Tor soups up onion sites with bountiful browser bump: No more tears trying to find the secure sites you want

Latest Tor Browser iteration makes the dark web a bit more memorable

The Tor Project this week rolled out an update to its browser that attempts to make the anonymity-protecting onion routing scheme more approachable.

Version 9.5 arrives on the back of Firefox 77, which debuted on Tuesday with few noteworthy additions beyond security fixes. The Tor Browser is based on a foundation of Firefox code, but goes further in an attempt to provide proper anonymity online.

Online anonymity cannot be guaranteed, but the Tor Browser and Tor protocol are among the most well-regarded privacy protection technologies available to the public and – if properly used – make identification difficult for all but the most capable of adversaries.

The Tor Project itself emerged from federally funded research led by the US Office of Naval Research and DARPA. Tor is an acronym for the original name of the project, The Onion Router, an encrypted networking protocol designed to support anonymous communication – although paradoxically a popular website for Tor users is Facebook.

"With onion services (.onion addresses), website administrators can provide their users with anonymous connections that are metadata-free or that hide metadata from any third party," explains Antonela Debiasi, a UX designer for The Tor Project, in a blog post. "Onion services are also one of the few censorship circumvention technologies that allow users to route around censorship while simultaneously protecting their privacy and identity."

Onion services (e.g. DuckDuckGo's onion site, https://3g2upl4pq6kufc4m.onion/) are accessible through the Tor Browser, or a browser like Firefox if the Tor software is installed locally and the browser has been configured to deal with .onion addresses.

Navigation through dark waters

But they're not very easy to discover. The latest Tor Browser lets web publishers advertise their onion service to Tor users through an HTTP header. Those visiting a website that has an .onion address and the Onion Location setting enabled will see a label in the web address bar saying that a secure service is available, along with a prompt to switch to the onion protocol.

This capability is intended to complement another service discovery mechanism known as HTTP Alternative Services, a way for servers to tell clients about alternative addresses or protocols.
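For site operators who want to check what they are advertising, here is an added example (not code from The Tor Project or from this article) that tests whether a response's header would qualify for the prompt. The header name `Onion-Location` and the three acceptance conditions follow the Tor Project's published documentation rather than this article; the address-shape check on the label before `.onion` is an extra hygiene rule of this example, and `example.org` and `mirror.example.net` are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# Base32 label lengths: 16 chars (v2, like the addresses quoted in the article)
# or 56 chars (v3). This shape check is this example's own extra rule.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def is_onion_host(host):
    """True if host ends in .onion and the label before it looks like an onion address."""
    labels = (host or "").lower().rstrip(".").split(".")
    return (len(labels) >= 2 and labels[-1] == "onion"
            and bool(ONION_LABEL.match(labels[-2])))


def accepted_onion_location(page_url, headers):
    """Return the advertised onion URL if the documented conditions hold, else None."""
    page = urlsplit(page_url)
    # Condition 1: the advertising page must be served over HTTPS.
    # Condition 2: the advertising page must not itself be an onion site.
    if page.scheme != "https" or (page.hostname or "").endswith(".onion"):
        return None
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == "onion-location"), None)
    if not value:
        return None
    value = value.strip()
    try:
        target = urlsplit(value)
        host = target.hostname
    except ValueError:  # malformed URL in the header
        return None
    # Condition 3: http(s) URL whose hostname is a .onion address.
    if target.scheme not in ("http", "https") or not is_onion_host(host):
        return None
    return value


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        ("https://example.org/", {"Onion-Location": "http://3g2upl4pq6kufc4m.onion/"}),
        ("http://example.org/", {"Onion-Location": "http://3g2upl4pq6kufc4m.onion/"}),
        ("https://example.org/", {"Onion-Location": "https://mirror.example.net/"}),
    ]
    for url, hdrs in samples:
        print(url, hdrs, "->", accepted_onion_location(url, hdrs))
```

The header is only as trustworthy as the HTTPS response that carries it, which is why a plain-HTTP page is rejected before the value is even parsed.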


The Tor Browser is also testing a way to make the cryptographic alphabet soup of onion addresses easier for people to remember. Toward that end, the project has partnered with Freedom of the Press Foundation (FPF) and the Electronic Frontier Foundation's HTTPS Everywhere to deploy human-readable SecureDrop sites.

SecureDrop is an open-source whistleblower platform for submitting documents online anonymously. It relies on Tor and difficult-to-remember onion addresses like http://qn4qfeeslglmwxgb.onion/. That SecureDrop site is run by activist organization Lucy Parsons Labs.

Under the latest version of the Tor Browser, that onion address has an alias, lucyparsonslabs.securedrop.tor.onion. The Tor Project and FPF plan to evaluate the response to this addressing alternative with an eye toward making it more widely available.

The update also supports the ability of onion service administrators to set key pairs for access control and authentication. Those using the Tor Browser can save those keys through the about:preferences#privacy menu in the Onion Services Authentication section.

The Tor Browser is also taking a page – or rather an interface convention – from other browser makers with regard to how it communicates connection security.

Last year, mainstream browser makers turned the green TLS/SSL icon gray to make the insecure connections, dressed in red, stand out more. The Tor Browser is now following suit, making its security indicator gray so the colored icons indicating insecure connections or sites with mixed content are more visibly apparent.

Along similar lines, v9.5 swaps standard Firefox error messages, which conveyed no information about onion connection issues, for a simplified connection diagram that shows the source of the error.

The Tor Browser is available for Android, Linux, macOS, and Windows, and can be downloaded as source code. ®


Biting the hand that feeds IT © 1998–2022