a series of tubes

A Journalist asked me some background about Tor to balance some perspectives and commentary in an interview with Andrew Lewman. This was my response, mildly edited for flow, grammar & typos, and with links added. I feel that it’s worth sharing…

I don’t think I encountered Andrew when he was at the Tor project; according to Google he left in April 2015, and I didn’t start to become a credible source on any aspect of Tor until several months after that — once all the “let’s ratify the onion top level domain name” stuff began to gain momentum.

Andrew’s schtick is pretty-much what I would expect from people who have bought into the mythos of “THE DARK WEB” as being something from which folk need to be protected, or similar.

Speaking as a lifelong (?) security and network engineer: At its core “Tor” is a separate network stack, layered on top of TCP/IP, and it should be treated as such.

Folk have a tendency to conflate “Tor” with “Tor Browser” and thence to think of the whole as some kind of “anonymity app”; and then they bring a whole bunch of social prejudices along with their descriptions.

To be frank, it’s understandable that they do this because not even Tor themselves fully realised the truth until a few years ago; they and everyone else were caught up in “Dark Web” and “Hidden Service” bullshit.

But the truth is: Tor is End-to-End Encryption for Computers to talk to other Computers.

All that argument about Apple-vs-FBI: about the uninterceptability (sp?) of communications, about “going dark” — and all the benefits that we associate with “E2E” being enabled for WhatsApp and Signal? It’s exactly the same issue as is expressed about Onion Networking: collective uncertainty about enabling unblockable, private, and unsurveillable communication.

Where Signal & WhatsApp (etc) enable E2E encrypted communications between humans — with emojis and short text messages and the like — the Tor protocol enables end-to-end encrypted communications between computers — eg: Tor Browser on your laptop at one end, and an Onion Site at the other.

This is not only decentralised and distributed, it is disintermediated communication: there’s no DNS-name to be censored, nor spoofed nor hijacked, there’s no fixed network route to be blocked, there’s no firewall to be bypassed nor a single big ISP router to be DDoSed by some attacker.

In short: Tor is a very attractive proposition for secure networking.

If you’re an enterprise of some kind — perhaps a newspaper covering a country where network blocks on the media are regularly imposed; or a sexual health clinic that offers services to teens in religiously prescriptive countries; or a social network which knows that many hundreds of thousands of people access it already over Tor, but who want to give them a better experience than that of using Tor like some shitty proxy network.

Not merely with an Onion address are you offering people a block-resistant, E2E-encrypted means to communicate with you, but also you are virtually guaranteeing that they are using TorBrowser at their local end, thereby minimising the digital footprints they may leave behind.

I like to see this as a progression: with HTTP we used to be amazed that packets got from A to B at all; then we demanded some degree of privacy and integrity with the arrival of HTTPS — and the two are now used in complementary roles, each where most appropriate.

Now with the sudden realisation that “Wow, Onion Networking Kinda Makes Sense” — there is another quality that we can offer: “discretion”, and along with that comes “block-resistance” and bombproof “identity”, the latter far more certain than one achieves solely with HTTPS and DNS.

HTTPS and Onions are quite a winning combination for commercial sites — but then I would say that. Together HTTPS protects your data at the level of “web-browsers talking to web-servers”, and Onion Networking reinforces that at the “series of tubes”-level of computers talking to computers.

It’s like having seatbelt-and-airbags, belt-and-braces. :-)

Not everyone needs to offer their websites discreetly, of course, but that’s okay. This is not a zero-sum game, this is not like “one thing must lose for the other to win”. There’s plenty of space for diverse value to offer to users, and it’s nice to have a bigger box of tools.

With this in mind — and I hesitate to mention this because I don’t want this to come across as a puff piece — I wrote EOTK / Enterprise Onion Toolkit, which helps people add an Onion address to a pre-existing cleartext website. A kind-of “Let’s Encrypt” for Onions. It works pretty good:

https://motherboard.vice.com/en_us/article/new-tool-takes-mere-minutes-to-create-dark-web-version-of-any-site

…but do ask if you want to know more about that.

Andrew’s claims seem typical of the dark web genre; there may be some grounding in fact, but I am empirically reasonably convinced that there is more net badness overall to be found on the normal Internet, hidden behind usernames, passwords, and plain old HTTPS, than there is to be found on the “Dark Web”.

But then, in a sense, this is just a restatement of the “Dark Web” vs: “Deep Web” dichotomy; see the recent Associated Press Stylebook updates for those (and other) terms, for details.

Andrew is right to say that there are quite a few shitty apps with poor user experiences which are trying to leverage Tor for sexiness-points; but then the early days of the Internet were pretty similar. Early web browsers (and Gopher!) were text-based, frustrating, and sucked. At least TorBrowser can leverage well-understood technologies for building new communication tools.

Speed? Well, perhaps I’m atypical, but I’m streaming HD video over Onions quite frequently. It generally works okay so long as you avoid Flash (which, in any case, is evil). If helps if the person setting up the Onion site is competent. Given that 4 years ago this would have been unthinkable, I feel quite optimistic about Tor.

And that’s probably the note I should end upon. A lot of my peers are — frankly — pessimists. They are looking at the current space of “security” and are looking at the evil that men do, extrapolating from one to the other and concluding that “surely more private communication = more evil?”

I’m an optimist. I’m a builder. I like having more tools so that I can give people more security, more options and more help. So, for me, Onion Routing and Tor are a fabulous new ingredient to cook with.