amuck-landowner

Which vps hoster allows tor hidden services?

peterw

New Member
I read some AUP and TOS and I did not find any section about tor hidden services. Is this a good or a bad sign?

What do providers think about tor hidden services?
 

HalfEatenPie

The Irrational One
Retired Staff
Most providers don't have any issues with entry relays and transit relays.  It's the exit relays that many people do not allow and it's the exit relays that contains the biggest risk.  

Some providers would prefer to stay away from that headache all-together and therefore could ban the use of TOR in general.  

Personally, I find it's applicability and it's reasoning, but I feel that it's abused way too much that I'd prefer not to support it.  But hey awesome for those who do!  
 

terafire

New Member
Verified Provider
As long as it's not an exit node, I' m okay with it. As Half Eaten Pie was saying, this is pretty much standard for most hosts. Although it does bring on a whole new set of possible abuse that would normally not be there.

Some providers will allow TOR, but not IRC, go figure.
 

rm_

New Member
No one outside of your VPS knows it's hosting a hidden service.

(but of course it's still a VPS, so the provider can dig in and find out).

E.g. a web server HS will typically consist of:

1) a web server listening on 127.0.0.1 only, on a random port of your choice, for example 8080

2) Tor configured in client mode (i.e. not even a relay, and certainly not exit)

3) couple of lines in torrc.

https://www.torproject.org/docs/tor-hidden-service.html.en
 

From outside there is no weird network activity of any sort from/to your VPS, what the world sees is just another end-user machine connected to the Tor network.

There is no reason whatsoever for providers to forbid the set-up described above, that's why you find nothing about it in TOS/AUP.
 
Last edited by a moderator:

Aldryic C'boas

The Pony
Considering how easy TOR has been to compromise lately, and the hosts taken down simply for (knowing and unknowingly) hosting .onion sites.. I'm surprised more providers don't have issue with allowing hidden sites.  Aye, at the moment we only specifically prohibit exit nodes;  but I've been putting some pressure on Fran to have the .onion sites prohibited as well.
 

nunim

VPS Junkie
http://rt.com/usa/tor-anonymity-easily-compromised-researcher-537/

What are you talking about?

And the DoD funds roughly 40% of the money TOR receives.
Exploit - http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/

The government provides 60% of Tor's budget - 2012-TorProject-Annual-Report


Rob Graham, the CEO of penetration testing firm Errata Security, told Ars Technica that he ran a “hostile” exit node on Tor and found that 76 percent of the nearly 23,000 connections he tracked used a form of the 1024-bit Diffie-Hellman key.
http://rt.com/usa/tor-anonymity-easily-compromised-researcher-537/

A book I read on the Conflicker worm said the NSA would have no trouble decrypting a 4096-bit private key for controlling the botnet, so I wouldn't put 1024 with weak encyption past their super computers.
 
Last edited by a moderator:

rm_

New Member
Yeah let's pile up meaningless unrelated facts together, maybe it'll somehow make sense, and equally uneducated people even start clicking "thankies".

1) Exploit in Firefox, not Tor. Nothing to do with soundness of Tor itself.

2) Government grants are a part of the Tor's funding. And...? It's not developed behind closed doors and then you get a binary and that's it. Nope, the full source code is open, and with this being "the" most high-profile anonymization network and with people using it for serious stuff (and others trying to deanon them), do you honestly think any on-purpose backdoor would survive for long.

3) Users are careless and their various software (which they choose to use over Tor) uses outdated short keys. Again, zero relation to any characteristic of Tor itself.
 

Aldryic C'boas

The Pony
1) Exploit in Firefox, not Tor. Nothing to do with soundness of Tor itself.
There was an exploit in Solus, not in CVPS's nodes (supposedly)... but that didn't make the mass wipe any less effective.  In this case, TOR was indeed vulnerable due to a tool used to access it.  Just because that FF hole was the actual exploit didn't make a difference to the end result.

That's also only a single exploit - assuming there are no others would be rather foolhardy.
 

Cloudrck

Member
Verified Provider
There was an exploit in Solus, not in CVPS's nodes (supposedly)... but that didn't make the mass wipe any less effective.  In this case, TOR was indeed vulnerable due to a tool used to access it.  Just because that FF hole was the actual exploit didn't make a difference to the end result.

That's also only a single exploit - assuming there are no others would be rather foolhardy.
TOR wasn't vulnerable, only an old firefox version if you were using Windows. And I fail to see the point of your analogy.

It makes every difference, the hole was in a piece of software running on a specific OS, none of which is required to use TOR.

Example, Using any broswer on OSX/Linux and the exploit wouldn't have worked. So how is it a TOR exploit?
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
I conceptually like ToR.  But the funders aren't exactly the pillars of humanity, freedom and privacy.

No one has mentioned the lacking number of exit nodes and those nodes potentially being rogue, monitored, etc.  Especially where an organized entity controlled enough of those exit nodes.  Still relative? I suspect it is.  SSL on ends going to keep folks secure, umm yeah, expect that to be back doored at official issuers.  Unofficial self generation, well if using open source, maybe secure.  Commercial closed certs, compromised.

Something here, obviously older:

http://www.theregister.co.uk/2007/11/23/tor_abuse/

I like the dialogue on this topic, even if we don't all agree.  All bound to learn something new.
 

Aldryic C'boas

The Pony
And I fail to see the point of your analogy.
Point of the analogy is, regardless of the method of entry, services that were supposed to be 'hidden' and 'secure' were not.  To simplify - if your apartment door is barred, but someone gets in through the window, your apartment was still compromised.  I never said TOR was responsible for the hole - I said it was affected.

I still have an issue with the DoD having their hand and who knows what else in TOR.
That statement alone should completely counteract any claim you can make to TOR's security.  Related reading: www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security - specifically the following:

Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

"Eventually, NSA became the sole editor," the document states.
 

Cloudrck

Member
Verified Provider
Point of the analogy is, regardless of the method of entry, services that were supposed to be 'hidden' and 'secure' were not.  To simplify - if your apartment door is barred, but someone gets in through the window, your apartment was still compromised.  I never said TOR was responsible for the hole - I said it was affected.

That statement alone should completely counteract any claim you can make to TOR's security.  Related reading: www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security - specifically the following:
Yes, but saying it was the front doors (Tor) fault would be insane, when it was clearly due to negligence of the window security (firefox/windows). Give credit where credit is due, and don't pass false blame, it usually leads to FUD and avoiding the real issues.


The issue isn't with TOR, but with people not understanding that Tor is meant for anonymity, security is still the respobility of the user. Tor is one tool that should be used in conjunction with other methods. Ditching Windows, and disabling Javascript, etc.
 
  • Like
Reactions: rm_

drmike

100% Tier-1 Gogent
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.



"Eventually, NSA became the sole editor," the document states.
That's security through obscurity basically.  It is far more commonplace than even the crypto experts know.  Follow the underwriting dollars through the standards orgs and universities.  It's all over the place.
 

wlanboy

Content Contributer
Let's talk about how TOR is working.

Even if a single entity controls both the entry as well as the exit node for any given connection through the Tor network it doesn't matter.

There are bad guys running Tor nodes, some have been discovered in the past but noone can fully monitor all Tor connections all the time.

Everyone speaking about TOR security flaws is talking about timing attacks from a globally aware scanner. You don't need to compromise exit nodes to do this, and thus it's not a problem with allowing anybody to run nodes.

If I visit a site, while someone owns the entry node and the exit node. The second communication (entry -> relay) is encrypted to the 2nd node's key. How does the entry node know the destination (what exit node is used)?

It doesn't.

If big brother owns entry and exit, it knows someone visited a site by using the timing information, well out of the fact that TOR is a low-latency mixnet. Getting information is possible if you can view the entire internet anyway.

The chance that at least some Tor connections are compromised due to something other than simple software exploits is rather unlikely, but it can happen.

The fact that each single connection is compromised at any given moment is virtually impossible,

So back to the security theorem.

All our security, take GnuPG, ssh keys, SSL, ... is based on carefully selected functions where we do believe it is to complicated to build the inverse function. So cryptology is something like a religion where everyone believes that it is too expensive to guess the right key.

It is all about timing. In X years every laptop can crack up Y bit SHA2 keys.

Back to TOR:

TOR is save if a lot of people are using it. Out of two factors:

1. More nodes reduce the risk to go a bugged route through the TOR net

2. More nodes allow more bandwith and a higher number of routes (relay nodes)

3. More users generate more shadow traffic

Both sound nice, but it is all about making it more complicated.

Back to TOR hidden services:

Because hidden services do not need exit nodes it is even more complicated to trace them. Because you have to control the randomly choosen relay node (which is then the "exit" node) that is contacting the hidden service. It is all within TOR.

Best way to make TOR traceable: Fear.
 
Top
amuck-landowner