Does anyone want to vouch for view (A) ? Note that view (A) is currently enshrined in the ethics guidelines. The following are currently in conflict with (A):<span></span><div><br><div>* the largest tor2web nodes</div><div>* MEMEX and other government programs</div><div>* beloved metrics applications like OnionStats</div><div><br></div><div>-V<br><div><div><br>On Tuesday, 19 July 2016, Nurmi, Juha <<a href="mailto:juha.nurmi@ahmia.fi">juha.nurmi@ahmia.fi</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hi,</div><div><br></div><div>Virgil pointed out several good points with onion search engines.</div><div><br></div><div>1) Anonymous vs. hidden</div><div><br></div><div>>>> Whereas some would say Tor users are "anonymous", others would instead say any and everything Tor is "private". I believe this needs to be clarified.</div><div><br></div><div>I am publishing a paper about my onion service experiment: I deployed 100 onion servers and followed TCP traffic to these services. As a result, they got accessed by multiple different scanners (curl, wget, browser, scrapers, ssh). This means that some people do HSDir harvesting and scan onions.</div><div><br></div><div>2) Search engines can efficiently map content</div><div><br></div><div>>>> For what it's worth, <a href="http://ahmia.fi" target="_blank">ahmia.fi</a> actually supports regex searching right out of the box. In fact, a single line of JSON spits out all known bitcoin addresses ahmia knows about.</div><div><br></div><div>At the moment I have no public documentation how to use regex search but Ahmia supports this feature. Is this good or not? I know that Google has disabled these kind of features because privacy issues.</div><div><br></div><div>3) Is a web-site a public place?</div><div><br></div><div>>>> Here's how I currently see this. I put on my amateur legal hat and say, "Well, the Internet/world-wide-web is considered a public space. Onion-sites are like the web, but with masked speakers."</div><div><br></div><div>Good point! I think you are right.</div><div><br></div><div>Best,</div><div>Juha</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 7, 2016 at 9:28 AM, Virgil Griffith <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','i@virgil.gr');" target="_blank">i@virgil.gr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span><div>> you might want to remove the client IP address (X-Forwarded-For) from HTTP headers </div><div><br></div></span><div>Agreed! And yes we already remove x-forwarded-for.</div><div><a href="https://github.com/globaleaks/Tor2web/blob/master/tor2web/t2w.py#L701" target="_blank">https://github.com/globaleaks/Tor2web/blob/master/tor2web/t2w.py#L701</a></div><div><br></div><div>I recall that the very, very beginning we had a python proxy library automatically adding x-forwarded-for, but once we realized it was doing that we corrected it. FWIW, it was actually Aaron who wrote that code ;)</div><div><br></div><div>AFAIK Tor2web hasn't leaked any privacy-invading headers for sometime. If ones are discovered they would be fixed ASAP.</div><span><div><br></div><div><br></div><div>> Is the opt-out permanent, or does your server re-check every time it connects?</div><div>> I can imagine there being issues with either model - one involves storing a list, the other, regular connections.</div><div><br></div></span><div>I don't know. This is Google/Bing's department. Do we have someone on list familiar enough with either? If I were to guess the Googley/Bingy-way of doing this, I'd imagine them storing the list, and then when crawling the site again they'd do a HEAD request to see if the /robots.txt has changed. And if the /robots.txt has changed, to overwrite their stored list.</div><span><div><br></div><div><br></div><div>> I am disappointed that we have a Tor2web design where Tor2web needs to connect to a hidden service first, then check if it has given permission for Tor2web to connect to it.</div><div><br></div></span><div>/robots.txt isn't a permission to "connect to", it's a permission to crawl/index. I'm aware of no standard within or outside of Tor to say whether node A has permission to connect to node B. If such a standard or even unofficial exists I'm down for spending some weekends implementing it.</div><span><div><br></div><div>> I am also disappointed that this only works for HTTP onions on the default port 80.</div><div><br></div></span><div>I agree completely. But if the issue is operator privacy, isn't it even *better* that tor2web only works for port 80? As an aside, there is tor2tcp at: <a href="https://cryptoparty.at/tor2tcp" target="_blank">https://cryptoparty.at/tor2tcp</a></div><span><div><br></div><div><br></div><div>> I am also concerned about threat models where a single unwanted connection, or a number of unwanted connections, are security factors.</div><div>> For example:</div><div>> Imagine there is an (unknown) attack which can determine 1 bit of the 1024-bit RSA key per hidden service connection.</div><div>> (Some known attacks on broken crypto systems are like this, as are some side-channels.)</div><div>> Or imagine there is an attack which can determine 1 bit of the IPv4 address per connection.</div></span><span><div>> Is there an alternative to position (A) that supports threat models like this?<br></div><div><br></div></span><div>I don't have a good solution to this. As stated above, I'm aware of no protocol for saying "Please don't connect to me." The security person in me is a little skeptical how useful it would be---if someone wanted to make many connections to learn a private key, I presume she won't be obeying said requests. However, if someone doesn't want to be connected to, upon such a standard existing I would happily abide by it.</div><span><div><br></div><div>> there is also the possibility of exerting social pressure to prevent people from running servers that continually connect to tor hidden services.</div><div><br></div></span><div>The closest things I know of for social pressure are:</div><div><br></div><div>(1) Liberal caching headers in the HTTP response:</div><div><br></div><div>```</div><div>max-age=604800<span style="white-space:pre-wrap"> </span> #can be cached by browser and any intermediary caches for up to 1 week</div><div>```</div><div><br></div><div>(2) In /robots.txt putting long crawl-delays:</div><div><br></div><div>```</div><div>User-Agent: *</div><div>Crawl-delay: 86400 #wait 1 day between each fetch.</div><div>```</div><span><div><br></div><div>> I believe that a technical solution to this threat model is hidden service client authentication (and the next-generation hidden service protocol, when available).</div><div><br></div></span><div>Agreed.</div><span><font color="#888888"><div><br></div><div>-V</div></font></span></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Thu, Jul 7, 2016 at 1:44 PM, Tim Wilson-Brown - teor <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','teor2345@gmail.com');" target="_blank">teor2345@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><span><br>
> On 7 Jul 2016, at 15:24, Virgil Griffith <<a href="javascript:_e(%7B%7D,'cvml','i@virgil.gr');" target="_blank">i@virgil.gr</a>> wrote:<br>
><br>
> > How do you make sure that Tor2web users are anonymised (as possible) when accessing hidden services?<br>
><br>
> I make a good faith effort not to wantonly reveal personally identifying information. But in short, it's hard. I urge people to think of tor2web nodes as closer to Twitter where they record what links you click. I wholly support having the "where is Tor2web in regards to user privacy" discussion (hopefully could even make some improvements to it!), but it is orthogonal to the "robots.txt on .onion" discussion. Let's address the robots.txt issue and then we can return to Tor2web user-privacy.<br>
<br>
</span>Well, as a separate issue, you might want to remove the client IP address (X-Forwarded-For) from HTTP headers your caching proxies send to hidden services. And work out if any of the other headers are sensitive.<br>
<span><br>
> On 7 Jul 2016, at 14:40, Virgil Griffith <<a href="javascript:_e(%7B%7D,'cvml','i@virgil.gr');" target="_blank">i@virgil.gr</a>> wrote:<br>
><br>
</span><span>> So now we have *three* different positions among respected members of the Tor community.<br>
><br>
> (A) isis et al: robots.txt is insufficient<br>
> --- "Consent is not the absence of saying 'no' — it is explicitly saying 'yes'."<br>
><br>
> (B) onionlink/ahmia/notevil/grams: we respect robots.txt<br>
> --- "Default is yes, but you can always opt-out."<br>
<br>
</span>Is the opt-out permanent, or does your server re-check every time it connects?<br>
I can imagine there being issues with either model - one involves storing a list, the other, regular connections.<br>
<span><br>
> (C) onionstats/memex: we ignore robots.txt<br>
> --- "Don't care even if you opt-out." (see <a href="https://onionscan.org/reports/may2016.html" rel="noreferrer" target="_blank">https://onionscan.org/reports/may2016.html</a>)<br>
><br>
><br>
> Isis did a good job arguing for (A) by claiming that representing (B) and (C) are "blatant and disgusting workaround[s] to the trust and expectations which onion service operators place in the network." <a href="https://lists.torproject.org/pipermail/tor-project/2016-May/000356.html" rel="noreferrer" target="_blank">https://lists.torproject.org/pipermail/tor-project/2016-May/000356.html</a><br>
><br>
> This is me arguing for (B): <a href="https://lists.torproject.org/pipermail/tor-project/2016-May/000411.html" rel="noreferrer" target="_blank">https://lists.torproject.org/pipermail/tor-project/2016-May/000411.html</a><br>
><br>
> I have no link arguing for (C).<br>
<br>
</span>I am disappointed that we have a Tor2web design where Tor2web needs to connect to a hidden service first, then check if it has given permission for Tor2web to connect to it. I am also disappointed that this only works for HTTP onions on the default port 80.<br>
<br>
I would like to see a much better design for this.<br>
<br>
I am also concerned about threat models where a single unwanted connection, or a number of unwanted connections, are security factors.<br>
For example:<br>
Imagine there is an (unknown) attack which can determine 1 bit of the 1024-bit RSA key per hidden service connection.<br>
(Some known attacks on broken crypto systems are like this, as are some side-channels.)<br>
Or imagine there is an attack which can determine 1 bit of the IPv4 address per connection.<br>
<br>
For security, a hidden service operator decides to only allow 10 connections before rolling over their hidden service to a new key and server.<br>
<br>
There are at least 10 connections to known .onion addresses every week, because there are at least 10 Tor2web or memex or onionstats instances on the web.<br>
Therefore, every week, the operator must roll over their hidden service, and arrange to notify users of the new address in a secure fashion. Alternately, they must keep the address secret, even from the HSDir hash ring, which is not possible.<br>
<br>
Is there an alternative to position (A) that supports threat models like this?<br>
<br>
I believe that a technical solution to this threat model is hidden service client authentication (and the next-generation hidden service protocol, when available).<br>
However, there is also the possibility of exerting social pressure to prevent people from running servers that continually connect to tor hidden services.<br>
<div><div><br>
Tim<br>
<br>
Tim Wilson-Brown (teor)<br>
<br>
teor2345 at gmail dot com<br>
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B<br>
ricochet:ekmygaiu4rzgsk6n<br>
<br>
<br>
<br>
<br>
<br>
Tim<br>
<br>
Tim Wilson-Brown (teor)<br>
<br>
teor2345 at gmail dot com<br>
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B<br>
ricochet:ekmygaiu4rzgsk6n<br>
<br>
<br>
<br>
<br>
</div></div><br></div></div><span>_______________________________________________<br>
tor-project mailing list<br>
<a href="javascript:_e(%7B%7D,'cvml','tor-project@lists.torproject.org');" target="_blank">tor-project@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project</a><br>
<br></span></blockquote></div><br></div>
<br>_______________________________________________<br>
tor-project mailing list<br>
<a href="javascript:_e(%7B%7D,'cvml','tor-project@lists.torproject.org');" target="_blank">tor-project@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project</a><br>
<br></blockquote></div><br></div>
</blockquote></div></div></div></div>