On 29 Jan 2016, at 13:59, Wilton Gorske <wilton@riseup.net> wrote:


-------- Forwarded Message --------
Subject: [rt.torproject.org #63908] Onion Services & External Resources
Hosted On Them
Date: Fri, 29 Jan 02016 02:19:11 +0000
From: mk via RT <help@rt.torproject.org>
Reply-To: help@rt.torproject.org
To: wilton@riseup.net

I think you might want to try it on our new ML:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions.

On 02016-01-27 23:34:47, wilton@riseup.net wrote:
Hello Tor,

I have a question about Onion Services hosting external resources.

If there's a webserver hosted as an Onion Service, with an external
resource coded (for instance, a Flickr image on the home page), which
'node' in the rendezvous points system calls that resource? The client?
The hidden service? The rendezvous?

It's obviously clear how this works with an exit node on the clearnet,
but not so (to me) with Onion Services. I guess it's the hidden service,
but that means someone watching the network connection of the service
could see it calling the resources for a client every time it was
requested. Right?

This question is relevant to operating onion (hidden) service sites and user privacy.

The user's browser makes a request for each resource in the page to the tor client.
The tor client transparently directs requests to site "A.onion" through a rendezvous circuit to the "A" onion service.
It directs requests to site "B.onion" through a different rendezvous circuit to the "B" onion service.
Requests to non-onion sites are directed to an exit that allows that particular domain and port through yet another circuit.

So, onion services never see requests for any other onion service or internet site.
This is ensured cryptographically: an onion service signs a list of introduction points and keys.
Only clients using those keys at those introduction points can get a rendezvous circuit with the service.
(This enables OnionBalance, where an onion site signs introduction points belonging to replica onion services.)

In addition, each Tor Browser URL bar domain is isolated: Tor Browser isolates application-level resources like cookies, and the tor client isolates network-level resources like streams. (This prevents one site spying on what another site is requesting.) 

Nevertheless, every client accessing a mixed onion / non-onion page is exposed to all the threats from all the resources loaded by that page. There are also potential fingerprinting and correlation attacks. So, just like pure HTTPS, a pure onion site is best practice.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
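
The following is an added example, not part of the original thread and not Tor Project code. It audits an onion site's HTML for subresources that would make the client open a circuit to another onion service or to an exit, which is the mixed-content case the reply advises against. The tag list, function names and sample hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute triggers a subresource fetch (assumed, non-exhaustive).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href",
               "audio": "src", "video": "src", "source": "src", "embed": "src"}

class ResourceAuditor(HTMLParser):
    """Collect subresource URLs and label the kind of circuit each would use."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.findings = []  # (tag, absolute_url, kind)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return  # data:, about: and similar cause no network request
        host = (parts.hostname or "").lower()
        if host == self.page_host:
            kind = "same-onion"   # rendezvous circuit to the page's own service
        elif host.endswith(".onion"):
            kind = "other-onion"  # different rendezvous circuit, other service
        else:
            kind = "clearnet"     # separate circuit through an exit relay
        self.findings.append((tag, url, kind))

def audit(page_url, html):
    auditor = ResourceAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

def is_pure_onion(page_url, html):
    """True when every subresource is served by the page's own onion host."""
    return all(kind == "same-onion" for _, _, kind in audit(page_url, html))

# Constructed sample page; hostnames are placeholders, not real services.
SAMPLE_URL = "http://exampleaaaaaaaaaaaa.onion/index.html"
SAMPLE_HTML = """<head><link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.com/lib.js"></script></head>
<body><img src="https://images.example.org/photo.jpg">
<img src="http://examplebbbbbbbbbbbb.onion/banner.png">
<img src="data:image/png;base64,AAAA"></body>"""
```

Calling `audit(SAMPLE_URL, SAMPLE_HTML)` lists each fetch with its classification. The audit covers static markup only, so resources loaded from CSS or by scripts at run time are not seen.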