from the this-won't-make-you-cry dept.
- SoylentNews (this page): http://7rmath4ro2of2a42.onion
- Development Site: http://skgmctqnhyvfava3.onion
- Wiki: http://kvs3xgkasyoqd4hx.onion
- Site Status: http://kvs3xgkasyoqd4hx.onion
Since these services are accessible directly in the Tor network, and do not need to pass through an exit node, it should be considerably faster to access SoylentNews via the onion links than going through directly. There are a couple of caveats you should be aware of, though, when using this service.
Furthermore, as the final hop to varnish is in the Linode data centre, users from Tor will always show up with a consistent IPID. This allows user accounts to work properly while being onioned. At the moment, we don't support SSL through Tor, as we've not created the necessary CA and self-signed certificates. This is on the TODO list, and should show up sometime this week (we'll announce it when we do).
The consistent IP, however, means that staff can see whether a user is coming in from Tor, because of the consistent IPID. While we do not publish our IPIDs publicly, you should be aware that any of us can check to see where a given post is coming from. Furthermore, our rate limiting software works on an IP basis. We've tested Tor with several users at once and didn't trip the rate limiting, but if people start getting 429 errors, we'll modify the rules to give nitrogen (the Tor relay) more requests per second in an attempt to keep it up.
Furthermore, when using Tor, you're still using the old and dingy IPv4 protocol (shockingly, Tor does *not* support IPv6 hidden nodes, which surprised me; it is our only backend component that doesn't support it). This service should be considered experimental, and may go away, break in two, eat your children, or render the user sterile. You have been warned.
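The per-IP rate-limiting caveat above, as an added example (not SoylentNews code): a token-bucket limiter keyed on source IP, showing why users funnelled through one relay address collect 429s that the same users on separate addresses would not, and how a per-address allowance for the relay avoids it. The limits, the addresses and the `simulate` helper are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    rate: float    # tokens refilled per second
    burst: float   # bucket capacity
    tokens: float  # tokens currently available
    last: float    # time of the previous request

    def allow(self, now: float) -> bool:
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class PerIPLimiter:
    """One bucket per source IP, with optional per-IP (rate, burst) overrides."""
    def __init__(self, rate, burst, overrides=None):
        self.default = (rate, burst)
        self.overrides = overrides or {}
        self.buckets = {}

    def status(self, ip: str, now: float) -> int:
        if ip not in self.buckets:
            rate, burst = self.overrides.get(ip, self.default)
            self.buckets[ip] = Bucket(rate, burst, tokens=burst, last=now)
        return 200 if self.buckets[ip].allow(now) else 429

# Constructed placeholder for the address the backend sees for all onion traffic.
TOR_RELAY_IP = "198.51.100.7"

def simulate(limiter, users=16, seconds=10, via_tor=False) -> int:
    """Each user sends 1 request/second; returns how many requests got a 429."""
    rejected = 0
    for sec in range(seconds):
        for u in range(users):
            now = sec + u / users  # spread the users evenly across the second
            # Direct users each have their own (constructed) address;
            # onion users all appear as the relay.
            ip = TOR_RELAY_IP if via_tor else f"192.0.2.{u + 1}"
            if limiter.status(ip, now) == 429:
                rejected += 1
    return rejected

if __name__ == "__main__":
    print("direct users:", simulate(PerIPLimiter(4, 8)))
    print("via relay, default limit:", simulate(PerIPLimiter(4, 8), via_tor=True))
    relaxed = PerIPLimiter(4, 8, overrides={TOR_RELAY_IP: (32, 32)})
    print("via relay, raised limit:", simulate(relaxed, via_tor=True))
```

The trade-off of the raised allowance is that a single abusive client behind the relay shares it with everyone else, so per-account limits still matter for onion traffic.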
Last February, my Tor onion service came under a huge Tor-based distributed denial-of-service (DDoS) attack. I spent days analyzing the attack, developing mitigation options, and defending my server. (The Tor service that I run for the Internet Archive was down for a few hours, but I managed to keep it up and running through most of the attack.)
While trying to find creative ways to keep the service up, I consulted a group of friends who are very active in the network incident response field. Some of these are the people who warn the world about new network attacks. Others are very experienced at tracking down denial-of-service attacks and their associated command-and-control (C&C) servers. I asked them if they could help me find the source of the attack. "Sure," they replied. They just needed my IP address.
I read off the address: "152 dot" and they repeated back "152 dot". "19 dot" "19 dot" and then they told me the rest of the network address. (I was stunned.) Tor is supposed to be anonymous. You're not supposed to know the IP address of a hidden service. But they knew. They had been watching the Tor-based DDoS. They had a list of the hidden service addresses that were being targeted by the attack. They just didn't know that this specific address was mine.
As it turns out, this is an open secret among the internet service community: You are not anonymous on Tor.
It turns out that there are some flaws in the design of Tor services, which this story very ably explains. Quite readable, too.
[NB: SoylentNews has supported Tor since April 1, 2014 (yes, really). In light of today's story, is this something that SoylentNews should continue to support? I suspect bots are making use of it to create accounts here. It would probably require some work to disable Tor properly, so I am not anticipating immediate removal. This is more trying to get input from the community. What say you? --martyb]