About Me

Posted on 28 Aug 2016 by Matt Traudt

Last upated 15 Jan 2017 at 11:31 pm
Pinned post

I do research and development on Tor.

I'm interested in preserving people's online privacy. I've started a group that maintains many useful services for the benefit of others, and am essentially the sole member. For deduplication purposes, you may see a list of public services we run here (onion service).

Read the entire post

Creating Private Onion Services

Posted on 25 Feb 2017 by Matt Traudt


You're probably aware of many of the great features of onion services.

You may have ever heard about how misbehaving relays with the HSDir flag can learn the existence of onion services that their owners literally never advertised anywhere. This attack and related attacks will be impossible when the next generation of onion services is deployed (see end of this post for more information), but did you know can prevent this from happening right now, today, on your onion services?

This is thanks to a feature of Tor onion services that can prevent anyone from even connecting to your service if they don't have your permission. I'm not talking about a login page on example.onion, I'm talking about the inability for random people to be able to tell that example.onion is up or if it even exits.

I'm talking about the HiddenServiceAuthorizeClient (server-side) and HidServAuth (client-side) torrc options that you can find in the Tor manual.

There are two ways to use this: basic and stealth. The gist with both is

After this setup is done, clients authenticate automatically with no further work from the user necessary.

Read the entire post

BM v4.0.0 is Released

Posted on 30 Jan 2017 by Matt Traudt


Yesterday I released yet another new major version of BM! The changelog has a summary of changes. As before, please report any issues at the issue tracker.


There are two big changes that should be noted.

Your configuration file needs to move. It used to be in include/bm.conf, but that directory has been emptied out. Your configuration file now belongs in your posts directory, posts/bm.conf. BM comes with a script in tools/ to help you transition from v3 to v4, but really it's as simple as moving your configuration file. After you've moved it, you may delete the include directory. It should be empty.

The other major change is themes! Themes allow you to quickly change the look of your website. They can easily be shared as all the important bits and pieces are in one directory per theme. Here's the "terminal" theme that I created and will officially support in addition to the default theme.

terminal theme

For information how how to set your theme, see here. For information about creating your own theme, see here. It's very easy, especially if you start out copy/pasting an already good one.

Other new features

Page signing was added. Now, given a gpg fingerprint, BM will automatically cryptographically sign all output files (even the CSS!) and leave a note in the footer saying so in officially supported themes.

signature note

(Ignore the version number, this was added in v4.0.0. I should probably decide something about "in development" versioning...)

If page signing is enabled, then /pubkey.gpg will also be automatically generated with the public key used for signing.

Licensing your content has been made easier. A new config option, LICENSE_TEXT, was added. The contents of it will be placed verbatim in the

Read the entire post

BM v3.0.0 is Released

Posted on 16 Jan 2017 by Matt Traudt


Today I've released a new major version of BM, consisting of about 140 commits! See the changelog for a summary of all the changes, and please report issues at the issue tracker. Here's the important and exciting highlights.


make cannot be called by the user anymore as BM needs to setup the environment for it. It probably should have never been called by hand, and hiding the Makefile in v3.0.0 further discourages manual make calls.

Post URLs have changed, but probably won't do so again for a while--if ever--as this is quite rude of me to do. Now post URLs are limited to the first three words of the post title plus the ID. Before it was all words of the title.


Permalinks have been added. This was prompted in part by the previous change. If the option for it is enabled (which it is by default), a little permalink will be added in every post's header. Permalinks consist soley of a post's ID, so they will never change so long as you don't manually change a post's ID!

BM can optionally make the source post files available for download by your readers. If the option is set, not only will /posts/foobar-12345678.html be generated as usual, but /posts/foobar-12345678.bm will as well, the latter being an exact copy of the file you edit.

A 404 page has been added. Special webserver configuration is required to get the most out of it. See the wiki.


This release took a very long time. It introduced many backend changes, most concerning a major design change: move as much dependency logic into the Makefile as possible. Before the majority of BM's logic was in three large scripts. Now

Read the entire post

Don't Debug with Onion.to

Posted on 02 Dec 2016 by Matt Traudt

Last upated 02 Mar 2017 at 4:55 pm

This also applies to onion.cab onion.city, onion.direct, and any onion domain that does not end in exactly .onion. These are called Tor2Web proxies and they can be very dangerous if you doesn't know how they work.

Read the entire post

VPN + Tor: Not Necessarily a Net Gain

Posted on 12 Nov 2016 by Matt Traudt

Last upated 02 Dec 2016 at 6:57 pm

So many people share the advice to use a VPN in conjunction wtih Tor, usually by way of placing the VPN between the user and her guard node (connecting to Tor through a VPN). More rarely, the advice is given to place the VPN between her exit and her destination (connecting to a VPN through Tor). On the surface, these ideas sound good, or at least not bad. The first one especially sounds like it must help. More encryption is always better, right?

This post will discuss my reasoning for why using a VPN with Tor is not the obvious security gain that people make it out to be. Users may not lose any safety by adding a VPN, but they certainly aren't gaining any.

Read the entire post