Matt Traudt

An onion a day keeps the bad guys away | About me

About Me

Posted on 28 Aug 2016 by Matt Traudt

Last updated 19 Nov 2019 at 11:01 am
Pinned post

I work for the Naval Research Lab doing research and development on Tor, and sometimes the Internet in general.


Peer-Reviewed Journals and Conferences

Self-Authenticating Traditional Domain Names [pdf] [code]
IEEE Secure Development Conference (SecDev 2019)
Paul Syverson and Matthew Traudt

KIST: Kernel-Informed Socket Transport for Tor [pdf] [acm]
ACM Transactions on Privacy and Security (TOPS 2018)
Rob Jansen, Matthew Traudt, John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson

Privacy-preserving Dynamic Learning of Tor Network Traffic [pdf] [data]
25th ACM Conference on Computer and Communication Security (CCS 2018)
Rob Jansen, Matthew Traudt, and Nick Hopper

Peer-Reviewed Workshops

Does Pushing Security on Clients Make Them Safer? [slides] [pdf]
12th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2019)
Matthew Traudt and Paul Syverson

HSTS Supports Targeted Surveillance [pdf] [foci]
8th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2018)
Paul Syverson and Matthew Traudt


Tor’s Been KIST: A Case Study of Transitioning Tor Research to Practice [pdf] [arxiv]
Technical Report arXiv:1709.01044 [cs.CR] (arXiv 2017)
Rob Jansen and Matthew Traudt


Personal: sirmatt |at| ksu d0t edu
Tor: pastly |at| torproject d0t org
Work: matthew d0t traudt |at| nrl d0t navy d0t mil
GPG 0x83BCA95294FBBB0A
Reddit: /u/system33- and /u/pastlytor. Any other username claiming to be me is lying.

Read the entire post

Yes my website's onion service has changed

Posted on 19 Dec 2019 by Matt Traudt


My hosting provider went out of business.

I didn't get my onion service's keys off the box in time. Stupid. Kept putting it off like an idiot.

I took this opportunity to stop offering a v2 onion service. Now you have to use that hot v3 goodness. Oh nooooo.

It's at http://tv54samlti22655ohq3oaswm64cwf7ulp6wzkjcvdla2hagqcu7uokid.onion now.

Like you've always been able to (but probably no one has ever done), you can verify this post was written by me by downloading this page, downloading the signature of this page by appending .asc to the URL, and using (e.g.) GnuPG. Oh and hopefully you already have my key or have a good reason to trust that the key in the footer of my website is mine. I am B7E105FC4E6D9377F89CBA4C83BCA95294FBBB0A. But the preceding sentence is meaningless if you didn't already know that. But now I'm repeating myself. Ugh trust. Identities.

$ wget -q
$ wget -q
$ gpg --verify yes-my-websites-w6t3nxCA.html.asc 
gpg: assuming signed data in 'yes-my-websites-w6t3nxCA.html'
gpg: Signature made Thu 19 Dec 2019 07:51:10 PM EST
gpg:                using RSA key B7E105FC4E6D9377F89CBA4C83BCA95294FBBB0A
gpg: Good signature from "Matt Traudt <>" [unknown]
gpg:                 aka "Matt Traudt <>" [unknown]
gpg:                 aka "Matt Traudt <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B7E1 05FC 4E6D 9377 F89C  BA4C 83BC A952 94FB BB0A

If you're familiar with PGP you know what can be different from the above without concern. If you're not familiar with PGP, you shouldn't be trusting things because they are "PGP verified."
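Pinning the fingerprint in a script, as an added example that is not part of the original post: it accepts gpg's machine-readable --status-fd output only when the signature is good and the primary-key fingerprint equals the one stated above. The function names and the sample status lines are constructed for illustration, and the key must already be in your keyring.

```shell
#!/bin/sh
# Added example: pin the full primary-key fingerprint stated in the post
# instead of trusting the words "Good signature" on their own.
PINNED_FPR="B7E105FC4E6D9377F89CBA4C83BCA95294FBBB0A"

# check_status PINNED < gpg-status-output
# Succeeds only if gpg reported GOODSIG plus a VALIDSIG whose primary-key
# fingerprint equals PINNED, and no bad/expired/revoked/error status.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; fall back to the
            # signing-key fingerprint (field 3) if gpg did not emit it.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) pinned = 1; else other = 1
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (good && pinned && !other && !bad) ? 0 : 1 }
    '
}

# verify_page FILE: verify FILE against FILE.asc using the local keyring.
# Status lines go to stdout (fd 1); the human-readable text is discarded.
verify_page() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output for a signature made by the pinned key.
sample_good() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 83BCA95294FBBB0A Matt Traudt
[GNUPG:] VALIDSIG $PINNED_FPR 2019-12-20 1576803070 0 4 0 1 10 00 $PINNED_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed: an equally "Good" signature, but made by some other key.
sample_other_key() {
    sample_good | sed "s/$PINNED_FPR/0123456789ABCDEF0123456789ABCDEF01234567/g"
}
```

TRUST_UNDEFINED is deliberately not treated as a failure: this check relies on the pinned fingerprint, not on web-of-trust validity.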

Shut up about The Hidden Wiki

Posted on 11 Nov 2019 by Matt Traudt

Last updated 22 Nov 2019 at 7:56 am

The focus/organization of this post is poor and it does not contain much technical information. You might want to skip this one.

I spent about an hour searching the web for the phrase "the hidden wiki" and collected all the resulting websites I could find that called themselves that or some slight variation of that. I searched using DuckDuckGo, Ahmia, something called OnionLand Search, and something called Tor66*.

After deduplication, I found 48 websites, of which 46 were up right now. 40 sites were onion services. 40 onion services that you can easily find that all call themselves the hidden wiki. When someone asks "hey, how do I find cool onion services?" and you respond with "look up the hidden wiki," which one are you talking about? Does it even matter? Do you even care that they will probably type "the hidden wiki" into the URL bar of Tor Browser, which defaults to searching with DuckDuckGo, which doesn't even index onion services, so they're going to visit something like Is that really what you were intending?

Let's assume for a little bit that when you say "the hidden wiki," you're talking about a specific one and you have the means to easily pull it up again. It has also somehow established itself as trustworthy: it doesn't link to scams, doesn't serve you malicious JavaScript, etc. Whatever. How the hell is anyone supposed to find it? The more-secure web comprised of onion services (colloquially and stupidly referred to as "the deep web") does not yet have good search engines*. There are no good reputation tracking systems. The ones that exist look easily gameable or malicious themselves. Good results don't just rise to the top. Imposters don't get crowded out. *No one knows which "hidden wiki" you're

Read the entire post

You want Tor Browser ... not a VPN

Posted on 17 Oct 2019 by Matt Traudt

Last updated 28 Oct 2019 at 2:28 pm

In most cases.

Untruth: VPNs protect you from local network hackers

This is usually claimed in the context of open WiFi networks such as those at airports or coffee shops, and is basically correct. As long as you have a reputable VPN company and they set up their software correctly, then VPNs help.

A little.

Today, well over 2/3 of web traffic is protected by TLS, and all (not scientifically determined, just a baseless claim by me) of the sites worth using have and force HTTPS on clients. TLS and the CA system have their issues, but your average little coffee shop hacker is not going to be able to attack them nor convince your browser to downgrade to clear text, so you were already fine. All this hacker is going to learn is the sites that you are visiting: not your account name, not your password, and not what you do on that site.

Claims that VPNs protect your passwords or bank accounts or that they add any meaningful amount of security/privacy/anonymity in this context inside your home are bullshit.

VPN vs Tor Browser

In this context, since the VPN wasn't doing much of anything to begin with, they are essentially the same. Tor (thus Tor Browser) is in fact built correctly to disallow anyone from ever intercepting and reading the traffic between you and your guard relay. If your chosen VPN isn't (good luck figuring it out), then Tor (Browser) is better. But honestly, your VPN is probably just as good.

Read the entire post

Stop Visiting Randomly-Generated Onion Services

Posted on 24 Jan 2019 by Matt Traudt

Last updated 08 Nov 2019 at 6:17 am

If you've written a script that tries to access random onion services, or all onion services in order, or something else that attempts to brute force the namespace of onion services ...

You don't realize how unlikely it is that you will ever find a working link.

Let's put that tiny number in some context. How about Powerball?

You will never find a working onion service by randomly clicking on links on my list of all onion services or by randomly generating links and trying them.

By trying you are wasting Tor network resources. This isn't a problem if you

Read the entire post

Creating Private V3 Onion Services

Posted on 19 Jan 2019 by Matt Traudt

Last updated 08 Nov 2019 at 6:17 am

This post is about v3 onion services with 56 characters in their name. For the old post for creating private v2 onion services, see here.

In that old post I talked about some of the great features of Tor onion services. The features still apply with the new onion services: they are still end-to-end encrypted, they still assure you that it is impossible for anyone to modify your traffic, etc.

Regular v3 onions fix the issue that v2 onions had where a malicious HSDir could snoop and learn about onion services that the owner literally never advertised. This is great: you no longer have to make your onion service require authorization in order to avoid malicious HSDirs. If you never tell anyone your v3 onion address, no one will ever know it exists.

Regardless of whether you're okay with people knowing your v3 onion address or not, what if you still wanted to require people to know a secret key in order to be allowed to connect to your v3 onion service? You can do that now.

Here's how you set this up.

Read the entire post