
posted by NCommander on Tuesday April 01 2014, @10:00PM
from the this-won't-make-you-cry dept.
In our ongoing commitment to our users' privacy, we've introduced the ability to reach this site directly through Tor. Without further ado:

Since these services are reachable inside the Tor network and do not need to pass through an exit node, it should be considerably faster to access SoylentNews via the onion links than to go through an exit node to the clearnet site. There are a couple of caveats you should be aware of, though, when using this service.

When you browse us through Tor, a bit of magic happens on the backend (a process I like to call auto-onioning): the page is rewritten so that our normal links become Tor links. For instance, a link to our wiki will automatically be replaced with its onion equivalent. Unfortunately, the process is bi-directional (a side-effect of mod_substitute), so if you post a link for which we have an auto-onion entry, the onion link will show up on the main index. Auto-onioning is only applied to users coming in from Tor, not to regular visitors. We'll probably tweak Slash to de-onion links as they come in, but just be aware of it for now.
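The two halves of that process, as an added example (my code, not SoylentNews' Apache configuration or Slash code): an outbound host rewrite of the kind mod_substitute performs for Tor visitors, and the inbound "de-onion" step the post says is still missing, which stores any pasted onion link in its clearnet form so it cannot leak onto pages served to regular visitors. The main-site onion name is the one that appears in the comments on this story; the wiki onion name is a placeholder. Because the onion side has no SSL yet, the rewrite downgrades links to http://; restoring a specific scheme on the way in is likewise an assumption. The rewrite is anchored on the scheme, so it applies to any text body, including absolute url() references in a stylesheet, and "soylentnews.org" cannot match inside "wiki.soylentnews.org".

```python
import re

# Clearnet host -> onion host.  The first entry is the main-site onion name
# referred to in this story's comments; the wiki entry is a PLACEHOLDER for
# the example, not a real SoylentNews address.
ONION_MAP = {
    "soylentnews.org": "7rmath4ro2of2a42.onion",
    "wiki.soylentnews.org": "wiki-placeholder.onion",
}


def _host_re(host):
    # Scheme + exactly this host; the scheme anchors the match so a bare
    # domain cannot fire in the middle of a longer subdomain.
    return re.compile(r"https?://" + re.escape(host) + r"(?![\w-])")


def onionize(body, mapping=ONION_MAP):
    """Outbound rewrite: what auto-onioning does to a response served to a Tor
    visitor.  Links become http:// because the onion side has no SSL yet."""
    for clear, onion in mapping.items():
        body = _host_re(clear).sub("http://" + onion, body)
    return body


def deonionize(body, mapping=ONION_MAP):
    """Inbound normalisation: the 'de-onion links as they come in' step.  Any
    onion link a Tor visitor pasted is stored as its clearnet URL.  Plain
    http:// is assumed here; site-side redirects decide TLS."""
    for clear, onion in mapping.items():
        body = _host_re(onion).sub("http://" + clear, body)
    return body


def store_comment(submitted):
    """What the submission path should do on the way in."""
    return deonionize(submitted)


def render(stored, via_tor):
    """What the output filter does on the way out, per visitor.  Without
    store_comment(), a stored onion link is shown to clearnet visitors too."""
    return onionize(stored) if via_tor else stored
```

Run store_comment() on every submission and the per-visitor rewrite becomes one-directional again: clearnet visitors only ever see clearnet links, and Tor visitors get the onion form regenerated on output.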

Furthermore, since the final hop to Varnish is within the Linode data centre, users from Tor will always show up with a consistent IPID. This allows user accounts to work properly while onioned. At the moment we don't support SSL through Tor, as we've not created the necessary CA and self-signed certificates. This is on the TODO list and should show up sometime this week (we'll announce it when we do).

The consistent IP however means that staff can see if a user is coming in from Tor due to the consistent IPID. While we do not publish our IPIDs publicly, you should be aware that any of us can check to see where a given post is coming from. Furthermore, our rate limiting software works on a per-IP basis. We've tested Tor with several users at once and didn't trip the rate limiting, but if people start getting 429 errors, we'll modify the rules to give nitrogen (the Tor relay) more requests per second in an attempt to keep it up.
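Why a single shared IPID collides with per-IP rate limiting, as an added example (my code; the story does not name the rate-limiting software it actually uses): a token-bucket limiter keyed by client IP, a constructed burst of ten onion visitors who all arrive from one ingress address, and the per-IP override the post proposes for that address. The ingress address and all traffic are made up; integer milli-tokens and millisecond timestamps keep the arithmetic exact.

```python
from dataclasses import dataclass

# Made-up stand-in for the fixed address that all onion visitors arrive from
# (what the story calls nitrogen's consistent IPID).
TOR_INGRESS_IP = "10.0.0.1"


@dataclass
class Bucket:
    tokens: int    # milli-tokens (1000 = one request)
    last_ms: int   # time of the last refill


class IpRateLimiter:
    """Token bucket per client IP.  overrides maps an IP to its own
    (requests_per_second, burst) so one shared ingress can be sized apart."""

    def __init__(self, rps, burst, overrides=None):
        self.default = (rps, burst)
        self.overrides = dict(overrides or {})
        self.buckets = {}

    def allow(self, ip, now_ms):
        rps, burst = self.overrides.get(ip, self.default)
        b = self.buckets.get(ip)
        if b is None:
            b = Bucket(tokens=burst * 1000, last_ms=now_ms)
            self.buckets[ip] = b
        # Refill: dt_ms * rps milli-tokens, capped at the burst size.
        b.tokens = min(burst * 1000, b.tokens + (now_ms - b.last_ms) * rps)
        b.last_ms = now_ms
        if b.tokens >= 1000:
            b.tokens -= 1000
            return True
        return False          # caller answers 429


def constructed_traffic():
    """Constructed: ten onion visitors, five requests each, spread over one
    second and all seen as TOR_INGRESS_IP; plus three clearnet visitors
    (RFC 5737 addresses) making five requests each in the same second."""
    events = [(i * 20, TOR_INGRESS_IP) for i in range(50)]
    for n in range(3):
        events += [(i * 200 + n * 7, "192.0.2.%d" % (n + 1)) for i in range(5)]
    return sorted(events)


def simulate(limiter, events):
    """Replay (time_ms, ip) events; return {ip: (allowed, rejected)}."""
    stats = {}
    for t, ip in events:
        a, d = stats.get(ip, (0, 0))
        stats[ip] = (a + 1, d) if limiter.allow(ip, t) else (a, d + 1)
    return stats


if __name__ == "__main__":
    ev = constructed_traffic()
    print("default   ", simulate(IpRateLimiter(5, 10), ev))
    print("override  ", simulate(IpRateLimiter(5, 10, {TOR_INGRESS_IP: (50, 100)}), ev))
```

With the default 5 req/s and a burst of 10, the three clearnet visitors are never limited, but 36 of the 50 onion requests are rejected because they all draw from one bucket; giving the ingress address its own (50, 100) allowance lets all of them through. The override is keyed on the address, so it should be scoped to exactly that ingress and revisited if the onion service ever moves.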

Furthermore, when using Tor, you're still using the old and dingy IPv4 protocol (shockingly, Tor does *not* support IPv6 for hidden services, which surprised me; it is the only component of our backend that doesn't support it). This service should be considered experimental, and may go away, break in two, eat your children, or render the user sterile. You have been warned.

Related Stories

Tor 0day: Finding IP Addresses

Tor 0day: Finding IP Addresses - The Hacker Factor Blog:

Last February, my Tor onion service came under a huge Tor-based distributed denial-of-service (DDoS) attack. I spent days analyzing the attack, developing mitigation options, and defending my server. (The Tor service that I run for the Internet Archive was down for a few hours, but I managed to keep it up and running through most of the attack.)

While trying to find creative ways to keep the service up, I consulted a group of friends who are very active in the network incident response field. Some of these are the people who warn the world about new network attacks. Others are very experienced at tracking down denial-of-service attacks and their associated command-and-control (C&C) servers. I asked them if they could help me find the source of the attack. "Sure," they replied. They just needed my IP address.

I read off the address: "152 dot" and they repeated back "152 dot". "19 dot" "19 dot" and then they told me the rest of the network address. (I was stunned.) Tor is supposed to be anonymous. You're not supposed to know the IP address of a hidden service. But they knew. They had been watching the Tor-based DDoS. They had a list of the hidden service addresses that were being targeted by the attack. They just didn't know that this specific address was mine.

As it turns out, this is an open secret among the internet service community: You are not anonymous on Tor.

It turns out that there are some flaws in the design of Tor services, which this story very ably explains. Quite readable, too.

[NB: SoylentNews has supported Tor since April 1, 2014 (yes, really). In light of today's story, is this something that SoylentNews should continue to support? I suspect bots are making use of it to create accounts here. It would probably require some work to disable Tor properly, so I am not anticipating immediate removal. This is more trying to get input from the community. What say you? --martyb]


  • (Score: 1) by dast (1633) on Tuesday April 01 2014, @10:19PM (#24500)

    Will the RSS/Atom feed be available through Tor?

    Off topic: Can we get the full article bodies included in the feed, pretty please with Bacon on top? ;)

    • (Score: 1) by starcraftsicko (2821) on Tuesday April 01 2014, @10:25PM (#24503)

      I heard somewhere that RSS was a dying protocol due to be laid to rest alongside cuneiform, fax machines, usenet, gopher, and IRC.

      So... how about a gopher site?

      --
      This post was created with recycled electrons.
      • (Score: 2) by mattie_p (13) on Tuesday April 01 2014, @10:40PM (#24512)

        I don't think I'm spilling the beans here, but NCommander was actually working on getting the site running over gopher, but stopped due to other priorities. Look for it later.

      • (Score: 1) by archshade (3664) on Tuesday April 01 2014, @11:54PM (#24526)

        What? Where did you hear that RSS was dying?

        I have a few RSS feeds in my browser. OK, one is for the other site (maybe I should lose that one), one is here. I don't really want to check 10s of websites when I can just hover my mouse across the top of my screen. I also use it in a script to get the latest from the BBC Friday night comedy radio podcast.

        Please Internet PTB don't take RSS from me

        • (Score: 1) by Yog-Yogguth (1862) on Wednesday April 02 2014, @12:13AM (#24534)

          I ragequit that /. RSS feed just now when I discovered ?nobeta=1 no longer works as it used to. No more hoops.

          Buck Feta? Duck Fice! *goes to change signature line*

          --
          Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
      • (Score: 2) by everdred (110) on Tuesday April 01 2014, @11:57PM (#24527)

        I, for one, can't wait until more sites drop RSS support. Fewer sites I need to worry about ever reading.

      • (Score: 1) by ticho (89) on Wednesday April 02 2014, @06:43AM (#24642)

        If only. If only RSS could die and everyone would switch to Atom. Or, you know, other way around. JUST PICK ONE FORMAT ALREADY.

  • (Score: 4, Informative) by solozerk (382) on Tuesday April 01 2014, @10:30PM (#24505)

    An excellent move... the tor network needs more legitimacy and this kind of move helps a lot.

    The recent change [deepdotweb.com] from the hidden wiki to the more open, but also more moral wikitor helps a lot too IMHO.

  • (Score: 3, Insightful) by tynin (2013) on Tuesday April 01 2014, @10:40PM (#24513)

    A nice hot piece of corn muffin bread, sliced in half and smeared with melting butter. A pile of super thin sliced bacon cooked to the point that it is so crispy that it attempts to melt in your mouth. And the onions, oh the sautéed onions, cooked in bacon grease till translucent but still firm. All layered together in a sandwich of perfection. ::drool::

    • (Score: 1) by LukeSkywalker (1190) on Wednesday April 02 2014, @02:40PM (#24837)

      If I eat the baconmuffins will that protect me from the threat of tor user sterilization?

  • (Score: 1) by physicsmajor (1471) on Tuesday April 01 2014, @10:57PM (#24517)

    I'm referencing this statement:

    "The consistent IP however means that staff can see if a user is coming in from Tor due to the consistent IPID. While we do not publish our IPIDs publicly, you should be aware that any of us can check to see where a given post is coming from."

    Is this logged? If so, for what length of time? I'm mainly asking because, as a USA based entity, NSA letters could force disclosure of these data. Tor users prize anonymity and I support the development of this feature, but at present would be skittish to use it due to such persistence. Or I'd ensure that I never log in to the site, which somewhat obviates the utility and appeal.

    I'm not sure how to address this type of concern in a satisfactory way post-Snowden revelations, other than swearing you do not log or retain such data and never will.

    • (Score: 3, Informative) by NCommander (2) <michael@casadevall.pro> on Wednesday April 02 2014, @12:38AM (#24543)

      The IPID is logged, and we don't currently have a deletion policy; perhaps something to change. That being said, even when using exit nodes, it is always possible to know when a user is coming from tor by checking IPs against exit nodes - the TorBlock plugin for mediawiki does this for instance.

      In short, it is always possible to know if someone is using Tor due to the way the network works; it's just difficult to know who is on the other end.

      --
      Still always moving
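The check NCommander describes, as an added example (my code, not the TorBlock plugin's and not anything SoylentNews runs): parse a bulk exit list in the record layout the Tor Project publishes (ExitNode, Published, LastStatus and ExitAddress lines), then classify a request's source address as coming from a Tor exit, from the onion service's fixed ingress address, or directly. The list below is constructed; its fingerprints are made up and its addresses are RFC 5737 documentation ranges, not real relays, and the ingress address is likewise a placeholder.

```python
import ipaddress

# Constructed sample in the layout of the Tor Project's bulk exit list.  One
# relay may carry several ExitAddress lines (multi-homed exits).  All values
# here are made up; the addresses are documentation ranges, not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2014-04-01 20:03:51
LastStatus 2014-04-01 21:02:39
ExitAddress 198.51.100.7 2014-04-01 21:05:04
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2014-04-01 19:44:10
LastStatus 2014-04-01 21:02:39
ExitAddress 203.0.113.21 2014-04-01 21:01:12
ExitAddress 203.0.113.22 2014-04-01 21:01:12
ExitAddress not-an-address 2014-04-01 21:01:12
"""

# Made-up stand-in for the fixed address all onion visitors arrive from.
TOR_INGRESS_IP = "10.0.0.1"


def parse_exit_addresses(text):
    """Return {exit_ip: relay_fingerprint}.  Lines that are not a valid IP are
    skipped rather than trusted, since the list is fetched over the network."""
    exits, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) > 1:
            current = parts[1]
        elif parts[0] == "ExitAddress" and current and len(parts) > 1:
            try:
                ip = str(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
            exits[ip] = current
    return exits


def classify(client_ip, exits, onion_ingress_ip=TOR_INGRESS_IP):
    """Label where a request came from: the onion service's single ingress
    address, a known Tor exit, or a direct (non-Tor) client."""
    if client_ip == onion_ingress_ip:
        return "tor-onion"
    if client_ip in exits:
        return "tor-exit"
    return "direct"


def tag_posts(posts, exits):
    """Annotate (post_id, client_ip) records the way a moderator view could."""
    return [(pid, ip, classify(ip, exits)) for pid, ip in posts]
```

The list only tells you that a request came through Tor, never who sent it, which is exactly the distinction the comment draws; keep the list fresh, because an address that has stopped being an exit keeps matching until it is re-fetched.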
    • (Score: 1) by _NSAKEY (16) on Wednesday April 02 2014, @01:53AM (#24560)

      Web servers being used as hidden services only show 127.0.0.1 in the access logs, so it's somewhat of a non-issue.

      Speaking of non-issues, SSL over hidden services isn't really needed, since the tor network handles end to end crypto.

  • (Score: 1) by zip (702) on Wednesday April 02 2014, @12:12AM (#24533)

    Would be nice if the images on the tor site were hosted there too and not be linked from the clearnet site (request policy blocked it for me, otherwise I would not have noticed).

    • (Score: 2) by NCommander (2) <michael@casadevall.pro> on Wednesday April 02 2014, @07:45AM (#24653)

      Can you clarify on this? What images aren't going through tor?

      Everything is hosted on the same box, so unless we've got a URL fuckup somewhere in the backend (which is possible, I just nuked a li694-22 URL last week), they should all appear coming from the onion site.

      --
      Still always moving
      • (Score: 1) by zip (702) on Wednesday April 02 2014, @11:20PM (#25237)

        It looks like the images linked from the stylesheets are not onionized because they are absolute urls.

        $ curl -s 'http://7rmath4ro2of2a42.onion/slashcode.css?slashcode_14_04' | grep soylentnews.org | wc -l
        25

      • (Score: 0) by Anonymous Coward on Thursday June 05 2014, @07:38PM (#51865)

        So I finally got around to trying Tor just to see how soylent worked. In honor of reset the net day and all.
        I can't make https://7rmath4ro2of2a42.onion/ [7rmath4ro2of2a42.onion] work. I see from the article summary you were hoping to get it working in a week or so.

        Also, I'd like to request that you change the encryption options when you do turn it on. The regular site has SHA-384 turned on, which actually causes Firefox to fall back to a less secure connection with SHA-1. Originally you guys didn't have SHA-384 and it was more secure for most people.

        Use this SSL scanner to see what the webserver is offering up and compare it to other sites like Google or even Qualys's own website:

        https://www.ssllabs.com/ssltest/ [ssllabs.com]