– Reading time: 9 minutes-
Is it possible to create a website while remaining anonymous? The answer is yes. In the article “Anonymous Browsing: How Tor Works” I explained how you can leverage Tor to browse the web in complete anonymity. If you’re not already familiar with Tor, I recommend familiarizing yourself with it as it will be crucial to understanding today’s article. You should know that, in addition to simple browsing, you can also create your own website while remaining completely anonymous using Tor. Today, you’ll discover the mechanism behind this other mode of utilization.
To provide a clearer explanation, I’ll start with an example involving our friend Bob. Let’s say Bob wants to offer a service to others but doesn’t want to be identified. If Bob were to use a regular web server, it would be easy to trace him. On the Internet, just like all users have a public IP address, servers also have one. This address is crucial because it’s the only way to reach any website. For instance, even though you’re currently connected to my blog via the address “www.hack-blog.com”, there’s an underlying mechanism that translates that text string into the IP address of the server hosting the service. It’s thanks to that IP that your computer managed to contact my blog’s server and receive this article. However, this address can reveal the physical location of the server, and consequently, anyone with the power to investigate could identify me as the owner. Now, returning to Bob, he doesn’t want to be identified. Let’s clarify that it’s not necessarily because Bob intends to do something malicious. There are other reasons why he might seek this anonymity. Perhaps Bob lives in areas where freedom of expression is threatened or censored, and he wants to create a channel for expressing his ideas without fearing censorship or retaliation. In any case, to address this issue and safeguard his privacy, Bob could utilize the Tor network and create a so-called hidden service (also known, in a more modern notation, as an onion service).
In simple terms, we can view an hidden service as a regular website that is exclusively accessible through the Tor network. As you may gather, an hidden service cannot be reached directly via a public IP address, unlike regular websites. However, please note that this doesn’t mean Bob’s server won’t have an IP address. It is indeed necessary and of paramount importance. Without an IP address, physical traffic would never reach its destination. What changes is that this IP address is not publicly visible. Therefore, any user can no longer rely on it to contact the server. Instead, they will have another type of address: a .onion address. This is a completely anonymous address that reveals nothing about the identity of the hidden service. So, if the user doesn’t have any IP address but only this .onion address, how can they physically contact this hidden service? How will Bob make his service available to others? Let’s explore how it all works:
We’ve mentioned that Bob wants to create his hidden service, so he needs to ensure that his service is accessible from the outside while keeping his identity and server location concealed. To achieve this, Bob contacts several nodes within the Tor network, establishes a circuit with them, and designates them as his introduction points. An introduction point is essentially an intermediary for accessing the hidden service. In other words, users seeking to reach Bob’s service cannot directly contact the actual server but only one of these intermediaries. It’s these intermediaries that will then facilitate the connection to the real server. As I just mentioned, Bob initially established a circuit to all the introduction points. Thanks to this same circuit, these intermediaries can contact Bob’s server without knowing its physical location. It’s worth noting that, since everything is based on Tor circuits, no one will know anyone’s identity: the hidden service won’t know the users’ identities, the users won’t know the identity of the hidden service and even the introduction points won’t know the true identities of the users or the server. Furthermore, from an external perspective, there won’t be any noticeable difference between the various connections. What I mean is that, paradoxically, Bob’s server will appear from the outside like a regular user using the network. In fact, externally, a hidden service is nothing more than a client that establishes connections to other nodes within the network.
So, how will users know which introduction points to contact in order to reach Bob’s site? This is where the .onion address I mentioned comes into play. It will actually allow them to discover the IP addresses of these introduction points. It’s important to note that this doesn’t pose a privacy concern: the introduction points can be publicly advertised without any issues. They are, in fact, simple Tor nodes and there’s no reason to hide their IP addresses because they are already known to everyone.
There’s also an important clarification to make. Even though, as we mentioned earlier, the presence of introduction points is crucial to enabling Alice to indirectly contact Bob’s server, these introduction points should only be used to establish the connection with the server and should not handle subsequent data transfers. In fact, if all of Bob’s users were to communicate with the server exclusively through the introduction points, it would create a significant overload on them. Therefore, in practice, an additional node called the rendezvous point is chosen as the intermediary for actual communication.
At this point, several elements come into play. Let’s try to piece together the puzzle by examining what happens, step by step, when a user wants to connect to Bob’s hidden service. Let’s assume that the user in question is our friend Alice:
- The first thing Alice needs to do is select, from the set of Tor network nodes, her rendezvous point.
- She will then establish a connection with this node, but this time, she’ll do it with a circuit composed of only two intermediate nodes (the third node in the Tor circuit will be the same rendezvous point).
- After setting up this circuit, Alice will choose a secret word that she will send to the rendezvous point (you’ll soon understand what this is for).
- Thanks to the .onion address of the site she wants to visit, Alice will discover the introduction points and select one to contact.
- At this point, through the chosen introduction point, she can contact the hidden service to convey her desire to connect and make use of its services. To do this, she will send two pieces of information: the address of the rendezvous node where she wants to be contacted and the same secret word that Alice had sent to the rendezvous point.
- So, if Bob’s server decides to accept the connection, it can establish a Tor circuit to the rendezvous node to start communicating with Alice. After doing so, it will also send the secret word.
- The rendezvous node will only allow the connection to pass to Alice if the secret word received by Bob’s server matches the one initially thought of by Alice. In that case, it will understand that the entity attempting to contact Alice is an authorized server. As a result, the connection will be correctly established on both sides, and Alice can securely exchange information with the server.
In short, once the connection is established, everything will always pass through the rendezvous point, avoiding overloading the introduction points. Furthermore, the presence of the rendezvous node will make it extremely difficult for the two communicating parties to identify each other. Not even the rendezvous point will actually know who is being connected because it, too, is linked through Tor circuits. In total, for a single connection to the server, a path of six nodes will be established, and thanks to this mechanism, all parties will be protected by complete anonymity.
As I did in the previous article for users, here there’s a similar clarification to be made. While it’s true that the Tor mechanism is extremely difficult to compromise, a misconfigured hidden service could expose itself outside of the Tor network and be discovered. Additionally, quite simply, if Bob were to leave other types of traces, Tor’s anonymity would serve little purpose. What I mean to convey is that, if your goal is to be anonymous on the web, whether as a regular user or as the creator of an onion service, you must always exercise the utmost caution. The Tor network provides a solid foundation for your anonymity but the rest depends on you. The fact that Tor offers you very powerful tools certainly helps, but it should not make you lower your guard.
Continuing from the previous article, now that you have everything you need, I would like to draw your attention to something regarding the difference between when a user wants to browse through Tor to a regular website and when they want to browse to an hidden service. When a user connects to a regular website through the Tor network, the web server they connect to is not configured to work with Tor. Therefore, when the traffic reaches the exit node, the connection from the exit node to the final server is a standard http/https connection. However, when connecting to an hidden service, all traffic always passes under the “Tor cloud”. What I mean is that everything always travels following the onion protocol, without interruption. This is the main reason why it’s not possible to reach such a server with traditional tools but rather requires downloading programs like the Tor browser. By definition, hidden services constitute a part of that segment of the web not accessible through traditional means, often referred to as the “Dark web”. If you’ve never heard of it, I recommend an article I wrote about it, where I explain the differences between the Clear, Deep, and Dark web. If you’re already familiar with this area of the internet, I still suggest visiting my article because I will debunk some misconceptions you might know about.
Another comparison I wanted to make is regarding speed: since the mechanism for connecting to an hidden service is much more complex, data transfer speed is much slower compared to what you would experience when connecting to a regular website through Tor.
With this and the previous article, I believe I have covered all the fundamental things you needed to know about Tor. I hope you’ve learned to appreciate the power of this tool. Thank you for reading this far. Goodbye!