Tor Hidden Service talk
A few weeks ago I gave a talk covering my experience setting up a hidden service version of knek-tek.me on a Beaglebone Black. The main idea I wanted to get across to the audience was an answer to the question “Why would I want to run a hidden service if I’m not a terrorist?” Tor often gets mentioned in the media only in the context of people doing very bad things, but for people doing very good things or even just very mundane things, Tor and especially the location-hidden service capability has a lot to offer.
View the presentation’s PDF here: Hidden services for newbies
I cover a few famous examples in my talk, specifically Facebook’s creation of a .onion version of their web service which gets nearly 1 million visitors a month (combined with people visiting www.facebook.com over Tor). Aphex Twin released a new album in 2014 that was only available as a .onion link that he posted to twitter.
With the recent removal of privacy protections that would have prevented ISPs from selling their customer’s browsing data, HTTPS is no longer enough to browse the web securely and privately while avoiding marketers. When you use HTTPS, it encrypts the data going between you and the website, however your ISP (and the ISP of the website) can still see that you are visiting that website at that date and time. The only way to get around that is to stay completely within the Tor network, which requires using a hidden service version of the web or internet service you’re accessing- and that is different than just using the Tor browser to visit “regular” sites.
Another issue is cost. The clear web is the commercial web. Setting up a domain in the clear web requires paying a domain name registrar, paying for whois privacy, paying for an SSL certificate to enable HTTPS (unless you use Let’s Encrypt), and possibly paying for web hosting and a static IP address. Contrast that with setting up a .onion: there is no domain registrar to pay since the Tor software automatically generates a .onion address for you, there is no whois directory so your privacy and anonymity are assured by default*, and it is possible to have a 100% free/libre open-source software stack, all the way up and down. The best benefit of all is that no one, even ISPs, can see who is using your service or when.
That service could be a website, which is probably the most common use of a location-hidden service, but it could also be email, ssh access, ftp, telnet, … anything you can do over the internet you can do over Tor, and within Tor using .onion services.
The slides cover more benefits in greater detail and I hope that more people will consider offering a secure, anonymous version of their internet service, whether it is a website or an online game or social media, if for no other reason than to prevent ISPs from selling all our data to marketers.
*although you can still mess those up if you mis-configure your website.