
Tor onion site


The study is a collaboration between researchers Rebekah Overdorf (1), Marc Juarez (2), Gunes Acar (2), Rachel Greenstadt (1) and Claudia Diaz (2).
(1) Drexel University {rebekah.overdorf,rachel.a.greenstadt}@drexel.edu
(2) imec-COSIC KU Leuven {marc.juarez, gunes.acar, claudia.diaz}@esat.kuleuven.be

Reference: R. Overdorf, M. Juarez, G. Acar, R. Greenstadt, C. Diaz. How Unique is Your .onion? An Analysis of the Fingerprintability of Tor Onion Services. In Proceedings of ACM Conference on Computer and Communications Security (CCS'17). ACM, Nov. 2017. (Forthcoming)

Website fingerprinting attacks aim to uncover which web pages a target user visits. They apply supervised machine learning classifiers to network traffic traces to identify patterns that are unique to a web page. These attacks circumvent the protection afforded by encryption and the metadata protection of anonymity systems such as Tor.

Website fingerprinting can be deployed by adversaries with modest resources who have access to the communications between the user and their connection to the Internet, or on an anonymity system like Tor, the entry guard (see the figure below). There are many entities in a position to access this communication including wifi router owners, local network administrators or eavesdroppers, Internet Service Providers, and Autonomous Systems, among other network intermediaries.

Prior studies typically report average performance results for a given website fingerprinting method or countermeasure. However, if you own a hidden service, you are more concerned with the security of your particular hidden service than how well an attack or defense works overall. If your site is naturally hidden against attacks, then you do not need to implement a defense.
Conversely, your site may not be protected by a certain defense, despite the high overall protection of such defense.

In this study, we try to answer the following two questions:

Are some websites more fingerprintable than others?
If so, what makes them more (or less) fingerprintable?

Disparate impact of website fingerprinting

We have identified high variance in the results obtained by the website fingerprinting state-of-the-art attacks (i.e., k-NN, CUMUL and k-FP) across different onion websites: some sites (such as the ones in the table below) have higher identification rates than others and, thus, are more vulnerable to website fingerprinting.

The table below shows the top five onion services ranked by number of misclassifications. We observe a partial overlap between the sites that are most misclassified across different classifiers. This indicates the errors of these classifiers are correlated to some extent. We looked into these classifications in more detail.

.onion URL    TP    FP    FN    F1

k-NN
4fouc...       4    84    66    0.05
ykrxn...       3    62    67    0.04
wiki5k...      3    77    67    0.04
ezxjj...       2    76    68    0.03
newsi...       1    87    69    0.01

CUMUL
zehli...       2    15    68    0.05
4ewrw...       2    29    68    0.04
harry...       2    29    68    0.04
sqtlu...       2    35    68    0.04
yiy4k...       1    14    69    0.02

k-FP
ykrxn...       4    62    66    0.06
ykrxn...       3    42    67    0.05
wiki5...       3    55    67    0.05
jq77m...       2    54    68    0.03
newsi...       2    63    68    0.03

Analysis of classification errors

We have analyzed the misclassifications of the three state-of-the-art classifiers. In the following Venn diagram, each circle represents the set of prediction errors for one of the classifiers. In the intersections of these circles are the instances that were incorrectly classified by the overlapping methods. 31% of the erred instances were misclassified by all three methods, suggesting strong correlation in the errors.

We looked into the misclassifications that fall in the intersection among the three classifiers to understand what features make them be consistently misclassified.

Misclassification graph

Confusion graph for the CUMUL classifier drawn by Gephi software using the methodology explained in the paper. Nodes are colored based on the community they belong to, which is determined by the Louvain community detection algorithm. Node size is drawn proportional to the node degree, that is, bigger node means lower classification accuracy. We observe highly connected communities on the top left, and the right which suggests clusters of Hidden Services which are commonly confused as each other. Further, we notice several node pairs that are commonly classified as each other, forming ellipses.

Network-level features

In the figure below we plot the instances that fall in the intersection of the misclassification areas of the attacks in the Venn diagram.
In the x-axis we plot the normalized median incoming size of the true site and, in the y-axis, we show the same feature for the site that the instance was confused with.

Total incoming packet size can be thought of as the size of the site, as most traffic in a web page download is incoming.

We see that the sizes of the true and the predicted sites in the misclassifications are strongly correlated, indicating that sites that were misclassified had similar sizes.

At the same time, the high density of instances (see the histograms at the margins of the figure) shows that the vast majority of sites that were misclassified are small.

Site-level features

The figure below shows the results of the site-level feature analysis using information gain as feature importance metric. We see that features associated with the size of the site give the highest information gain for determining fingerprintability when all the sites are considered. Among the smallest sites, which are generally less identifiable, we see that standard deviation features are also important, implying that sites that are more dynamic are harder to fingerprint.

Conclusions

We have studied what makes certain sites more or less vulnerable to the attack. We examine which types of features are common in sites vulnerable to website fingerprinting attacks. We also note that from the perspective of an onion service provider, overall accuracies do not matter, only whether a particular defense will protect their site and their users.

Our results can guide the designers and operators of onion services as to how to make their own sites less easily fingerprintable and inform design decisions for countermeasures, in particular considering the results of our feature analyses and misclassifications. For example, we show that the larger sites are reliably more identifiable, while the hardest to identify tend to be small and dynamic.

This includes crawling infrastructure, modules for analysing browser profile data and crawl datasets.
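
The per-site view the study argues for, as an added example that is not the authors' code: it turns a classifier's (true site, predicted site) outputs into the TP/FP/FN/F1 columns used in the table above, ranks sites from hardest to easiest to identify, and lists the weighted confusion edges that a confusion graph is built from. The function names and the four sample sites are constructed for illustration.

```python
from collections import Counter

def f1(tp, fp, fn):
    """F1 from raw counts; 0.0 when the site was never seen or predicted."""
    denom = 2 * tp + fp + fn
    return 2 * tp / denom if denom else 0.0

def per_site_metrics(pairs):
    """pairs: (true_site, predicted_site) per test instance -> {site: counts + F1}."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for true, pred in pairs:
        if true == pred:
            tp[true] += 1
        else:
            fn[true] += 1  # an instance of `true` that the classifier missed
            fp[pred] += 1  # and that it wrongly attributed to `pred`
    return {s: {"TP": tp[s], "FP": fp[s], "FN": fn[s], "F1": f1(tp[s], fp[s], fn[s])}
            for s in set(tp) | set(fp) | set(fn)}

def overall_accuracy(pairs):
    """The single average figure that hides per-site differences."""
    return sum(t == p for t, p in pairs) / len(pairs)

def rank_hardest(pairs):
    """Sites ordered from hardest to easiest to identify (lowest F1 first)."""
    m = per_site_metrics(pairs)
    return sorted(m, key=lambda s: (m[s]["F1"], s))

def confusion_edges(pairs):
    """Weighted true -> predicted edges over the errors: confusion-graph input."""
    return Counter((t, p) for t, p in pairs if t != p)

# Constructed predictions for four hypothetical sites, 10 instances each.
SAMPLE = ([("big-a", "big-a")] * 10
          + [("big-b", "big-b")] * 9 + [("big-b", "big-a")]
          + [("small-x", "small-x")] * 2 + [("small-x", "small-y")] * 8
          + [("small-y", "small-y")] * 6 + [("small-y", "small-x")] * 4)

if __name__ == "__main__":
    print("overall accuracy:", overall_accuracy(SAMPLE))
    metrics = per_site_metrics(SAMPLE)
    for site in rank_hardest(SAMPLE):
        print(site, metrics[site])
    print(confusion_edges(SAMPLE).most_common())
```

On the constructed sample the overall accuracy is 0.675, while the two small sites that are confused with each other sit at F1 0.25 and 0.5 and the two large ones stay above 0.94.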


The Tor Project has released Tor Browser 11.0 with a new user interface design and the removal of support for V2 onion services.

The Tor Browser is a customized version of Firefox ESR that allows users to browse the web anonymously and access special .onion domains only accessible via Tor.

You can download the Tor Browser from the Tor Project site, and if you are an existing user, you can upgrade to the latest version by going to the Tor Menu > Help > About Tor Browser.

Tor Browser 11.0

Tor Browser 11 uses Firefox ESR 91, which brings an updated user interface containing new icons, a new toolbar, streamlined menus, dialogs, and an updated tabs interface.

[Image: New Tor 11 icons. Source: Tor Project]

However, the most significant change is the deprecation of V2 onion services, meaning Tor URLs using short 16-character hostnames are no longer supported.

When attempting to open a V2 onion service, Tor Browser will show users an "Invalid Onionsite Address" with an error code of 0xF6.

[Image: V2 Onion services are no longer supported]

"Last year we announced that v2 onion services would be deprecated in late 2021, and since its 10.5 release Tor Browser has been busy warning users who visit v2 onion sites of their upcoming retirement," the Tor Project explained in the Tor Browser 11 release notes.

"At long last, that day has finally come. Since updating to Tor 0.4.6.8 v2 onion services are no longer reachable in Tor Browser, and users will receive an “Invalid Onion Site Address” error instead."

With this change, Tor sites using V2 onion services will no longer be reachable, but admins can upgrade to a V3 onion service by adding the following lines to the torrc file.

    HiddenServiceDir /full/path/to/your/hs/v3/directory/
    HiddenServicePort :

As with all releases, there are always known issues and bugs that users need to be aware of.

The known issues in Tor 11 are listed below:

Bug 40668: DocumentFreezer & file scheme
Bug 40671: Fonts don't render
Bug 40679: Missing features on first-time launch in esr91 on MacOS
Bug 40689: Change Blockchair Search provider's HTTP method
Bug 40667: AV1 videos shows as corrupt files in Windows 8.1
Bug 40677: Since the update to 11.0a9 some addons are inactive and need disabling-reenabling on each start
Bug 40666: Switching svg.disable affects NoScript settings
Bug 40690: Browser chrome breaks when private browsing mode is turned off

You can download Tor 11.0 from the Tor Browser download page and the distribution directory.
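
For an operator checking which published addresses this deprecation affects, here is an added example (not code from the Tor Project or from the article) that classifies a hostname as a retired 16-character v2 address, a well-formed v3 address, or invalid. The v3 check follows the address layout in Tor's v3 onion service specification: base32 of the 32-byte public key, a 2-byte SHA3-256 checksum and the version byte 0x03. The function names are illustrative, and the v3 sample key is constructed.

```python
import base64
import hashlib

V3_VERSION = b"\x03"
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

def v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from 32 public-key bytes (used here for test data)."""
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def classify_onion(host: str) -> str:
    """Return 'v2-deprecated', 'v3', 'invalid' or 'not-onion'."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "not-onion"
    label = host[:-len(".onion")].split(".")[-1]  # ignore any subdomain labels
    if not label or set(label) - BASE32_ALPHABET:
        return "invalid"
    if len(label) == 16:
        return "v2-deprecated"  # unreachable since Tor 0.4.6.8
    if len(label) != 56:
        return "invalid"
    raw = base64.b32decode(label.upper())  # 56 base32 chars decode to 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != v3_checksum(pubkey):
        return "invalid"
    return "v3"  # format check only; does not prove the key is a valid ed25519 point

def deprecated_hosts(hosts):
    """Filter a list of configured hostnames down to the v2 ones."""
    return [h for h in hosts if classify_onion(h) == "v2-deprecated"]

# Constructed v3 address from a dummy 32-byte key; the v2 one is quoted on this page.
SAMPLE_V3 = encode_v3(bytes(range(32)))
SAMPLE_V2 = "brave5t5rjjg3s6k.onion"

if __name__ == "__main__":
    for h in (SAMPLE_V2, SAMPLE_V3, "example.com", "abc.onion"):
        print(h, "->", classify_onion(h))
```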


By Ben Kero, Devops Engineer at Brave

In 2018, Brave integrated Tor into the browser to give our users a new browsing mode that helps protect their privacy not only on device but over the network. Our Private Window with Tor helps protect Brave users from ISPs (Internet Service Providers), guest Wi-Fi providers, and visited sites that may be watching their Internet connection or even tracking and collecting IP addresses, a device’s Internet identifier.

We are, and always have been, hugely thankful for the work and mission that the Tor team brings to the world. To continue our support, we wanted to make our website and browser download accessible to Tor users by creating Tor onion services for Brave websites. These services are a way to protect users’ metadata, such as their real location, and enhance the security of our already-encrypted traffic. This was desired for a few reasons, foremost of which was to be able to reach users who could be in a situation where learning about and retrieving Brave browser is problematic.

We’ll go through the process of creating this setup, which you should be able to use to create your own onion service.

To start the process we ‘mined’ the address using a piece of software called a miner: I chose Scallion due to Linux support and GPU acceleration. Mining is the computationally expensive process of creating a private key to prove a claim on an onion address with a desired string. Onion (v2) addresses are 16 character strings consisting of a-z and 2-7. They end in .onion, and traffic to .onion domains does not exit the Tor network. V3 addresses are a longer, more secure address which will provide stronger cryptography, which we will soon migrate to.

In our case we wanted a string that started with ‘brave’ followed by a number. A six-character prefix only takes around 15 minutes when mined on a relatively powerful GPU (we used a GTX1080). The end result is a .onion address and a private key that allows us to advertise we are ready and able to receive traffic sent to this address. This is routed through a ‘tor’ daemon with some specific options.

After we mined our onion address we loaded it up in EOTK. The Enterprise Onion Toolkit is a piece of software that simplifies setting up a Tor daemon and OpenResty (a Lua-configurable nginx-based) web server to proxy traffic to non-onion web servers. In our case we are proxying traffic to brave.com domains. One last piece was required to complete the setup: a valid SSL certificate.

Without the certificate, upon starting EOTK for the first time, you’ll find that many web assets don’t load. This is due to using a self-signed SSL certificate. For some, this is acceptable. Many onion users are accustomed to seeing self-signed certificate warnings, however for the best experience a legitimate certificate from a CA is necessary. For now, the only certificate authority issuing certificates for .onion addresses is DigiCert. They provide EV certificates for .onion addresses including SANs, with the exciting addition of wildcard SANs, which are otherwise not allowed in an EV certificate!

Generating a private key and certificate signing request is done in the standard way with OpenSSL. For more information about how this is done see documentation here. An example of a CSR configuration file is shown below:

One snag was that the process of proving you own the address requires a few different steps of validation. One is the traditional EV due diligence of contacting a representative of the organization that is on-file with DigiCert. Another is a practical demonstration, either of a DNS TXT record or a HTTP request to a well-known URL path. Since the onion addresses don’t have the concept of DNS, TXT validation will be impossible. That leaves the only remaining option as the HTTP practical demonstration. The demonstration involves requesting a challenge from DigiCert, at which point they will send you a short string and a path that they need to see the string served at.

You then start a web server listening on that address on port 80 (non-SSL). They will send a GET request for that path. If they are able to successfully fetch the string, they know that you are in control of the address. Sadly, when I performed this song and dance with DigiCert the request did not work for 2 reasons. One was that EOTK was redirecting all of the non-SSL traffic to the SSL listener. The request failed since we were still running an EOTK-generated self-signed certificate. EOTK has a feature to serve short strings such as those required for this process using the “hardcoded_endpoint_csv” configuration option, but unfortunately it did not work due to the SSL redirect. I was able to modify the OpenResty configuration to move the configuration block responsible to the port-80 server section.

After consulting with the author, I was told that the “force_http” EOTK option will fix this. Another problem is that DigiCert’s automated validator evidently cannot route Tor traffic since requests still failed. Opening a chat session with a DigiCert rep solved this problem quickly though, especially after pointing out that DNS TXT validation is not possible, and providing a link to the .onion blog post referenced earlier.

We had to reissue certificates a few times (requiring more rounds of human validation for the EV cert requirements) in order to add some SAN wildcard subjects for our various subdomains (for example *.brave.com will not match example.s3.brave.com). One thing to note here is that even if you update the SAN subjects in your CSR, this will not add them to the reissued cert. They must be added through DigiCert’s web interface, and it can be easy to miss.

Once we had our certificate we fed this into EOTK and found that web pages started appearing correctly, and that downloads worked without receiving a certificate error! This was a very satisfying milestone and let me know that we were almost done.

EOTK does some string manipulation to rewrite URLs and some text on the pages so that they refer to the .onion addresses (example: a link to “brave.com/blog” becomes “brave5t5rjjg3s6k.onion/blog”). This is mostly desirable, although some strings should be preserved. For example we have several email addresses listed on brave.com such as [email protected]. This was being rewritten as [email protected]. Since we don’t (yet) run an email server as an onion service these email addresses won’t work, thus they should be preserved as [email protected]. EOTK has a “preserve_csv” option to maintain these static strings.

Another suggestion is to include an Onion-Location response header on your web site, which points to your onion address. This hints to the user and their browser that the site is also available as an Onion service, and that they can visit that site if they so choose.

Of course this novel daemon setup needed to run *somewhere*. In accordance with our standard devops practices at Brave, we wrote infrastructure-as-code using Terraform to deploy and maintain this. It is currently deployed in AWS EC2 with private keys secured in AWS SSM and loaded on boot. In a future iteration of the code we’d like to implement OnionBalance so that we can provide more redundancy and scalability to our onion services.

Hopefully this post has taught you how we’ve been able to set this up at Brave, and how you can replicate our success to run an onion service for yourself. If you have any questions please feel free to reach out to me at [email protected], or on Twitter at @bkero.

I’d like to thank Alec Muffett, the author of EOTK, for his invaluable assistance in helping me overcome all the challenges related to setting this up, and for encouraging me to do things the harder but more correct way. I’d also like to thank Kenyon Abbott at DigiCert for his assistance in helping with the process of issuing and re-issuing the certificate and enduring the multiple iterations necessary to get our certificate working.
