How Secure Is Using ENS for Tor .Onion Addresses?

brantly.eth
8 min read · Sep 19, 2019

As previously announced, the Ethereum Name Service (ENS) now supports the resolution of Tor .onion addresses. This is just another way ENS is supporting things beyond the Ethereum ecosystem.

This is accomplished practically by combining ENS with use of the browser add-on MetaMask in the Tor Browser. You can read more about this setup and how to use it here, and you can find a list of ENS names that resolve to Tor .onion addresses here.

This post is dedicated to answering the important question: How secure is this setup?

If you’re using .onion websites in the Tor Browser, security is likely a high priority for you. Even if this setup makes things more convenient, it wouldn’t be worth it if it significantly compromised user security. This is why Tor .onion addresses don’t use traditional DNS, which is too insecure.

As with any technology, there are security trade-offs with this setup. Perfect security doesn’t exist for any technology. Nonetheless, we believe ENS provides enough security to meet the needs of most Tor .onion users, and that this setup is a working solution to the long-standing Tor .onion naming problem. There are also different configurations users can use that have greater or lesser security. All of this will be explained in this post. And of course, all users use this technology at their own risk.

Four components

There are four major components in this setup which we will examine in turn:

  1. ENS
  2. MetaMask (browser add-on)
  3. Access to the Ethereum blockchain
  4. Tor Browser

ENS

ENS is a naming system that exists solely as a set of smart contracts on the Ethereum blockchain. Both the logic of the naming service and all records are stored on Ethereum. ENS has no servers, and all of its code is open source and available on GitHub.

ENS is a general purpose naming system that can, in principle, provide naming for anything. But for our purposes, it has a record type called Content which supports .onion addresses, among other things.

The native TLD of ENS is .ETH. You don’t have to get anyone’s permission to register a name; you simply have to interact with the ENS smart contracts on Ethereum. Though you can do this directly yourself or use any of a number of services, the easiest way to do this is with our Manager (See: Step-by-Step Guide to Registering a .Eth Name on the New ENS Registrar).

ENS is designed so that cryptographically only the owner of a .ETH name has the capability of setting its records. All records are public on the Ethereum blockchain, so anyone can check the records of any name (e.g. using our Manager).

It’s also possible to register a name, set its records, and then transfer control of the name to an Ethereum address no one controls (e.g. transfer both the Registrant and Controller of a name to “0x000000000000000000000000000000000000dEaD”; this can be done and verified with our Manager). That way, everyone can be certain the records as they currently exist cannot be changed by anyone and so will remain the same.

This is particularly helpful for achieving high security for Tor .onion users, because it can ensure the name won’t be used for phishing (e.g. someone sets a name to resolve to a legitimate .onion address, gains trust of users, then changes the name to resolve to a different .onion address of a phishing site that appears identical to the legitimate .onion website).

In ENS, .ETH names have a yearly registration fee, which for most names is $5. Even if control of a name has been given up, the registration for the name still has to be kept current, or else the name is released. However, ENS is set up so anyone can pay to renew any name to keep a name’s records active, even if they don’t control the name. Registration fees can also be paid ahead as much as you’d like (e.g. you can pay $25 to renew a name for 5 years). How much time is left on a name’s registration is public. You can check to see when a name is set to expire, as well as pay to extend its registration, by looking up the name in our Manager.

What all this means is this: if a .ETH name is registered for a long period of time, if its records are set up correctly, and if control of the name has then been given up, there’s just about no way ENS can go wrong. It can’t be hacked, a government can’t order it to be changed, it can’t be changed by anyone — and thus it can be trusted with highly sensitive tasks like reliably resolving a specific .onion address.
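The three conditions above (long registration, correct records, control given up) can be checked mechanically, together with the record-swap phishing case described earlier. This is an added example, not ENS or MetaMask code: the snapshot field names, the idea of a pinned address and all sample values are assumptions constructed for illustration, and in practice the values would be read from the public ENS records.

```javascript
// Added example. Snapshot fields, the pinned address and sample values are
// constructed for illustration; real values come from the ENS contracts.
const BURN = "0x000000000000000000000000000000000000dEaD"; // from the article
const DAY = 86400, YEAR = 365 * DAY;
const NOW = 1568851200; // 2019-09-19T00:00:00Z, fixed for reproducible output
const ONION_A = "a".repeat(56) + ".onion"; // constructed placeholder
const ONION_B = "b".repeat(56) + ".onion"; // constructed placeholder

// Hex addresses compare case-insensitively; mixed case is only a checksum.
const sameAddr = (a, b) => a.toLowerCase() === b.toLowerCase();
// Shape check only: 16 (v2) or 56 (v3) base32 characters plus ".onion".
const ONION_RE = /^([a-z2-7]{16}|[a-z2-7]{56})\.onion$/;

// pinned: the .onion address recorded when the name was first trusted.
function auditName(snap, pinned, nowSec, minYearsLeft = 1) {
  const findings = [];
  if (!sameAddr(snap.registrant, BURN))
    findings.push("registrant is not the burn address");
  if (!sameAddr(snap.controller, BURN))
    findings.push("controller is not the burn address");
  const left = snap.expires - nowSec;
  if (left <= 0) findings.push("registration has expired");
  else if (left < minYearsLeft * YEAR)
    findings.push(`registration ends in ${Math.floor(left / DAY)} days`);
  if (!ONION_RE.test(snap.content))
    findings.push("content record is not a .onion address");
  else if (pinned && snap.content !== pinned)
    findings.push("content record differs from the pinned address");
  return { name: snap.name, ok: findings.length === 0, findings };
}

const SAMPLE_LOCKED = {
  name: "locked-example.eth", registrant: BURN,
  controller: BURN.toLowerCase(), expires: NOW + 5 * YEAR, content: ONION_A,
};
const SAMPLE_HELD = {
  name: "held-example.eth",
  registrant: "0x" + "11".repeat(20), controller: "0x" + "11".repeat(20),
  expires: NOW + 30 * DAY, content: ONION_B,
};

for (const s of [SAMPLE_LOCKED, SAMPLE_HELD])
  console.log(JSON.stringify(auditName(s, ONION_A, NOW)));
```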

There are only two other possible ways an ENS record could be changed in such a scenario, both low probability events: First, if the root key holders of ENS decided to redeploy a whole new ENS for the purpose of making a change to that one ENS record — which is highly unlikely, and a power they will soon be giving up anyway. Second, if the entire Ethereum community decided to hard fork the entire Ethereum blockchain for the purpose of making a change to that one ENS record — which is even more unlikely, to say the least. And if something like either of these things ever happened, it would be such big news you’d hear about it (neither could be done easily, quickly, or covertly), with plenty of time to adjust accordingly.

MetaMask

The Tor Browser doesn’t have native support for ENS, so that functionality has to come from a browser add-on, in this case MetaMask.

MetaMask is an open source browser add-on that enables a normal web browser to interact with the Ethereum blockchain. You can use it to manage an Ethereum wallet, interact with Ethereum dapps (decentralized apps), submit transactions, and more. It also supports ENS.

For our purposes, MetaMask is the component that recognizes that you’ve typed in an ENS name in the URL field, prevents the browser from either pinging DNS or running a search, and checks the ENS records for the given ENS name, specifically the Content record. If it finds a .onion address, then it simply enters that into the URL bar, after which the Tor Browser navigates to it normally.

To use this setup, you of course have to trust MetaMask’s code (as well as make sure you downloaded the real MetaMask add-on, and not a spoof). MetaMask could be compromised to do something malicious, whether it is to provide you with an incorrect .onion address or spy on you. But its open-source nature makes this highly unlikely. MetaMask is widely used and its code is open for inspection, contribution, or forking on GitHub.

For higher security, the Tor Browser team could include the same functionality currently provided by MetaMask into the Tor Browser natively (even using the MetaMask codebase), but for now you have to use MetaMask.

Access to the Ethereum blockchain

This is the part where users have some choices to make regarding security vs. convenience.

MetaMask has to have access to an Ethereum node in order to look up the ENS records for ENS names. There are three options of how to do this, with different trade-offs:

First, you can use a service. This is less secure but highly convenient.

MetaMask defaults to accessing the Ethereum blockchain via a service called Infura. Infura runs a number of Ethereum full nodes and allows people to interact with them via its API. This involves a certain level of trust. Infura is a well-known, trusted company in the space, so for most users leaving MetaMask on its default of using Infura should be good enough.

Second, you can run your own full node. This has the highest security but is less convenient.

You can run a full node with a program like Grid, which lets you choose from a few implementations, or run a full node implementation like Geth directly.

Running your own Ethereum full node provides you with the highest possible security for access to the Ethereum blockchain, since you will have a full copy on your local machine and be a full member of the network.

Syncing a full node can take a few days depending on your machine and connection (more on resource requirements here), but once it’s up-to-date it doesn’t take too much to maintain. Once you have a full node synced, you simply select in MetaMask for it to use your own local node as its connection to the Ethereum network, rather than its default service.

Users who have the highest security needs should run their own full node.

Third, you can run a light client. An Ethereum light client stores far less information than full nodes, and so is easier to run, while still maintaining very high security.

The Ethereum light client space is mostly experimental right now, so this is not a viable option at the moment. But in the future, it should be possible for users to run a light client instead of a full node, or even for the Tor Browser to come with an Ethereum light client built-in, which could be both highly secure and very convenient.

Tor Browser

This is the last step in the process. If the ENS name and record have been set up properly, if MetaMask is installed and working correctly, and you have reliable access to the Ethereum blockchain, the Tor Browser takes it from there and is what actually navigates you to the .onion site, just as it normally would if you had typed in the .onion address manually.

Conclusion

We believe this setup is secure enough for most users of Tor .onion websites and thus is a working solution to the long-standing naming problem for Tor .onion websites.

Anyone can set up an ENS name to resolve to a Tor .onion address (how to do that is explained here). But to demonstrate this feature and to get people using it, we have set up some ENS names to resolve to useful .onion websites, listed here.

There are also ways the Tor Browser team could make this setup even more secure. As mentioned previously, the Tor Browser team could choose to integrate the functionality of MetaMask natively into the Tor Browser, and even provide a native means for accessing the Ethereum blockchain (such as a built-in light client, or an API service maintained by the Tor Project). But that’s up to the Tor Browser team. We’re open to serving them and the greater Tor community however we can.

If you’d like to contact us, you can email us at brantly@ens.domains, or ping us in our Gitter channel or forum.
