Matt Traudt

An onion (v3) (SAT [What's this?]) a day keeps the bad guys away | About me

About Me

Posted on 28 Aug 2016 by Matt Traudt

Last updated 11 Sep 2019 at 3:35 pm
Pinned post

I work for the Naval Research Lab doing research and development on Tor, and sometimes the Internet in general.


Peer-Reviewed Journals and Conferences

Self-Authenticating Traditional Domain Names [pdf] [code]
IEEE Secure Development Conference (SecDev 2019)
Paul Syverson and Matthew Traudt

KIST: Kernel-Informed Socket Transport for Tor [pdf] [acm]
ACM Transactions on Privacy and Security (TOPS 2018)
Rob Jansen, Matthew Traudt, John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson

Privacy-preserving Dynamic Learning of Tor Network Traffic [pdf] [data]
25th ACM Conference on Computer and Communication Security (CCS 2018)
Rob Jansen, Matthew Traudt, and Nick Hopper

Peer-Reviewed Workshops

Does Pushing Security on Clients Make Them Safer? [slides] [pdf]
12th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2019)
Matthew Traudt and Paul Syverson

HSTS Supports Targeted Surveillance [pdf] [foci]
8th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2018)
Paul Syverson and Matthew Traudt


Tor’s Been KIST: A Case Study of Transitioning Tor Research to Practice [pdf] [arxiv]
Technical Report arXiv:1709.01044 [cs.CR] (arXiv 2017)
Rob Jansen and Matthew Traudt


Personal: sirmatt |at| ksu d0t edu
Tor: pastly |at| torproject d0t org
Work: matthew d0t traudt |at| nrl d0t navy d0t mil
GPG 0x83BCA95294FBBB0A
Reddit: /u/system33- and /u/pastlytor. Any other username claiming to be me is lying.

Read the entire post

Stop Visiting Randomly-Generated Onion Services

Posted on 24 Jan 2019 by Matt Traudt


If you've written a script that tries to access random onion services, or all onion services in order, or something else that attempts to brute force the namespace of onion services ...

You don't realize how unlikely it is that you will ever find a working link.

Let's put that tiny number in some context. How about Powerball?

You will never find a working onion service by randomly clicking on links on my list of all onion services or by randomly generating links and trying them.

By trying you are wasting Tor network resources. This isn't a problem if you

Read the entire post

Creating Private V3 Onion Services

Posted on 19 Jan 2019 by Matt Traudt

Last updated 08 Feb 2019 at 9:29 am

This post is about v3 onion services with 56 characters in their name. For the old post for creating private v2 onion services, see here.

In that old post I talked about some of the great features of Tor onion services. The features still apply with the new onion services: they are still end-to-end encrypted, they still assure you that it is impossible for anyone to modify your traffic, etc.

Regular v3 onions fix the issue that v2 onions had where a malicious HSDir could snoop and learn about onion services that the owner literally never advertised. This is great, you no longer have to make your onion service regular authorization in order to avoid malicious HSDirs. If you never tell anyone your v3 onion address, no one will ever know it exists.

Regardless of whether you're okay with people knowing your v3 onion address or not, what if you still wanted to require people to know a secret key in order to be allowed to connect to your v3 onion service? You can do that now.

Here's how you set this up.

Read the entire post

About to use Tor. Any security tips?

Posted on 19 Jan 2019 by Matt Traudt

Last updated 25 Jul 2019 at 12:28 pm

If you're going to browse the web, use Tor Browser. Don't try to make Firefox, Chrome, or something else proxy its traffic over Tor. There is no combination of settings tweaks that produces as good of a product as Tor Browser. You will be essentially uniquely fingerprintable. You will not get Tor Browser's awesome state and traffic isolation.

The rest of this post assumes you want to browse the web.

Read Tor's suggestions on their download page.

This is where most people should stop giving concrete advice without knowing your adversary model. Nonetheless they keep going and suggest ...

Read the entire post

Don't HTTPS Your Onions

Posted on 20 Dec 2017 by Matt Traudt

Last updated 27 Dec 2017 at 2:22 pm

Unless you're an edge case (which you aren't).

Why you would want HTTPS

Let's talk about why you normally want HTTPS. Let me know if I missed something.

End-to-end encryption

You already get this with Tor.

Everything between your local Tor client (using Tor Browser? It runs Tor in the background) and the Tor client providing the onion service is encrypted. No Tor relay and no network-level adversary can tell what onion service you are visiting (which is actually better than what HTTPS-without-Tor to a regular website would get you).

If you're an onion service operator and you're at the sophistication level of taking advice from random blogs on the Internet, HTTPS doesn't help you here. If you're Facebook, Reddit, or YouTube, then you have a sizable datacenter(s) and are probably no longer running Tor on the same machines as your webservers. Unencrypted traffic may be flowing over an uncomfortable distance on your (super secure, right?) network. Maybe you want HTTPS. But you also have the resources to get a valid certificate for your onion. So do that.

Avoid men in the middle

You already get this with Tor. This is related, but distinct from the previous point.

When you connect to with HTTPS, how do you know no one is MitM'ing you? The certificate is valid, right? No big scary browser errors. For better or for worse, we trust the Certificate Authority (CA) system.

When you connect to an onion service, how do you know no one is MitM'ing you? Easy. It's impossible. The bad guy would have to be in your browser (more accurately: between the browser part of Tor Browser and the Tor process it runs in the background) or between the Tor process the onion service operator is running and the webserver it's pointing at. If you assume your Tor Browser

Read the entire post

Mosh over Tor (Except Not Really)

Posted on 18 Jun 2017 by Matt Traudt


I'm in the process of setting up a new server and I'm trying to be super ultra mega secure about it. It's running FreeBSD with some fancy security options enabled, blah blah blah, oh and I made SSH over Tor the only way to remotely access it for administration. It's a private onion service, which is super cool in itself, but since I don't mind leaking the location of this server, it is also a single-onion service. This does seem to have a positive impact on the speed and latency to the machine, but after a few weeks of managing the machine completely over Tor, I determined I wanted more usability.

My main complaint is the lack of immediate local echoing of what I type. Mosh does that, but mosh uses UDP, which doesn't work over Tor. There's two ways I could approach this. The first would actually be called "Mosh over Tor," but I ultimately went for the second as it would actually allow me to roam (another great feature of mosh).

  1. I could use socat to tunnel UDP over Tor. Create the tunnel and then mosh to localhost:some-port.

  2. Or I could authenticate over SSH over Tor and then create the actual UDP connection over the regular Internet.

So I now present to you the script I use to (not really) use mosh over Tor. It's a healthy mixture of things specific to me and hardcoded values that need changing for every use case. But it is a starting point if you would like to try your hand at (2) above too.

#!/usr/bin/env bash
SUCCESS_LINE=$(ssh $SSH_HOSTNAME "mosh-server new -i $MOSH_IP" | grep 'MOSH CONNECT')
[[ "$SUCCESS_LINE" == "" ]] && echo "failed to connect :(" && exit 1
MOSH_PORT=$(echo $SUCCESS_LINE | cut -d ' ' -f 3)
Read the entire post