[tor-talk] Neal Krawetz's abcission proposal, and Tor's reputation

Wed Aug 30 17:18:36 UTC 2017

On Wed, Aug 30, 2017 at 03:07:37PM +0100, Ben Tasker wrote:
> So his suggestion is portrayed as not sacrificing much, but actually
> sacrifices quite a lot.

This is a really important point. Thinking of onion space right now as
the sum total of all that it can be is cutting off all of the future
innovation.

My claim isn't "onion services are 3% of Tor traffic, so don't get
upset about anything you find on an onion service" -- my claim is "onion
services are still very early in terms of adoption, and as is usual for
many decentralized techologies the extra-early adopters are not great use
cases, and that means we need to help the space grow, and as it grows,
if we do it right, it will become more broad and thus more good".

One concrete example of an onion service that the proposed design would
cut off is Ricochet. Ricochet users want longterm-stable identifiers,
and they want the identifiers to be self-authenticating. And of course
making every Ricochet user register and maintain a domain, plus run a
webserver, is both silly and harmful.

This example also helps to illustrate why thinking of onion services as
only websites also artificially constrains their future. What if your
smart refridgerator registers an onion address when you first plug it
in, and it's only willing to receive secure updates via that channel,
meaning it has a hugely reduced surface area to attacks?

As Alec says, the list of "things that could benefit from having a safe
communication channel" is both enormous and open-ended. People like to
use phrases like "dark web" or "dark continent" to evoke mystery and
intrigue, but really, do you want to use the communications channel where
you know for sure that you're talking to the person you meant to talk
to, and you know that it's hard for somebody to eavesdrop on the content
or the metadata? Or do you want to use the communications channel where
you don't know who you're talking to, you don't know who is listening,
and you don't know whether somebody is modifying the traffic?

Calling onion services the "secure web" and everything else the "insecure
web" isn't very catchy, so maybe we should settle on calling everything
else (the places where you don't know who you're talking to or who's
listening) "dark". :)

For those following along who haven't watched our 32c3 onion services
talk, you might find it enlightening:
https://media.ccc.de/v/32c3-7322-tor_onion_services_more_useful_than_you_think
(The Defcon talk has a few more details about the next-generation onion
service design, but I'm told the video for it won't be up for another
couple of months.)

I think finding ways to tie onion addresses to normal ("insecure web")
domains, when a service has both, is really important too. I'd like to
live in a world where Let's Encrypt gives you an onion altname in your
https cert by default, and spins up a Tor client by default to let users
reach your webserver using whichever level of security they prefer.

And for those who made it this far down the mail, you might enjoy this
historical tor-talk mail too:
https://lists.torproject.org/pipermail/tor-talk/2015-April/037538.html
(see the paragraph towards the bottom that starts "I should also make
clear my opinion on some of the bad uses of Tor.")

--Roger