link-2 https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

    all depends on what you will be hosting on that hidden service, what scripts, etc.
    those scripts particularly could unmask your real server/vps ip address, etc.

    Have fun with this article:
    https://riseup.net/en/security/network-security/tor/onionservices-best-practices

    Cheers.

  • i don't get it? a tor service does not cross the exit at all, and while tracing is possible under some circumstances it is hard to impossible unless you have insane resources available (think gov, and then only for very specific things and not some imageboard or some crap).

    Pay your server by BTC and order via Tor and you'll be rather unlikely to be ever traced - especially as any abuse or similar is likely a long time after order, and then the circuit is not to be traced anymore.

    Thanked by 3netomx jvnadr doghouch
  • You don't need HTTPS (connection is already encrypted), but you can use a self-signed certificate. You can run your onion site in a VM and only allow connections to/from another VM that serves as a gateway. You can furthermore play with the Tor settings for enhanced anonymity.

    There's your 100% secure, anonymous, impossible to hack onion.

    Thanked by 1postcd
  • @4n0nx said:
    You don't need HTTPS (connection is already encrypted), but you can use a self-signed certificate. You can run your onion site in a VM and only allow connections to/from another VM that serves as a gateway. You can furthermore play with the Tor settings for enhanced anonymity.

    There's your 100% secure, anonymous, impossible to hack onion.

    That's a really big NOT true. As the posts stated earlier, traffic outside the Tor network (which gives you anonymity to your own identity ONLY) can be sniffed, or MITMed if both entrance/exit have been tapped.

    HTTPS is always better as it 'at least' encrypts end-client to server requests, instead of transferring them in plain.

  • rm_ IPv6 Advocate, Veteran

    doghouch said: When data goes through exit nodes, it can leave unencrypted

    lifehome said: That's a really big NOT true. As the posts stated earlier, that traffics outside Tor network(

    Guys if you're way too retarded to even know what an ONION HIDDEN SERVICE is, then kindly, do not post your bullshit in this thread.

  • GCat Member

    @lifehome said:

    @4n0nx said:
    You don't need HTTPS (connection is already encrypted), but you can use a self-signed certificate. You can run your onion site in a VM and only allow connections to/from another VM that serves as a gateway. You can furthermore play with the Tor settings for enhanced anonymity.

    There's your 100% secure, anonymous, impossible to hack onion.

    That's a really big NOT true. As the posts stated earlier, traffic outside the Tor network (which gives you anonymity to your own identity ONLY) can be sniffed, or MITMed if both entrance/exit have been tapped.

    HTTPS is always better as it 'at least' encrypts end-client to server requests, instead of transferring them in plain.

    You took retard to a whole new level, Hidden Services (.onion) do not go through exit nodes.

    Let me enlighten you with pictures:

    It's pretty simple; for details on how they operate: https://www.torproject.org/docs/hidden-services.html.en

    You do not need https on an onion service as it's already encrypted; the only reason Facebook did it with their onion service is to prove their legitimacy for onion services. I'd only ever recommend using an SSL certificate on Tor if you're a big company like Facebook. As per "impossible to track, secure, anonymous": yes, it is hard to track and locate onion services, but it is by no means impossible. I think Silk Road really proves that, among other HS that have been taken down; if the cops really want your onion service down, they will find a way to do it and find you. You can only take basic precautions such as ordering with bitcoin, and using Tor to order, but even that won't protect you if you make an opsec failure.

    tl;dr: you're an idiot, don't run a hs

    Thanked by 2netomx rm_
  • GCat said: I think Silk Road really proves that

    They were busted differently, other services have been busted by exploiting a backend server and connecting outwards or tracing an outwards connection.

    Can be avoided, but ultimately you only shift the focus - Force outbound of a VM via Tor avoids the connection issue if hacked, pay anonymously, use political also to advantage (while it sounds objectively strange, a Russian court and similar is rather unlikely to deliver data to the US and obviously even more in reverse plus even if there are treaties and similar outside of EU and dependent countries (under full control but theory-independent, eg. US->Samoa) these take years to do anything).

    Thanked by 2GCat Inglar
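
The isolation described in the posts above (the site in a VM that may only talk to a Tor gateway VM, so a compromised backend cannot connect outwards directly) can be checked against the web VM's firewall dump. This is an added example, not code from any poster; the addresses, rulesets and function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed iptables-save dumps from the web VM (addresses are made up).
GATEWAY_IP = "10.0.0.1"  # assumed address of the Tor gateway VM

WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.0.1/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def _value(tokens, flag):
    """Argument that follows `flag`, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None


def audit_egress(ruleset, gateway_ip):
    """List every way the web VM could send packets anywhere but the gateway."""
    gateway = ipaddress.ip_network(gateway_ip)
    findings, in_filter, policy_seen = [], False, False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":OUTPUT "):
            policy_seen = True
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(f"OUTPUT policy is {policy}, expected DROP")
            continue
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "OUTPUT"] or _value(tokens, "-j") != "ACCEPT":
            continue
        if "!" in tokens:
            findings.append(f"negated match, review by hand: {line}")
        elif _value(tokens, "-o") == "lo":
            continue  # loopback traffic never leaves the VM
        else:
            dst = _value(tokens, "-d")
            if dst is None or ipaddress.ip_network(dst, strict=False) != gateway:
                findings.append(f"egress allowed beyond gateway: {line}")
    if not policy_seen:
        findings.append("no OUTPUT policy found in *filter table")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_egress(rules, GATEWAY_IP) or "no findings")
```

IPv6 has its own ruleset, so the same check has to be run on the `ip6tables-save` dump as well.
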
  • GCat Member

    @William said:

    GCat said: I think Silk Road really proves that

    They were busted differently, other services have been busted by exploiting a backend server and connecting outwards or tracing an outwards connection.

    Can be avoided, but ultimately you only shift the focus - Force outbound of a VM via Tor avoids the connection issue if hacked, pay anonymously, use political also to advantage (while it sounds objectively strange, a Russian court and similar is rather unlikely to deliver data to the US and obviously even more in reverse plus even if there are treaties and similar outside of EU and dependent countries (under full control but theory-independent, eg. US->Samoa) these take years to do anything).

    Yeah, I was only listing them as an example that busting has happened before, only one I could remember off the top of my head. But yes, it's very possible if a government agency wants to track and put a stop to your hidden service, they're going to figure out where it is and who you are, it isn't a question of if but when.

  • @GCat said:

    @William said:

    GCat said: I think Silk Road really proves that

    They were busted differently, other services have been busted by exploiting a backend server and connecting outwards or tracing an outwards connection.

    Can be avoided, but ultimately you only shift the focus - Force outbound of a VM via Tor avoids the connection issue if hacked, pay anonymously, use political also to advantage (while it sounds objectively strange, a Russian court and similar is rather unlikely to deliver data to the US and obviously even more in reverse plus even if there are treaties and similar outside of EU and dependent countries (under full control but theory-independent, eg. US->Samoa) these take years to do anything).

    Yeah, I was only listing them as an example that busting has happened before, only one I could remember off the top of my head. But yes, it's very possible if a government agency wants to track and put a stop to your hidden service, they're going to figure out where it is and who you are, it isn't a question of if but when.

    I agree on William's stance, but on your stance on the government catching you: it only happens when you make a mistake, so any hs that has been alive for a long time will have a pretty good sysadmin behind it ensuring his safety. Then you've got guys like pirate who has his btc linked and then gets arrested.

  • GCat Member

    @Domin43 said:

    @GCat said:

    @William said:

    GCat said: I think Silk Road really proves that

    They were busted differently, other services have been busted by exploiting a backend server and connecting outwards or tracing an outwards connection.

    Can be avoided, but ultimately you only shift the focus - Force outbound of a VM via Tor avoids the connection issue if hacked, pay anonymously, use political also to advantage (while it sounds objectively strange, a Russian court and similar is rather unlikely to deliver data to the US and obviously even more in reverse plus even if there are treaties and similar outside of EU and dependent countries (under full control but theory-independent, eg. US->Samoa) these take years to do anything).

    Yeah, I was only listing them as an example that busting has happened before, only one I could remember off the top of my head. But yes, it's very possible if a government agency wants to track and put a stop to your hidden service, they're going to figure out where it is and who you are, it isn't a question of if but when.

    I agree on William's stance, but on your stance on the government catching you: it only happens when you make a mistake, so any hs that has been alive for a long time will have a pretty good sysadmin behind it ensuring his safety. Then you've got guys like pirate who has his btc linked and then gets arrested.

    But we have to take a look at reality here: eventually, even if you have a team of sysadmins protecting your server and you have no known vulnerabilities, who knows what could happen. All it takes is 1 mistake, and since in reality you're not going to have it managed and monitored 24/7, all it takes is 1 mistake.

  • sman Member

    If you want to know if something is secure then look at what the NSA is trying to shut down or has shut down such as TrueCrypt. I think they are also trying to shut down Tor or are at least very concerned about it.

  • sman said: I think they are also trying to shut down Tor or are at least very concerned about it.

    They are not and don't have the ability to either at this time, it being cross financed by the Navy and being used by special operations and other agencies (you can bet on that...) make it highly unlikely as well.

  • sman Member

    @William said:

    sman said: I think they are also trying to shut down Tor or are at least very concerned about it.

    They are not and don't have the ability to either at this time, it being cross financed by the Navy and being used by special operations and other agencies (you can bet on that...) make it highly unlikely as well.

    Are we talking about the same thing? I am talking about this.
    https://www.torproject.org/

  • William Member
    edited August 2016

    sman said: Are we talking about the same thing?

    1.8m$ from the US gov in 2013 - https://www.theguardian.com/technology/2014/jul/29/us-government-funding-tor-18m-onion-router

    2014 was somewhere around 2.4mil, with 90% of that + from US gov or US gov related.

    Sourced from DoD and DoS indirect, direct from DoD and the NSF.

  • sman Member

    @William said:

    sman said: Are we talking about the same thing?

    1.8m$ from the US gov in 2013 - https://www.theguardian.com/technology/2014/jul/29/us-government-funding-tor-18m-onion-router

    2014 was somewhere around 2.4mil, with 90% of that + from US gov or US gov related.

    Sourced from DoD and DoS indirect, direct from DoD and the NSF.

    That is odd that some US gov't entities are funding it (probably to encourage freedom of speech in places like China, Russia, and Iran) while the NSA is trying to break it for totally different reasons.

  • Francisco Top Host, Host Rep, Veteran

    @William said:

    sman said: Are we talking about the same thing?

    1.8m$ from the US gov in 2013 - https://www.theguardian.com/technology/2014/jul/29/us-government-funding-tor-18m-onion-router

    2014 was somewhere around 2.4mil, with 90% of that + from US gov or US gov related.

    Sourced from DoD and DoS indirect, direct from DoD and the NSF.

    Doesn't the US government (un)officially run a large amount of the exit nodes, meaning they're able to track users as they go in/out of their nodes?

    Maybe I'm thinking of the Chinese and bitcoin miners.

    Francisco

  • I do remember there being some large thing about the US government running exit nodes. They aren't donating for free speech, I can tell you that much.

  • Francisco said: Doesn't the US government (un)officially run a large amount of the exit nodes, meaning they're able to track users as they go in/out of their nodes?

    Not really, the exits are pretty evenly spread between US and EU ISPs currently if we assume 80/443 as used port, and around same split in private and org ones - largest being a few VPN providers and TorServers.

    daily said: I do remember there being some large thing about the US government running exit nodes. They aren't donating for free speech, I can tell you that much.

    They have no influence how this money is/was used, it is essentially cash given to the foundation.

  • of course it's possible to track it with sufficient effort, it's a packet switched network, there has to be some kind of address information in the packets. Even though it is encrypted while in the onion network and stripped at the exit there is still a time coincident path to follow, and the encrypted traffic still has routing info.

  • mycosys said: of course it's possible to track it with sufficient effort, it's a packet switched network, there has to be some kind of address information in the packets

    There are some theories to that, i have a few also that work pretty well on paper but need high (but not impossible, and partly proven to exist for a few agencies) resources.

    Eg. given enough traffic moved on one side (fake clients) you can dump foreign exchanges/transit ports and trace the amount of traffic fluctuating to specific networks (a time based attack as hard method, or a traffic marked - not possible with current Tor version AFAIK - as easy) to see a possible backend host (has flaws and i also have theories to avoid it). The scope of the agencies with this access is however not your average drug market (they most likely sell on that anyway with just 1 or 2 connections away) or illegal porn, these are clearly focused on terrorism (definition partly questionable) and more interesting things (read: war and infowar). Sort-of legitimate governments also need to explain the source of material used in convictions, which makes it hard to give this info to an agency that cares/has the constitutional contract to execute unless you can come up with a 100% "legit" backdated story.

  • postcd Member
    edited August 2016

    @William said:
    Pay your server by BTC and order via Tor and you'll be rather unlikely to be ever traced

    To not be traced i need to not connect to the server (SSH, control panel) from anything other than Tor/SSH via Tor, i assume.. right? That may not be convenient.

    I assume there are not many providers who are cost-effective (OVH, online.net..) and do not use Maxmind and other anti-proxy/anti-Tor protections. (See my other topic: https://www.lowendtalk.com/discussion/77567/proxy-registration-allowed-provider )

    @lifehome and @GCat
    traffics outside Tor ... can be sniffed, or MITMed if both entrance/exit has been tapped.
    HTTPS is always better as it 'at least' encrypt end-client to server requests, instead of transferring it in plain.

    in case the destination is not a hidden service and someone owns both the exit and relay (entrance) node, he may (not sure) know from where to where traffic goes, and thanks to the exit node he may know the content because of non-encrypted traffic (if HTTPS connections are not used)..?
    In case a hidden service is the target and it is protected from leaking information, they would need to find a flaw/hole in Tor to discover the physical location of the HS, i assume. So after all we can say that a Tor hidden service is not anonymous no matter what its admin does? Is there any anonymous way to run a home server?

  • postcd said: To not be traced i need to not connect to the server (SSH, control panel) from anything other than Tor/SSH via Tor, i assume.. right? That may not be convenient.

    I assume there are not many providers who are cost-effective (OVH, online.net..) and do not use Maxmind and other anti-proxy/anti-Tor protections. (See my other topic: https://www.lowendtalk.com/discussion/77567/proxy-registration-allowed-provider )

    hm? SSH does not need speed and is secure, you can just chain Tor+I2P+public VPN+hacked proxy and the chance of trace is near the absolute zero by pure technicalities.

    Use resellers.

    postcd said: in case the destination is not a hidden service and someone owns both the exit and relay (entrance) node, he may (not sure) know from where to where traffic goes, and thanks to the exit node he may know the content because of non-encrypted traffic (if HTTPS connections are not used)..?

    no? How would he? He does not own the relay nodes (at least 1, likely 2, configurable up to 5+) and the traffic passes through them, what you mean is a network size attack which is - at this time - not easily possible as a large amount of new nodes would get marked and ultimately disabled (see Lizardsquad with the carded Google cloud instances).

    postcd said: So after all we can say that a Tor hidden service is not anonymous no matter what its admin does? Is there any anonymous way to run a home server?

    The fuck? It's as anonymous as it gets, if you want more buy a sat dish and move to the Sahara - Sat can only be traced to a beam spot, in KU Band that's like 100km+ radius.

    Thanked by 1postcd
  • Actually, scrap that sat unless you live in a large area with limited access (like Mosul or Erbil) - while the sat provider can only trace the connection to the beam a local plane could detect outbound signals and triangulate them down, as could a bunch of high set up probes locally.

    As before - There is no perfect security in anything, you just higher the probability of issues and thus the cost and time involved.

    Thanked by 1postcd
  • hzr Member

    postcd said: So after all we can say that a Tor hidden service is not anonymous no matter what its admin does? Is there any anonymous way to run a home server?

    What do you think you can infer if your server has its network port disabled temporarily, and your hidden service just so happens to go down at the exact same time? Or your hidden service always goes down when there's a complaint about a specific datacentre or ISP having problems?

  • Neoon Community Contributor, Veteran
    edited August 2016

    @hzr said:

    Dafuq, don't buy shit. Normally you have a good uptime in case it goes down.
    Move your private key, put the server online again within 30 seconds, so it won't have the same pattern as an outage at your ISP. Simple.

  • postcd Member
    edited August 2016

    @Neoon said:
    Move your private key, put the server online again within 30 seconds, so it won't have the same pattern as an outage at your ISP.

    How can you measure how much time is too much to match the ISP outage?
    When running a hidden service from home i would plan on getting a router that would join multiple ISP connections to preserve uptime. What do you mean by moving the key in 30 seconds?

    @hzr said:
    if your server has its network port disabled temporarily, and your hidden service just so happens to go down at the exact same time?

    by network port you mean connectivity broken on the ISP side? If there is some clever watcher who watches ISP downtimes, how can he still match my location while the ISP is serving many, many thousands of people?

    Or your hidden service always goes down when there's a complaint about a specific datacentre or ISP having problems?

    Maybe solution to have multiple ISP connectivity with quick failover done on the router side

  • Neoon Community Contributor, Veteran

    @postcd said:
    How can you measure how much time is too much to match the ISP outage?
    When running a hidden service from home i would plan on getting a router that would join multiple ISP connections to preserve uptime. What do you mean by moving the key in 30 seconds?

    You don't need to measure it, just create a failover; the private key authenticates you as the owner of the .onion domain. If your downtime is shorter than the ISP outage, the outage has a different pattern and is harder to match.

    Thanked by 1postcd
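
The outage-pattern exchange between hzr, postcd and Neoon above can be put into numbers as an operator's self-check of their own uptime log against their provider's outage windows. This is an added example, not code from any poster; every timeline, name and threshold in it is constructed. It measures two things separately: how much downtime is shared, and how many downtimes begin at the same moment as a provider outage.

```python
# Constructed timelines in seconds since an arbitrary epoch: (start, end).
PROVIDER_OUTAGES = [(1000, 2800), (50000, 51200), (90000, 93600)]
UNRELATED_MAINTENANCE = [(70000, 70300)]  # downtime with no provider cause


def downtime_without_failover(outages):
    """The service is unreachable for as long as its uplink is down."""
    return sorted(outages + UNRELATED_MAINTENANCE)


def downtime_with_failover(outages, takeover=30):
    """A standby holding the same private key answers after `takeover` seconds."""
    short = [(s, min(e, s + takeover)) for s, e in outages]
    return sorted(short + UNRELATED_MAINTENANCE)


def overlap_fraction(service_down, provider_down):
    """Share of provider outage time during which the service was also down."""
    total = sum(e - s for s, e in provider_down)
    shared = sum(max(0, min(e1, e2) - max(s1, s2))
                 for s1, e1 in service_down
                 for s2, e2 in provider_down)
    return shared / total if total else 0.0


def onset_matches(service_down, provider_down, tolerance=60):
    """Provider outages followed within `tolerance` seconds by a service drop."""
    return sum(any(0 <= s1 - s2 <= tolerance for s1, _ in service_down)
               for s2, _ in provider_down)


def exposure(service_down, provider_down):
    """Both measures together, for one uptime log."""
    return {
        "overlap": overlap_fraction(service_down, provider_down),
        "onsets": onset_matches(service_down, provider_down),
        "provider_outages": len(provider_down),
    }


if __name__ == "__main__":
    plain = downtime_without_failover(PROVIDER_OUTAGES)
    failover = downtime_with_failover(PROVIDER_OUTAGES)
    print("no failover :", exposure(plain, PROVIDER_OUTAGES))
    print("30s failover:", exposure(failover, PROVIDER_OUTAGES))
```

On this constructed data the failover cuts the shared downtime from all of the provider's outage time to about 1.4% of it, while all three downtimes still start together with a provider outage.
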