[tor-dev] Configuring Single Onion Services

Tim Wilson-Brown - teor teor2345 at gmail.com
Fri Apr 8 00:15:19 UTC 2016

Hi All,

I'm working on proposal 260's Rendezvous Single Onion Services in #17178.

They are faster, because they have one hop between the service and the introduction and rendezvous points.
But this means that their location is easy to discover (non-anonymous).
So we want to come up with a design that makes it hard to configure a non-anonymous service by accident.

Here's a cut-down version of an email I sent to tor-onions for feedback, for those who are on both lists:

Nick's concern was that users could configure Single Onion Services without realising that it provides no server location anonymity.
I initially thought we could change the torrc option name to make this clear. ...
I now believe that trying to overload the name of a feature with warnings about its downsides was a mistake. …

This would mean that Single Onion Service operators would include in their torrc:

SingleOnionMode 1
HiddenServiceDir …

As a separate issue, I think there are two alternative designs that can prevent users from configuring the feature and then exposing their location unintentionally:

Tor2WebMode requires users to add a compilation option: --enable-tor2web-mode
We could do this with Single Onion Services as well: --enable-single-onion-mode
If SingleOnionMode is configured without the compilation option, tor warns the user and refuses to start.
When it is configured, tor warns the user they're non-anonymous, then starts.
However, using a compilation option makes the feature harder to test.
And Tor2Web operators already don't like having to compile separate binaries.
It's likely Single Onion operators would feel similarly.

Alternately, we could add a torrc option: NonAnonymousMode
If SingleOnionMode is configured without NonAnonymousMode, tor warns the user and refuses to start.
When it is configured, tor warns the user they're non-anonymous, then starts.

I spoke with Nick on IRC and he's happy with either of these options.

I'd like to proceed with the NonAnonymousMode torrc option, unless there are compelling reasons against that design.
I hope that this will allow us to get SingleOnionMode merged early in tor 0.2.9.


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160408/356edf7d/attachment.sig>

More information about the tor-dev mailing list