HOWTO publish anonymously on the Internet using Tor
A hidden Tor service is a website, IRC server or other service which is only available to Tor users and has a .onion top-level domain that is much harder (ideally impossible) to locate than a normal website or service.
- You can publish (political or other) information without fear of torture by your government (Intelligence services in many supposedly-free NATO countries, like Norway, covertly torture citizens who tell the truth where the government is lying)
- You can blow the whistle on your employer without fear of getting fired
- In short, you can publish anonymously for what ever reason you want to stay anonymous.
There are also other non-anonymity reasons to run a Tor hidden service.
All you need to run a hidden Tor server is a Tor client which can connect to the Tor network. If you can get to the Tor network (outgoing connection) then you can publish a hidden service. So, you may want to publish using Tor if..
- You are behind a firewall which do not allow incoming connections (A webserver available to the normal Internet must allow incoming connections to port 80)
- You want to allow your users to be sure they get end-to-end encryption when using your service.
- This could also be achieved by running a normal webserver with SSL. SSL is limited to one service per IP. With Tor you can setup five or ten or sixty web-services - and all of them would give the visitors end-to-end encryption.
- You need a Tor-client running and connected to the Tor-network (You do not need to run Tor as a server to publish a hidden service; but your hidden service will get better security if you run Tor as as server).
- A webserver (khttpd and Boa are good choices).
You need to read through these documents before setting up your own hidden service:
- NoReply Hidden service info
Hidden services are, in theory, impossible to locate. However, it is still somewhat questionable just how "hidden" such services really are.
You should use encryption and other security measures for your hidden service. You should expect that the server running the service is located - it won't, but you should be prepared for it being located regardless.
Hidden servers were identified on the public Tor network (comprising about 250 nodes at the time). Briefly, the client asked the hidden server to open connections to rendezvous points over and over again. Owning a single bad node (that was fairly high bandwidth) was enough to get a circuit from the hidden server to the rendezvous point through that node pretty quickly (usually a few minutes). If the evil node was adjacent to the hidden server (which was functioning as a client to the Tor network) then the hidden server was immediately identified. If the hidden server was on the same IP address as a Tor server, we had to do an intersection attack, which took anywhere from a few minutes to an hour. We ran the experiments for several hours to make sure we could always be sure we had found the hidden server when we looked at the logs we had.
BTW these were hidden servers we set up ourselves, not ones that anyone else was offering. Also, the entry guard design now deployed precludes these attacks
Step 1. Add "HiddenServiceDir" and folder Tor has access to and a "HiddenServicePort" followed by
- The port you want to be accessable from Tor
- An IP, local or other, and a :portnumber.
HiddenServiceDir /var/lib/tor/hidden_ebooklibrary/ HiddenServicePort 80 127.0.0.1:80
Step 2. Restart Tor. (/etc/init.d/tor restart)
Step 3. Tor has now created the folder /var/lib/tor/hidden_ebooklibrary/ with a file called whostname. Look at the file and you will see something like 6sxoyfb3h2nvok2d.onion. This is the hostname which will be used to access your hidden service.
The service does not have to be running locally, you could use this to make Scroogle a hidden Tor service:
HiddenServiceDir /var/lib/tor/scroogle/ HiddenServicePort 80 www.scroogle.org:80
This kind of "hidden" service is obviously not hidden from scroogle at all.
It is still subject to debate just how "hidden" a hidden service really is. But it is perfectly clear that if your web-server gives away your e-mail address, the servers IP or even your full name then obviously you don't need a distributed brute force attack to find your and/or your service.
Even trivial things like what software the server runs, if it supports PHP and other basic information should not be given away by software running a hidden service.