[tor-talk] New TOR Service Suggestions and Enhancements
Random Tor Node Operator
tor at unterderbruecke.de
Tue Nov 19 10:47:06 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 11/19/2013 06:50 AM, Mark McCarron wrote:
>> Date: Mon, 18 Nov 2013 21:11:40 +0100 From:
>> tor at unterderbruecke.de To: tor-talk at lists.torproject.org Subject:
>> Re: [tor-talk] New TOR Service Suggestions and Enhancements
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> On 11/18/2013 05:23 PM, Mark McCarron wrote:
>>> With all the recent crack downs on civil liberties, seizure of
>>> TOR services and general censorship that is now hitting even
>>> mainstream search engines, I would like to propose a set of new
>>> services and some enhancements to the network layer to improve
>>> anonymity. We need to get as much support as possible behind
>>> these services and improvements as they will assist in both
>>> the expansion and self-funding capability of TOR going
>>> The following services have been suggested and will require a
>>> fee, paid in Bitcoins, which will be donated to the TOR
>>> project. This is a security measure to prevent saturation of
>>> the services. These services should be integrated into the TOR
>>> software and run in a distributed fashion.
>>> 1. Distributed Web Hosting
>>> Currently, anyone hosting a hidden service must provide their
>>> own hosting solution and use software to provide access to the
>>> TOR network. This strategy has seen increasing number of
>>> services taken down in raids by various governments. We require
>>> a distributed hosting solution that provides a web server and
>>> database to anyone. The requirements for the service are as
>>> a. Payment gateway that accepts Bitcoins and either generates
>>> a new site, or renews a previously generated private key. This
>>> gateway should retain no knowledge of any transaction, or the
>>> ability to revoke a site once generated. Sites should
>>> automatically expire after a given date, unless the private key
>>> is renewed. Private key renewals should not require the private
>>> key to leave the client-side.
>>> b. Sites can be hosted at any node in an encrypted server with
>>> redundancy options (whack-a-mole) and automatic replication
>>> between nodes. No node should be able to inspect what it hosts
>>> in any fashion. A premium can be paid to increase replication
>>> c. Should provide a set minimum of traffic capacity, a
>>> premium can be paid to increase that capacity or link sites to
>>> build a larger service (i.e. multiple front-ends, database
>>> clusters). A Bitcoin pool should be created that providers of
>>> this service can be paid from to compensated for the increased
>> While I strongly agree that a distributed HS system would be
>> very desirable, I find the idea to make it dependent on any kind
>> of payment very appalling.
>> Especially your point 1c, which is exactly what many ISPs try to
>> force upon their customers nowadays. Be on the slow lane or pay a
>> premium. And what if a critical mass of users is already on the
>> fast lane? Thanks, but no thanks. Best effort should remain the
>> way to go.
>> What you call the gateway would also be a single point of
>> failure. Unless that gateway was decentralized, too, some TLA
>> could simply decide to seize it because one of the countless
>> Hidden Services was doing something bad. Consequently, all other
>> HS would fade out when their keys expire.
> In an ideal world, there would be no payment system. In the world
> as it is today, we must deal with both abuse of a system and the
> realities of the costs of operating a system. In respect to the
> latter, we cannot live in some hippy freeloader universe.
Can you specify what kind of abuse you are expecting to prevent by
introducing a payment system?
Don't even think about letting the Tor project have the power to disable
a given HS. It would make them subject to legal liabilities and
harassment at its finest. IANAL, but in principle, the Tor project
would then be responsible for any and all HS and anything and
everything people might do with it. That would, likely literally, be
fatal for Tor.
You seem to view payments as a viable way to prevent abuse. Have a look
at the "Real World", where nearly everything is subject to fees. No
abuse anywhere, right? It just does not work. Requiring payments *is* an
entry barrier, but it does *not* filter out the bad guys, only the poor
Also, the fact that everyone can trivially set up a HS without requiring
anyone else's permission or going through any kind of potentially
de-anonymizing process like a payment, is of the absolute key aspects of
It is a very democratic, maybe even slightly anarchistic approach,
without any gatekeepers.
Doing away with that in an anxious attempt to reduce unspecified cases
of abuse would be a terrible idea in my opinion.
And I can only speak for myself here, but I would surely NOT run one
single Tor relay if I knew that people using it were somehow required
to make any kinds of payments for their use. I am only willing to do
so because Tor is a "hippy freeloader universe" and I gladly support that.
> In regards to 1c, you felt it was a type of net neutrality. No,
> that is wrong. Think of it more like the difference between shared
> and dedicated hosting.
> The payment gateway would also be distributed.
Different wording, same meaning.
That approach is based on discriminatory treatment as a function of
coughing up money.
As far as I can tell, that goes pretty much against the goals Tor is
aiming to achieve.
If you are worried about the operating costs of node operators, have a
look at this discussion: .
Notice that even if it were trivially possible to reimburse node
operators according to some distribution scheme, you must take into
account the implications of that.
When you suddenly introduce a financial incentive in running Tor
nodes, the relative amount of idealism is likely to drop, because you
attract people for financial reasons.
>>> 2. Distributed File Hosting
>>> Follows the same structure as web hosting, but provides an FTP
>>> service. Should integrate into the web hosting layer
>>> 3. Distributed Virtual Machine Hosting
>>> Follows the same structure as web hosting, but provides a
>>> complete virtual OpenBSD/Linux platform. A Bitcoin pool should
>>> be created that providers of this service can be paid from to
>>> compensated for the increased processing.
>> This kind of approach would be needed to go beyond a "simple"
>> distributed storage for static files. How else would you host a
>> HS which runs any kind of interactive content...
> The file hosting discussed on deals with ftp-like services. If a
> need is shows for other types of file hosting, it can be added, but
> we should focus on core services first.
Go ahead and write a paper about how to implement a distributed static
file hosting scheme to be integrated into Tor.
- - Node operators define a certain, arbitrary amount of disk space they
are willing to share for the service
- - Files must distribute automatically among nodes, given some minimum
redundancy (Maybe 3? Maybe the actual redundancy should automatically
scale up if there is "enough" space available on the network?)
- - Node operators (or anyone else, for that matter) must *never* be
able to tell what files are currently (being) stored on their nodes.
Obviously, everything needs to be entirely encrypted, so not even
filenames or filesizes can be seen on any node.
- - For scalability, there should at least be an expiry date and/or a
way for the uploader to delete files afterwards, so the storage
requirements don't run off beyond all bounds over time.
And that is only the "easy" task with static files.
Try to come up with a viable system for distributed virtual machines!
>>> 4. Distributed Web Indexer
>>> Uncensored search of the entire internet. Speed is
>>> unimportant, as is the frequency of updates. The primary goal
>>> is to make it uncensored.
>> Have you had a look at YaCy ?
> Not until you mention it. This solution looks viable and should be
> re-written and absorbed into the default install of TOR.
Why exactly should it be rewritten?
Feel free to come up with ways to integrate it into Tor... without the
need for a rewrite.
>>> 5. Distributed Email and Instant Messaging
>>> Accounts can be purchased for Bitcoins, completely
>>> decentralized. Speed of delivery is unimportant and should be a
>>> best effort system. The inclusion of a "global broadcast" for a
>>> premium is recommended. This latter services allows for
>>> important announcements to be flashed across the world. The
>>> premium should be set very high to prevent abuse.
>> Why do you want to sell anything and everything? The nice thing
>> about Tor is that you can set up your own HS *without* the need
>> for a central authority and *without* the need to pay anything.
>> For decentralized instant messaging (without the need to pay, I
>> might add), have a look at TorChat 
> Its not about selling, its is about preventing the abuse of
> resources and ensuring anything that requires servers can scale
> with the user base rather than being contested.
> TORChat solves the instant messaging issue and should be bundled.
> Now we need a distributed email system.
Good luck with that.
In principle, you need the same requirements as for a distributed
storage of static files, plus some more, because only the recipient
must be able to read and delete their emails.
Also, perfect forward secrecy  might be desirable for emails.
Something that is not available for example with GPG.
Maybe you should also have a look at Bitmessage .
>>> 6. Distributed News Service
>>> Pay a premium and post your story. This will ensure only
>>> important news hits this newswire.
>> Yes, because those with most money and willingness to pay are
>> those with the most important news for everybody.
> It would be a token amount, its just to prevent spam mainly.
There are better concepts than money against spam .
>>> 7. Distributed Start Page and TOR Index
>>> TOR needs an entry point, somewhere that provides access to all
>>> services and can guide users through the system. Many sites
>>> have tried to serve this function, none have survived.
>> Do you realize that one of the points of a *Hidden* Service might
>> be that it does *not* show up in a publicly available list of
>> Feel free to create a HS for users new to Tor, which exemplarily
>> introduces the users to some Hidden Services cherry-picked by
> I understand that, I'm thinking of an automated directory similar
> to TORDir where you manually add services and ones that fail a
> given number of checks get pruned from the system.
> Creating a hidden service to act as a start page, or gateway, for
> users has been tried time-and-time again. Look at core.onion, gone
> in a flash. We require something more robust.
Can you explain why exactly we require that? There is no global index
of the "normal internet" either, at least none that is intended to be
used by humans.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the tor-talk