A little Tor Hidden Service

Hi,

As promised I have set up a Tor Hidden service hosting
RFC6761:

  http://wkqp7hcrpkxdgfat.onion/

I suggest that you download the Tor Browser Bundle
for your operating system from:

  https://www.torproject.org/download/download-easy.html.en

And then access whichever regular internet site you wish,
just to see that it works (unless the site is hosted behind CloudFlare,
in which case you need to train robots in identifying numbers before
you can access the page).

Then, paste in the above URL.

I discuss the difference in the privacy implications of
the two actions in the attached.  It is by no means complete
or perfect; it's an intro to the topic.  The Tor Project maintains
excellent documentation at their site torproject dot org.

Also see: https://www.eff.org/pages/tor-and-https for a nice
graphic of Tor and HTTPS.

Regards,

Hugo Connery
--
Head of IT, DTU Environment, http://www.env.dtu.dk
"You can't operate a global communications network without encryption" -- M Blaze, B Schneier et al.

PS: It would be interesting to see if the EFF wish to bring CloudFlare
to court based on the Title 2 classification from the US FTC.

What is Tor?

Tor is a low-latency privacy network.

When accessing the internet through Tor, a path is
created through 3 intermediary relays.  All requests
are then packed up into 3 layers of encryption, one
layer to be stripped off by each relay (hence The Onion
Router -- the layering of encryption is like the
layers of an onion).  This ensures that no single
relay can know both the source of the transaction
AND the destination.

In normal operation, both DNS and all other (HTTP,
HTTPS, FTP, rsync, whatever) traffic is pushed all
of the way through the Tor "tunnel", so that the
internet sees a Tor exit relay making these transactions,
while the ISP sees the user connecting to Tor but has
no idea what they are doing.
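
As an added illustration of the three-layer wrapping described above (example code, not part of this mail and not the Tor Project's own code): the cipher is a throwaway SHA-256 XOR keystream standing in for Tor's real circuit ciphers, the relay names and shared keys are made up, and circuit setup (key negotiation with each relay) is assumed to have already happened. What it shows is the property the text states: each relay learns only the hop that handed it the cell and the hop it must forward to, and no single relay sees both the client and the destination.

```python
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256 counter keystream.

    Demo-only symmetric cipher standing in for Tor's real circuit
    ciphers; encryption and decryption are the same operation.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def wrap_onion(payload: bytes, destination: str, circuit: list) -> bytes:
    """Client side: one encryption layer per relay, exit layer innermost.

    `circuit` lists (relay_name, shared_key) from guard to exit; the keys
    are assumed to have been negotiated with each relay during circuit setup.
    Each layer carries only the *next* hop, so a relay that strips its layer
    learns where to forward the cell but not where it ultimately ends up.
    """
    hops = [name for name, _ in circuit] + [destination]
    cell = payload
    # Build from the exit inwards so that the guard's layer is outermost.
    for i in range(len(circuit) - 1, -1, -1):
        _, key = circuit[i]
        layer = json.dumps({"next": hops[i + 1], "body": cell.hex()}).encode()
        cell = keystream_xor(key, layer)
    return cell


def relay_peel(key: bytes, cell: bytes, came_from: str):
    """One relay strips exactly one layer and records what it could observe."""
    layer = json.loads(keystream_xor(key, cell))
    view = {"from": came_from, "to": layer["next"]}
    return layer["next"], bytes.fromhex(layer["body"]), view


def run_circuit(payload: bytes, destination: str, circuit: list, client: str = "client"):
    """Push one cell through the whole circuit.

    Returns (final destination, plaintext delivered by the exit, per-relay views).
    """
    cell = wrap_onion(payload, destination, circuit)
    views = []
    prev_hop = client
    for name, key in circuit:
        next_hop, cell, view = relay_peel(key, cell, prev_hop)
        views.append((name, view))
        prev_hop = name
    return next_hop, cell, views


def knows_both_ends(views, client: str, destination: str) -> bool:
    """True if any single relay saw both the client and the final destination."""
    return any(v["from"] == client and v["to"] == destination for _, v in views)


# Constructed sample circuit: relay names and keys are made up for the demo.
CIRCUIT = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]
REQUEST = b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"

if __name__ == "__main__":
    dest, plaintext, views = run_circuit(REQUEST, "example.net", CIRCUIT)
    for name, view in views:
        print(f"{name:>6}: received from {view['from']:<7} forwards to {view['to']}")
    print("exit delivers to", dest, "->", plaintext)
    print("any relay sees both ends?", knows_both_ends(views, "client", "example.net"))
```

Running it prints one line per relay: the guard sees "client" and "middle", the middle sees "guard" and "exit", and the exit sees "middle" and "example.net". Only the exit sees the plaintext request, which is why the text stresses that the exit relay, not the user, is what the destination site observes. Real Tor cells are fixed-size and the keys come from an authenticated handshake; none of that is modelled here.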

What is a hidden service?

Tor also provides Tor "hidden services" (THS), the point
of which is that both the server and the connecting client
can retain their anonymity, unless they wish to declare
themselves.

Imagine a suicide chat service, at which the service
identifies itself, to provide assurance to the client,
but at which the client is not required to identify themselves.

In this model it is practically impossible for the client
to be identified by anyone, and the client could connect
from anywhere globally, assuming that access to Tor is
possible.

Hidden services are identified as (protocol)://(some-hash).onion
as outlined in the example above.

What is the privacy issue?

When a THS is accessed with a Tor-enabled browser no information
is leaked outside of the Tor network -- there is no DNS
lookup.

However, when that URI is accessed with a normal browser,
there is a DNS lookup and that immediately breaks the
privacy of both parties: i.e. the DNS request exposes the
user amongst the community using their recursive resolver,
and publishes their intention to visit the service.

Additionally, the connection will fail, as there is no
DNS registration involved in any THS.
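
The leak described above is visible from the recursive resolver's side, so a resolver operator can both detect it and stop it. The following is an added example (not part of this mail, nor any resolver's own code) that scans constructed BIND-style query-log lines for .onion lookups, reports which client asked for which service, and shows the resolver-side mitigation: answering .onion locally with NXDOMAIN rather than forwarding the name upstream, which is the behaviour the special-use registration asks of resolvers. The log format and client addresses are made up; adjust `QUERY_RE` for a real resolver's log.

```python
import re
from collections import Counter

# Constructed BIND-style query log. The exact "query:" line layout is an
# assumption for this demo; adapt QUERY_RE to your resolver's format.
SAMPLE_LOG = """\
client 10.0.0.12#51234: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.12#51234: query: wkqp7hcrpkxdgfat.onion IN A + (10.0.0.1)
client 10.0.0.40#40122: query: wkqp7hcrpkxdgfat.onion IN AAAA + (10.0.0.1)
client 10.0.0.40#40122: query: mail.example.com IN MX + (10.0.0.1)
client 10.0.0.77#60001: query: not-a-valid-hash.onion. IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client\s+(?P<client>[0-9a-fA-F.:]+)#\d+(?:\s+\([^)]*\))?:\s+query:\s+"
    r"(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)"
)


def parse_query(line: str):
    """Return (client_ip, qname, qtype) for a query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def onion_label(qname: str):
    """The label directly under .onion (the service's hash), or None if not .onion."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    return labels[-2]


def classify_onion(label: str) -> str:
    """Shape check only: 16 base32 characters is the address form used on this
    page (v2); 56 is the later v3 form; anything else is not a service address."""
    if re.fullmatch(r"[a-z2-7]{16}", label):
        return "v2"
    if re.fullmatch(r"[a-z2-7]{56}", label):
        return "v3"
    return "malformed"


def find_leaks(lines):
    """Every .onion query is a leak: the resolver operator (and anyone upstream,
    if the query is forwarded) now knows which client meant to visit which service."""
    leaks = []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        label = onion_label(qname)
        if label is None:
            continue
        leaks.append({"client": client, "qname": qname, "qtype": qtype,
                      "kind": classify_onion(label)})
    return leaks


def leaks_per_client(leaks) -> Counter:
    """Count leaked .onion lookups per source address."""
    return Counter(leak["client"] for leak in leaks)


def resolver_decision(qname: str) -> str:
    """Mitigation on the recursive resolver: answer .onion locally with NXDOMAIN
    instead of forwarding it, so the name never leaves the local network."""
    return "NXDOMAIN" if onion_label(qname) is not None else "forward-upstream"


if __name__ == "__main__":
    found = find_leaks(SAMPLE_LOG.splitlines())
    for leak in found:
        print(f"{leak['client']:<12} {leak['qtype']:<5} {leak['qname']} [{leak['kind']}]")
    print("per client:", dict(leaks_per_client(found)))
```

Run against the sample log this reports three leaked lookups from three clients, two of them for the well-formed address used in this mail and one for a name that cannot be a real service. The local NXDOMAIN answer limits the exposure to the resolver operator; it does not undo the fact that the client's own browser still revealed its intent to that resolver, which is the residual privacy issue the text returns to at the end.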

What is the certificate issue?

Certificate authorities are meant to ensure the ownership
and validity of the domain for which they are issuing.
As .onion is a non-existent TLD, issuing a certificate
for the above "domain" (wkqp7hcrpkxdgfat.onion) would be
strange.  But I could generate a self-signed certificate
and that would be fine, except for the warning that all
browsers give about this.

But, Facebook want to deploy a THS (in which they will
publish their identity, and to which people will de-anonymise
themselves by logging in), and they want to have a certificate
for it.

Thus, .onion needs to be either registered or declared special
use.  If it is registered, then it is controlled by a single
organisation, and this is entirely against the decentralised
principle of the Tor Project.  Thus, they request a special
use registration.

This solves the certificate problem, but the privacy issue
outlined above remains.
