Which vps hoster allows tor hidden services?
- Thread starter peterw
- Start date
Most providers don't have any issues with entry relays and transit relays. It's the exit relays that many people do not allow and it's the exit relays that contains the biggest risk.
Some providers would prefer to stay away from that headache all-together and therefore could ban the use of TOR in general.
Personally, I find it's applicability and it's reasoning, but I feel that it's abused way too much that I'd prefer not to support it. But hey awesome for those who do!
Some providers would prefer to stay away from that headache all-together and therefore could ban the use of TOR in general.
Personally, I find it's applicability and it's reasoning, but I feel that it's abused way too much that I'd prefer not to support it. But hey awesome for those who do!
As long as it's not an exit node, I' m okay with it. As Half Eaten Pie was saying, this is pretty much standard for most hosts. Although it does bring on a whole new set of possible abuse that would normally not be there.
Some providers will allow TOR, but not IRC, go figure.
Some providers will allow TOR, but not IRC, go figure.
No one outside of your VPS knows it's hosting a hidden service.
(but of course it's still a VPS, so the provider can dig in and find out).
E.g. a web server HS will typically consist of:
1) a web server listening on 127.0.0.1 only, on a random port of your choice, for example 8080
2) Tor configured in client mode (i.e. not even a relay, and certainly not exit)
3) couple of lines in torrc.
https://www.torproject.org/docs/tor-hidden-service.html.en
From outside there is no weird network activity of any sort from/to your VPS, what the world sees is just another end-user machine connected to the Tor network.
There is no reason whatsoever for providers to forbid the set-up described above, that's why you find nothing about it in TOS/AUP.
(but of course it's still a VPS, so the provider can dig in and find out).
E.g. a web server HS will typically consist of:
1) a web server listening on 127.0.0.1 only, on a random port of your choice, for example 8080
2) Tor configured in client mode (i.e. not even a relay, and certainly not exit)
3) couple of lines in torrc.
https://www.torproject.org/docs/tor-hidden-service.html.en
From outside there is no weird network activity of any sort from/to your VPS, what the world sees is just another end-user machine connected to the Tor network.
There is no reason whatsoever for providers to forbid the set-up described above, that's why you find nothing about it in TOS/AUP.
Last edited by a moderator:
Aldryic C'boas
The Pony
Considering how easy TOR has been to compromise lately, and the hosts taken down simply for (knowing and unknowingly) hosting .onion sites.. I'm surprised more providers don't have issue with allowing hidden sites. Aye, at the moment we only specifically prohibit exit nodes; but I've been putting some pressure on Fran to have the .onion sites prohibited as well.
What are you talking about? Hope you aren't referring to the Firefox exploit
And the DoD funds roughly 40% of the money TOR receives.
Last edited by a moderator:
nunim
VPS Junkie
Exploit - http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/
The government provides 60% of Tor's budget - 2012-TorProject-Annual-Report
Rob Graham, the CEO of penetration testing firm Errata Security, told Ars Technica that he ran a “hostile” exit node on Tor and found that 76 percent of the nearly 23,000 connections he tracked used a form of the 1024-bit Diffie-Hellman key.
http://rt.com/usa/tor-anonymity-easily-compromised-researcher-537/
A book I read on the Conflicker worm said the NSA would have no trouble decrypting a 4096-bit private key for controlling the botnet, so I wouldn't put 1024 with weak encyption past their super computers.
Last edited by a moderator:
Yeah let's pile up meaningless unrelated facts together, maybe it'll somehow make sense, and equally uneducated people even start clicking "thankies".
1) Exploit in Firefox, not Tor. Nothing to do with soundness of Tor itself.
2) Government grants are a part of the Tor's funding. And...? It's not developed behind closed doors and then you get a binary and that's it. Nope, the full source code is open, and with this being "the" most high-profile anonymization network and with people using it for serious stuff (and others trying to deanon them), do you honestly think any on-purpose backdoor would survive for long.
3) Users are careless and their various software (which they choose to use over Tor) uses outdated short keys. Again, zero relation to any characteristic of Tor itself.
1) Exploit in Firefox, not Tor. Nothing to do with soundness of Tor itself.
2) Government grants are a part of the Tor's funding. And...? It's not developed behind closed doors and then you get a binary and that's it. Nope, the full source code is open, and with this being "the" most high-profile anonymization network and with people using it for serious stuff (and others trying to deanon them), do you honestly think any on-purpose backdoor would survive for long.
3) Users are careless and their various software (which they choose to use over Tor) uses outdated short keys. Again, zero relation to any characteristic of Tor itself.
Aldryic C'boas
The Pony
There was an exploit in Solus, not in CVPS's nodes (supposedly)... but that didn't make the mass wipe any less effective. In this case, TOR was indeed vulnerable due to a tool used to access it. Just because that FF hole was the actual exploit didn't make a difference to the end result.
That's also only a single exploit - assuming there are no others would be rather foolhardy.
TOR wasn't vulnerable, only an old firefox version if you were using Windows. And I fail to see the point of your analogy.
It makes every difference, the hole was in a piece of software running on a specific OS, none of which is required to use TOR.
Example, Using any broswer on OSX/Linux and the exploit wouldn't have worked. So how is it a TOR exploit?
Last edited by a moderator:
drmike
100% Tier-1 Gogent
I conceptually like ToR. But the funders aren't exactly the pillars of humanity, freedom and privacy.
No one has mentioned the lacking number of exit nodes and those nodes potentially being rogue, monitored, etc. Especially where an organized entity controlled enough of those exit nodes. Still relative? I suspect it is. SSL on ends going to keep folks secure, umm yeah, expect that to be back doored at official issuers. Unofficial self generation, well if using open source, maybe secure. Commercial closed certs, compromised.
Something here, obviously older:
http://www.theregister.co.uk/2007/11/23/tor_abuse/
I like the dialogue on this topic, even if we don't all agree. All bound to learn something new.
No one has mentioned the lacking number of exit nodes and those nodes potentially being rogue, monitored, etc. Especially where an organized entity controlled enough of those exit nodes. Still relative? I suspect it is. SSL on ends going to keep folks secure, umm yeah, expect that to be back doored at official issuers. Unofficial self generation, well if using open source, maybe secure. Commercial closed certs, compromised.
Something here, obviously older:
http://www.theregister.co.uk/2007/11/23/tor_abuse/
I like the dialogue on this topic, even if we don't all agree. All bound to learn something new.
If you want to talk about TOR exploits, I'd look into correlation and Sybil attacks. I'm not to worried about javascript browser exploits aimed at Windows.
http://wwwcip.informatik.uni-erlangen.de/~spjsschl/i2p.pdf
I still have an issue with the DoD having their hand and who knows what else in TOR.
http://wwwcip.informatik.uni-erlangen.de/~spjsschl/i2p.pdf
I still have an issue with the DoD having their hand and who knows what else in TOR.
Last edited by a moderator:
Aldryic C'boas
The Pony
Point of the analogy is, regardless of the method of entry, services that were supposed to be 'hidden' and 'secure' were not. To simplify - if your apartment door is barred, but someone gets in through the window, your apartment was still compromised. I never said TOR was responsible for the hole - I said it was affected.
That statement alone should completely counteract any claim you can make to TOR's security. Related reading: www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security - specifically the following:
Yes, but saying it was the front doors (Tor) fault would be insane, when it was clearly due to negligence of the window security (firefox/windows). Give credit where credit is due, and don't pass false blame, it usually leads to FUD and avoiding the real issues.
The issue isn't with TOR, but with people not understanding that Tor is meant for anonymity, security is still the respobility of the user. Tor is one tool that should be used in conjunction with other methods. Ditching Windows, and disabling Javascript, etc.
drmike
100% Tier-1 Gogent
That's security through obscurity basically. It is far more commonplace than even the crypto experts know. Follow the underwriting dollars through the standards orgs and universities. It's all over the place.
Aldryic C'boas
The Pony
Not sure how much simpler I can make it for you. Best suggestion I have is to read what people post more carefully rather than make assumptions of what they mean.
wlanboy
Content Contributer
Let's talk about how TOR is working.
Even if a single entity controls both the entry as well as the exit node for any given connection through the Tor network it doesn't matter.
There are bad guys running Tor nodes, some have been discovered in the past but noone can fully monitor all Tor connections all the time.
Everyone speaking about TOR security flaws is talking about timing attacks from a globally aware scanner. You don't need to compromise exit nodes to do this, and thus it's not a problem with allowing anybody to run nodes.
If I visit a site, while someone owns the entry node and the exit node. The second communication (entry -> relay) is encrypted to the 2nd node's key. How does the entry node know the destination (what exit node is used)?
It doesn't.
If big brother owns entry and exit, it knows someone visited a site by using the timing information, well out of the fact that TOR is a low-latency mixnet. Getting information is possible if you can view the entire internet anyway.
The chance that at least some Tor connections are compromised due to something other than simple software exploits is rather unlikely, but it can happen.
The fact that each single connection is compromised at any given moment is virtually impossible,
So back to the security theorem.
All our security, take GnuPG, ssh keys, SSL, ... is based on carefully selected functions where we do believe it is to complicated to build the inverse function. So cryptology is something like a religion where everyone believes that it is too expensive to guess the right key.
It is all about timing. In X years every laptop can crack up Y bit SHA2 keys.
Back to TOR:
TOR is save if a lot of people are using it. Out of two factors:
1. More nodes reduce the risk to go a bugged route through the TOR net
2. More nodes allow more bandwith and a higher number of routes (relay nodes)
3. More users generate more shadow traffic
Both sound nice, but it is all about making it more complicated.
Back to TOR hidden services:
Because hidden services do not need exit nodes it is even more complicated to trace them. Because you have to control the randomly choosen relay node (which is then the "exit" node) that is contacting the hidden service. It is all within TOR.
Best way to make TOR traceable: Fear.
Even if a single entity controls both the entry as well as the exit node for any given connection through the Tor network it doesn't matter.
There are bad guys running Tor nodes, some have been discovered in the past but noone can fully monitor all Tor connections all the time.
Everyone speaking about TOR security flaws is talking about timing attacks from a globally aware scanner. You don't need to compromise exit nodes to do this, and thus it's not a problem with allowing anybody to run nodes.
If I visit a site, while someone owns the entry node and the exit node. The second communication (entry -> relay) is encrypted to the 2nd node's key. How does the entry node know the destination (what exit node is used)?
It doesn't.
If big brother owns entry and exit, it knows someone visited a site by using the timing information, well out of the fact that TOR is a low-latency mixnet. Getting information is possible if you can view the entire internet anyway.
The chance that at least some Tor connections are compromised due to something other than simple software exploits is rather unlikely, but it can happen.
The fact that each single connection is compromised at any given moment is virtually impossible,
So back to the security theorem.
All our security, take GnuPG, ssh keys, SSL, ... is based on carefully selected functions where we do believe it is to complicated to build the inverse function. So cryptology is something like a religion where everyone believes that it is too expensive to guess the right key.
It is all about timing. In X years every laptop can crack up Y bit SHA2 keys.
Back to TOR:
TOR is save if a lot of people are using it. Out of two factors:
1. More nodes reduce the risk to go a bugged route through the TOR net
2. More nodes allow more bandwith and a higher number of routes (relay nodes)
3. More users generate more shadow traffic
Both sound nice, but it is all about making it more complicated.
Back to TOR hidden services:
Because hidden services do not need exit nodes it is even more complicated to trace them. Because you have to control the randomly choosen relay node (which is then the "exit" node) that is contacting the hidden service. It is all within TOR.
Best way to make TOR traceable: Fear.
KVChosting
New Member
Why do you need hidden service?
peterw
New Member
If you want to leak information but don't want to go to jail? Or if you live in a country where making jokes about the president or the leading party can kill you.