Opened 2 years ago

Last modified 5 weeks ago

#23875 new defect

Facebook's onion site is a single hop onion, but clicking on the Tor onion icon shows that it is a 6 hop circuit.

Reported by: Dbryrtfbcbhgf Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-circuit-display, ux-team
Cc: dgoulet Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor27-can

Description

Facebook's onion site is a single hop onion, but clicking on the Tor onion icon shows that it is a 6 hop circuit.
Roger Dingledine said at Def Con that facebook uses a single hop, here https://youtu.be/Di7qAVidy1Y?t=2135

  1. Go to facebookcorewwwi.onion
  2. click on the onion icon in the upper left and it should show that it is a 6 hop circuit, even though it should show that it is a 4 hop circuit.

Tested on 7.0.6 and 7.5a5.

Child Tickets

Change History (20)

comment:1 Changed 2 years ago by cypherpunks

According to dgoulet https://lists.torproject.org/pipermail/tor-talk/2016-December/042753.html

With the next generation onion service (we hope by mid-2017 so ~6 months), every onion service will advertise in its descriptor that it is a single onion service and we hope to make the circuit viewer in Tor Browser show that when visiting a single onion service.

Not sure if there's some ticket somewhere for this.

comment:2 Changed 2 years ago by gk

Keywords: tbb-circuit-display added

comment:3 Changed 2 years ago by gk

Cc: dgoulet added
Status: newneeds_information

dgoulet: What do we need to check for deciding whether we have a single onion service vs. a "normal" one?

comment:4 in reply to:  3 ; Changed 2 years ago by dgoulet

Replying to gk:

dgoulet: What do we need to check for deciding whether we have a single onion service vs. a "normal" one?

For v2 services (current scheme of 16 char .onion), you can't know. The service descriptor doesn't advertise such a thing.

For v3 services (>= 0.3.2), the service will put in its descriptor single-onion-service so by fetching it, a client will know.

However, v3 service don't have control port support yet but it is planned (hopefully, best effort!) to be in 0.3.3. I think maybe a GETINFO command to ask if this .onion is a single onion (without triggering a descriptor fetch ofc). Or we could also mention it in the HS_DESC event as well so TB could monitor that event. Not familiar if TB monitors events but anyway there are ways to deal with that.

comment:5 Changed 2 years ago by cypherpunks

Status: needs_informationnew

comment:6 Changed 17 months ago by arma

I am a fan of leaving the gui as it is, and not trying to teach users that sometimes onion services are 3-hop and sometimes they are 1-hop. Better to just have them be onion services -- it's none of the client's business how many hops the onion service has used.

comment:7 Changed 17 months ago by 1-hop

shows that it is a 6 hop circuit

so, don't show hops which you don't know of.

comment:8 Changed 17 months ago by arma

Keywords: ux-team added
Priority: HighMedium
Severity: MajorNormal

Adding in the ux team so they can get involved.

I think any sort of metaphorical visualization of "the other side of the onion circuit" would do fine here. Maybe that means we leave it at three visualized hops, because we've taught users that Tor circuits are generally three hops. Or maybe we make it cloudier. But I don't want to teach users to go check if the onion site they're using is three-hops or one-hop: onion services should be onion services and that's that. (This is as much a political move as anything else -- there are too many people out there saying that all onion services should be one-hop, and we should rip out the three-hop version, and drawing users into that fight, with this interface question, isn't going to make anybody any happier.)

comment:9 in reply to:  4 ; Changed 17 months ago by teor

Replying to dgoulet:

Replying to gk:

dgoulet: What do we need to check for deciding whether we have a single onion service vs. a "normal" one?

For v2 services (current scheme of 16 char .onion), you can't know. The service descriptor doesn't advertise such a thing.

For v3 services (>= 0.3.2), the service will put in its descriptor single-onion-service so by fetching it, a client will know.

That's not quite true: the service will advertise that it *tries* to make one-hop circuits. But some circuits will be 3-hops if the rendezvous point is unreachable or fails.

comment:10 Changed 10 months ago by gk

Sponsor: Sponsor27

comment:11 Changed 10 months ago by gk

Sponsor: Sponsor27Sponsor27-can

Adjusting sponsor tag.

comment:12 Changed 8 weeks ago by pili

#32571 is a duplicate

comment:13 in reply to:  9 ; Changed 7 weeks ago by arma

Replying to teor:

That's not quite true: the service will advertise that it *tries* to make one-hop circuits. But some circuits will be 3-hops if the rendezvous point is unreachable or fails.

teor has a great point here: we can't actually know how many hops the service side circuit uses. So anything that we visualize for the user will be a metaphor, not an accurate depiction of the onion service's circuit. We don't know what the onion service is doing, and we can't know for sure, and that's one of the security properties.

So my vote remains for leaving it as it is, or if we want to change it, to change it to some sort of "cloudy" thing that makes it clear we don't have good visibility on that half of the path.

comment:14 Changed 7 weeks ago by teor

This is particularly true in recent tor versions, which implement "fallback to a 3-hop path on address or connection failure" on v2 and v3 onions.

comment:15 in reply to:  14 Changed 7 weeks ago by cypherpunks

Replying to teor:

This is particularly true in recent tor versions, which implement "fallback to a 3-hop path on address or connection failure" on v2 and v3 onions.

Can you please clarify what that feature is?

comment:17 Changed 5 weeks ago by pili

antonela: Do we want to do anything else here or shall we just close as wontfix since:

We don't know what the onion service is doing, and we can't know for sure, and that's one of the security properties.

comment:18 in reply to:  13 Changed 5 weeks ago by teor

Replying to arma:

Replying to teor:

That's not quite true: the service will advertise that it *tries* to make one-hop circuits. But some circuits will be 3-hops if the rendezvous point is unreachable or fails.

teor has a great point here: we can't actually know how many hops the service side circuit uses. So anything that we visualize for the user will be a metaphor, not an accurate depiction of the onion service's circuit. We don't know what the onion service is doing, and we can't know for sure, and that's one of the security properties.

So my vote remains for leaving it as it is, or if we want to change it, to change it to some sort of "cloudy" thing that makes it clear we don't have good visibility on that half of the path.

What does Tor browser currently do if an exit circuit uses 4 hops?

I think it's ok to:

  • change it to something that symbolises the uncertainly: it could be a direct connection, it could be 3-4 hops
  • add a link to a "what is an onion service" doc that explains what we can't know
  • do nothing

comment:19 Changed 5 weeks ago by cypherpunks

btw https://facebookcorewwwi.onion is down it seems

comment:20 in reply to:  19 Changed 5 weeks ago by pili

Replying to cypherpunks:

btw https://facebookcorewwwi.onion is down it seems

Yes, see https://lists.torproject.org/pipermail/tor-talk/2019-December/045386.html

Note: See TracTickets for help on using tickets.