[Note: This item comes from friend Jen Snow. DLH]
It’s About To Get Even Easier to Hide on the Dark Web
By Andy Greenberg
Jan 29 2017
Sites on the so-called dark web, or darknet, typically operate under what seems like a privacy paradox: While anyone who knows a dark web site’s address can visit it, no one can figure out who hosts that site, or where. It hides in plain sight. But changes coming to the anonymity tools underlying the darknet promise to make a new kind of online privacy possible. Soon anyone will be able to create their own corner of the internet that’s not just anonymous and untraceable, but entirely undiscoverable without an invite.
Over the coming months, the non-profit Tor Project will upgrade the security and privacy of the so-called “onion services,” or “hidden services,” that enable the darknet’s anonymity. While the majority of people who run the Tor Project’s software use it to browse the web anonymously, and circumvent censorship in countries like Iran and China, the group also maintains code that allows anyone to host an anonymous website or server—the basis for the darknet.
That code is now getting a revamp, set to go live sometime later this year, designed to both strengthen its encryption and to let administrators easily create fully secret darknet sites that can only be discovered by those who know a long string of unguessable characters. And those software tweaks, says Tor Project co-founder Nick Mathewson, could not only allow tighter privacy on the darknet, but also help serve as the basis for a new generation of encryption applications.
“Someone can create a hidden service just for you that only you would know about, and the presence of that particular hidden service would be non-discoverable,” says Mathewson, who helped to code some of the first versions of Tor in 2003. “As a building block, that would provide a much stronger basis for relatively secure and private systems than we’ve had before.”
Most darknet sites today make no secret of their existence, widely publicizing their “.onion” web addresses on the regular web and social media for potential visitors. Any whistleblower can visit WikiLeaks’ anonymous upload system, for instance, by pasting wlupld3ptjvsgwqw.onion into their Tor browser, and many thousands of drug customers and dealers knew that the notorious dark web drug market Silk Road could be found at silkroadvb5piz3r.onion before the FBI took it offline.
But even without knowing a Tor hidden service’s address, another trick has allowed snoops, security firms, hackers, and law enforcement to discover them. Tor’s network comprises volunteers’ computers that serve as “nodes,” bouncing traffic around the globe. Anyone can position their computer as a particular sort of node—one of thousands of “hidden service directories” that route visitors to a certain hidden service.
For that routing system to work, all hidden services have to declare their existence to those directories. A study released at the hacker conference Defcon last year showed that more than a hundred of the 3,000 or so hidden service directories were secretly crawling every site whose address they learned, in order to scan the dark web for previously undiscovered sites.
“The only people who should know about your hidden service are the people you tell about it,” says John Brooks, the creator of the Tor-based chat program Ricochet. “That’s a pretty simple concept, and it’s currently not true.”
The next generation of hidden services will use a clever method to protect the secrecy of those addresses. Rather than declaring their .onion address to hidden service directories, they’ll derive a unique cryptographic key from that address, and give that key to Tor’s hidden service directories. Any Tor user looking for a certain hidden service can perform that same derivation to check the key and route themselves to the correct darknet site. But the hidden service directory can’t derive the .onion address from the key, preventing snoops from discovering any secret darknet address. “The Tor network isn’t going to give you any way to learn about an onion address you don’t already know,” says Mathewson.
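The derivation described above, sketched as an added example (not code from the article or from the Tor Project). It goes beyond the article by using the address encoding that next-generation onion services later shipped with. Assumptions: a plain SHA3-256 hash stands in for Tor's Ed25519 key blinding, and the `demo-blind` label, the period numbers, the `Directory` class and the sample key are all made up for illustration.

```python
import base64
import hashlib

VERSION = b"\x03"  # version byte of next-generation (v3) onion addresses

def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def make_address(pubkey: bytes) -> str:
    """Encode a 32-byte service public key as a 56-character .onion address."""
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def pubkey_from_address(addr: str) -> bytes:
    """Recover the public key from an address, rejecting typos and bad versions."""
    raw = base64.b32decode(addr.removesuffix(".onion").upper())
    pubkey, check, ver = raw[:32], raw[32:34], raw[34:]
    if len(raw) != 35 or ver != VERSION or check != _checksum(pubkey):
        raise ValueError("not a valid v3 onion address")
    return pubkey

def lookup_id(addr: str, period: int) -> str:
    """Per-period directory identifier. ASSUMPTION: a plain SHA3-256 hash
    stands in for Tor's Ed25519 key blinding; the label is made up."""
    material = b"demo-blind" + pubkey_from_address(addr) + period.to_bytes(8, "big")
    return hashlib.sha3_256(material).hexdigest()

class Directory:
    """Hypothetical directory node: it only ever sees derived identifiers."""
    def __init__(self):
        self.store = {}
    def publish(self, ident: str, descriptor: bytes) -> None:
        self.store[ident] = descriptor
    def fetch(self, ident: str):
        return self.store.get(ident)

if __name__ == "__main__":
    # Constructed 32 bytes standing in for a service key (not a real Ed25519 key).
    addr = make_address(hashlib.sha3_256(b"constructed demo key").digest())
    directory = Directory()
    directory.publish(lookup_id(addr, 17000), b"intro points (constructed)")
    # A client that was told the address repeats the derivation and finds it.
    print(directory.fetch(lookup_id(addr, 17000)))
    # The directory's own view holds no address, and the id rotates per period.
    print(list(directory.store), lookup_id(addr, 17001) in directory.store)
```

A hash captures only the one-way lookup property the article describes; real key blinding additionally lets the directory verify that a descriptor was signed by the holder of the derived key.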