Onion Synopsis for Susan Hennessey

Notes

Text Begins

  • Tor Onion Services (not necessarily “Hidden”) are a novel and under-used security technology which, like all other security tools, offers complementary security value for implementing secure network communications in a “defence in depth” style.
  • Credentials: I implemented the Facebook Onion Site; since that time I have worked on the open-source “Enterprise Onion Toolkit” (EOTK) which quickly and simply enables sites to add Onion addresses to augment their existing WWW website.
  • Why would this be useful? As I have been quoted in the Guardian recently:
“[Criticism of Tor is actually] about whether we want to permit people to have:
* secure
* robust
* DDOS-resistant
* highly-available
…communication mechanisms which are not referent to some central authority, ie without someone being able to shut them down. All the qualities I cite above are ones which would be highly desirable in enterprise contexts.
So: the ‘Dark Web’, far from how it is usually painted, is in this case merely providing the manner of security and robustness which costs other organisations considerable amounts of money.”
  • The original source quote continues:
“You’ll note that I haven’t said “secret” or “anonymous” because we know exactly who the DailyStormer people are, and they are most certainly not being secretive.

…just to drive home the “this is not about anonymity” point.

Simply, [the blog post is] as short-sighted as any other perspective that sees Onion networking as an anonymity tool, rather than as a better-than-mere-TCP+SSL mechanism for providing communications privacy, integrity, availability and assurance.
In case those terms need spelling out:
* onions provide circuit-level privacy on-par with the likes of VPNs, but without the setup hassle.
* ditto, providing integrity at the circuit level, thereby inhibiting the likes of (say) “sslstrip”
* availability of a service; I’m finding it interesting to consider that the TCP/IP Internet requires the existence of companies (mentioning no names) to provide DDoS mitigation, but sites which set up with Onion addresses are getting comparable levels of DDoS mitigation for free. Tor blockproofing and (importantly) Onion DDoS-protection is pretty good.
* assurance: if you can type in the (static) Onion address, you know immediately with whom you are communicating.
Proposals to undermine these qualities in the name of $GOAL are on-par with Law Enforcement demands for “golden keys” to undermine the integrity of end-to-end encrypted conversations.
Practical example: the point of the Facebook onion site is to provide the above-listed four benefits — plus a better quality of service — to people who choose to access Facebook over Tor; the point is to free the communications path from mediation of any form. To see this as a threat, or to argue that “well maybe $THIS_SITE is okay, but $THAT_SITE should not be afforded such protection” — is to call for censorship.
  • In summary: Tor is a free tool which provides “the common man” — or even a major corporation — with means to robust communication without intermediation. The overall question is one of morality, viz: is there security which is “too good” to be permitted to the common man? I strongly believe that our last year of argument re: E2E messaging has adequately addressed that issue.
  • Perhaps you are looking for specific “instance” use-cases; they exist, but of course are more prone to nitpicking than demonstrating the abstraction of “Tor is an immensely useful security tool.”
  • If I were forced to pick one as a strawman, I would suggest a newspaper in an oppressive country, at risk of takedowns from a corrupt government with its fingers in the DNS, at risk of blocking from state ISP firewalls, at risk of connection tampering or interception at national network egress points, and without the budget to engage (or legally prohibited from using) Cloudflare. Adding an onion address can and would mitigate all of those risks.
  • But then: would that analogy be to your taste? Perhaps if the newspaper was in (for instance) Turkey or Iran?

Followup Tweets

Observations from https://twitter.com/meejah

  • If someone gets “http://timaq4ygg2iegci7.onion” from me, they can be assured they’re getting authentic txtorcon documentation and software
  • Users of https://tahoe-lafs.org can provide storage-services via onions and not worry about NAT penetration issues
  • Users of https://crossbar.io can provide RPC and PubSub services where users are assured of who they’re talking to, avoid NAT issues, etc
  • Users of https://onionshare.org/ can exchange files easily while being assured of whom they’re talking to, avoid NAT issues, etc
  • Users of http://magic-wormhole.io can set up secure links between each other without revealing their location to the rendezvous server
  • The above are concrete examples of what @AlecMuffett outlined in his post: onion services aren’t *just* about location-anonymity
  • Why should “stable Internet presence” (which isn’t actually stable: DNS can be spoofed/taken away/etc) be a prerequisite for communicating?

Comment from Ben Laurie

  • Ben noted: On assurance: what you know is which key you are talking to, not whom.
  • I responded: Yes, Ben, that is perfectly correct; my unstated simplification is to assume unique possession of the key and also a tight binding between key and {person, organisation}; I feel this is fairer & tighter than afforded by the combo of IP, BGP and DNS. [edit: & SSL, for completeness]
  • In short / less technically, Onion Networking adds “security value” which does not depend upon third parties — value which is of comparable, even equal or greater, worth than the sum of several extant technologies which address the same problem space on the TCP/IP Internet.