Policing hidden services

Could Tor go further with these kinds of self-enforced community rules? Arguably, yes.

The Tor network allows hidden services. A hidden service is a server that is identified by a public key rather than an IP address. The public key can be written down as characters, in which case it might look like this:

silkroadvb5piz3r.onion

In technical terms, that is the ASCII representation of an 80-bit hash of the public key of what was the Silk Road web server. The junk on the end is because you aren’t really supposed to be able to choose a name for your hidden service — they normally look entirely random. In this case Ulbricht ran a program that kept trying different random keys until he found one that started with the name of his site, but it would have taken a lot of computing power to generate such an address.

A hidden service still has an IP address, of course; you can’t receive internet traffic without one. But it doesn’t advertise that address in DNS like a normal website would (or indeed anywhere at all). Instead, a hidden service contacts some randomly selected Tor nodes via a regular Tor connection, so those nodes don’t find out the service’s IP address, and then asks those nodes to act as introduction points. Once it has found a bunch of introduction points, it uploads them along with its public key to a distributed hash table so other Tor users can find it.

Introduction points don’t actually relay traffic to the hidden service. That’s handled by randomly selected rendezvous points. However, they are still required for initiating connections.

Because the introduction points find out the identity of the hidden service they are being asked to do work on behalf of, there is no reason they could not simply refuse to help out hidden services which the node operator disagrees with. In the same way that exit nodes choose to allow or disallow certain services, other nodes could do the same for hidden services. Because a hidden service may change its public key (and therefore web address) from time to time, nodes could choose to subscribe to service policies that are updated by some third party.
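An added sketch of the check described above (not code from the original article or from Tor): it derives the legacy 16-character address as base32 of the first 80 bits of a SHA-1 hash of the service key, then consults a subscribed list. `IntroPolicy`, its versioned update format and the byte-string keys are assumptions made for illustration.

```python
import base64
import hashlib


def onion_address_v2(pubkey_der: bytes) -> str:
    """Legacy 16-character address: base32 of the first 80 bits of SHA-1(key)."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


class IntroPolicy:
    """Hypothetical per-node policy object (an assumption, not a Tor interface)."""

    def __init__(self):
        self.version = 0
        self.refused = set()

    def apply_update(self, version: int, refused_addresses) -> bool:
        """Install a third-party list only if it is newer than the current one."""
        if version <= self.version:
            return False  # stale or replayed update: keep the current list
        self.version = version
        self.refused = {a.strip().lower() for a in refused_addresses}
        return True

    def should_introduce(self, pubkey_der: bytes) -> bool:
        """Decide from the key the service presents, not from a claimed name."""
        return onion_address_v2(pubkey_der) not in self.refused


# Constructed stand-ins for DER-encoded service keys (not real keys).
OLD_KEY = b"constructed-service-key-1"
NEW_KEY = b"constructed-service-key-2"  # same service after rotating its key
OTHER_KEY = b"constructed-unrelated-service-key"


def demo():
    policy = IntroPolicy()
    policy.apply_update(1, [onion_address_v2(OLD_KEY)])
    before = [policy.should_introduce(k) for k in (OLD_KEY, NEW_KEY, OTHER_KEY)]
    # The rotated key hashes to a new address, so list v1 no longer matches it
    # until the publisher ships an update that names the new address.
    policy.apply_update(2, [onion_address_v2(OLD_KEY), onion_address_v2(NEW_KEY)])
    after = [policy.should_introduce(k) for k in (OLD_KEY, NEW_KEY, OTHER_KEY)]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The first result shows why a static list is not enough: the rotated key is served until the subscribed policy is refreshed.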

In this way, the Tor community could collectively choose what kind of hidden services it wishes to provide shelter for. Does that make the feature pointless? No. Hidden services, contrary to initial appearances, actually have many uses beyond running illegal websites. Some examples:

Security. They can make ordinary websites harder to hack, by running the most sensitive core on a hidden service separate from the primary website. As an example, Bitcoin pools have in the past been hacked and had money stolen not through any security failing of their own, but through compromise of the entire datacenter that hosted the servers. By running the code that held the private keys and made payouts on a hidden service whose real location was known only to the operator, it would become much harder to pull off such attacks.

Privacy from risky customers. Consider camgirls, who perform strip shows in front of web cams for money. Such shows are legal and frequently have thousands of viewers, but performers have to rely on expensive centralised sites that shield their identity from creepy customers who might try and track them down and make the show into reality. Tor and Bitcoin give them the tools they need to engage in their business without fear.

Fighting totalitarian surveillance. It’s an open question what kind of capabilities the NSA and GCHQ have built against Tor. The latest leaks from Snowden are based on 6-year-old presentations and provide little insight. But there is no doubt that Tor makes their job significantly harder and raises the bar for engaging in pointless, global surveillance of ordinary citizens. Running more traffic over Tor is something everyone should do, even if that traffic is by itself quite harmless and uninteresting. By increasing the cost to watch people who are doing no wrong, we force the intelligence agencies to focus on the truly bad apples.

Nodes refusing to act as introduction points for a particular hidden service would not immediately shut down that service — as long as at least a few nodes are willing to do it, the site will remain operational. But typically the behaviour of other people is not what concerns a node operator; they care about how their own resources are used, and whether their expenditure is furthering their goals or acting against them.