[tor-dev] Proposal: End-to-end encrypted onion services for non-Tor clients
donncha at donncha.is
Mon Sep 14 16:12:23 UTC 2015
I have been thinking about ideas to make Tor hidden services more available and
secure for non-Tor users. Inline I've included a draft proposal which describes an end-to-end
encrypted Tor2Web-like system.
I'm really interested in hearing any suggestions, comments or criticism about this
proposal. In particular I'd like to know if the trust requirements for the entry proxies
and resolvers seem reasonable? Does this proposal make sense and is it something worth implementing?
Thank you to David Stainton and Leif Ryge for your feedback on this proposal.
Title: End-to-end encrypted onion services for non-Tor clients
Author: Donncha Ó Cearbhaill
This proposal describes a system to allow non-Tor users to securely access
location-hidden services via a domain name chosen by the hidden service
Tor hidden services have typically been used to provide anonymity to both
services and clients. There are however use cases where a publisher or
content provider requires anonymity but their users do not. The publishers
typically would like their content to be available securely and to the
widest possible audience.
Tor2Web currently allows non-Tor users to access hidden services but it has
a number of limitations. Tor2Web deployments are limited due to requirement
to entrust Tor2Web service providers with users location information and the
content of their requests.
The onion subdomain based addressing in Tor2Web poses a usability issue and
can be unwieldy for users without providing any self-authenticating
properties. Tor2Web can be configured with a custom domain for an individual
hidden service but this requires manual configuration and additional
Ideally non-Tor users should be able to access location-hidden services
under a standard domain name with end-to-end encryption from the client's
browser to the hidden service web server. The system should be decentralized
and it should not require the hidden service operator to run any clearnet
At a high level this proposal specifies a system of TCP entry proxies which
transparently proxy the TLS connections of non-Tor clients to a hidden
service. A client who requests a domain name such as https://myblog.com
should get connected to a hidden service endpoint which has a valid SSL
certificate for myblog.com.
3.1. Hidden Service configuration
A hidden service operator obtains a public domain name and a corresponding
CA signed SSL certificate. The operator configures the hidden service web
server with the SSL certificate for the external domain.
The domain name is pointed at an authoritative nameserver provider. The
operator should also set a TXT DNS record containing the onion address of
their hidden service.
3.2. Entry Proxy
Modern web browsers send a Server Name Indication (SNI) field in the initial
ClientHello of the TLS handshake. The entry proxy reads this field to
determine the clients destination domain. The proxy performs a DNS lookup at
that domain for a TXT record which specifies the corresponding onion address
for the provided domain.
The TLS entry proxy connects to the onion service via a Tor2Web-type circuit
and then begins transparently proxying TLS traffic between the clients
browser and the destination onion service.
3.3. Resolving Nameserver
The key component of this system is a DNS name server which can direct
clients to an online entry proxy via a round-robin type system. In a basic
solution the onion service operator could manually specify one or more entry
proxies in the A records for their domain on their existing authoritative
In practice entry proxy churn would result in changing set of entry proxies.
The nameserver will need regularly update its set of online entry proxies an
remove proxies which are malfunctioning, malicious or otherwise unusable.
The resolver may run a scanner to check its known proxies or load a list
from an external service. Additionally the resolver should detect if an
entry proxy blacklists a domain for which it is responsible and avoid
routing clients to that entry proxy.
It is expected that independent service providers will run their own
domain->onion resolving nameserver in diverse jurisdictions as free or paid
The entry proxy component could be implemented as part of the current Tor
relay code base. Integration directly within Tor would allow use of the
existing network consensus and bandwidth measurement systems to be used to
discover available entry proxies. It would also allow for malicious entry
proxies to be blacklisted.
Alternatively the entry proxy could be implemented in the existing Tor2Web
software or as a standalone software package. Implementing outside of Tor
would be faster and it would avoid the risk of losing Tor relay capacity as
a result of legal threats to the entry proxies.
The resolving nameserver is the most complicated component of this system.
The component will eventually require a DNS server, a management interface,
and a set of network monitoring tools.
5. Security and resiliency implications:
5.1. Availability Attacks:
Adversaries can attack the availability of a publicly-proxied hidden
service at a number of levels:
* Censorship or shutdown of entry proxy:
Attacks on individual entry proxies are mitigated by performing DNS
based round-robin between many online entry proxies. The Resolver system
should be able to quickly remove entry proxies which misbehave or which
* Censorship or seizure of the hidden service public domain:
DNS based blocks are widely deployed for censorship and may be difficult
to avoid. Domain registrars can also be forced to suspend domain names.
Service operators should considering running their service under a TLD
which is less vulnerable to these type of coercive threats.
* Takedown of a nameserver provider:
Multiple resolving nameservers can be configure for each forwarded
domain. Using nameservers maintained by different providers can provide
resilience to attacks against a single nameserver provider.
5.2. Security Attacks:
Entry proxies and exit relays have a similar ability to monitor and
interfere with client traffic. This is greater risk of targeted
interference from entry proxies as they can also determine the client's
* Man-in-the-middle HTTP connections:
Entry proxies have the ability to man-in-the-middle HTTP connections.
Service operators should send HSTS header to force clients to
automatically use TLS for all future connections.
* TLS man-in-the-middle with CA-signed certificate
Some commercial CA cert providers allow for domain ownership to be
validated by providing a file over HTTP at the domain. A malicious entry
proxy could successfully obtain a CA-signed certificate from one of
these certificate authorities.
Service operators can minimize their exposure to this type of attack by
using HPKP headers to limit the set of valid certificate authorities for
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 630 bytes
Desc: OpenPGP digital signature
More information about the tor-dev