I work for the Naval Research Lab doing research and development on Tor, and sometimes the Internet in general.

Publications

Peer-Reviewed Journals and Conferences

Self-Authenticating Traditional Domain Names [pdf] [code]
IEEE Secure Development Conference (SecDev 2019)
Paul Syverson and Matthew Traudt

KIST: Kernel-Informed Socket Transport for Tor [pdf] [acm]
ACM Transactions on Privacy and Security (TOPS 2018)
Rob Jansen, Matthew Traudt, John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson

Privacy-preserving Dynamic Learning of Tor Network Traffic [pdf] [data]
25th ACM Conference on Computer and Communication Security (CCS 2018)
Rob Jansen, Matthew Traudt, and Nick Hopper

Peer-Reviewed Workshops

Does Pushing Security on Clients Make Them Safer? [slides] [pdf]
12th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2019)
Matthew Traudt and Paul Syverson

HSTS Supports Targeted Surveillance [pdf] [foci]
8th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2018)
Paul Syverson and Matthew Traudt

Other

Tor’s Been KIST: A Case Study of Transitioning Tor Research to Practice [pdf] [arxiv]
Technical Report arXiv:1709.01044 [cs.CR] (arXiv 2017)
Rob Jansen and Matthew Traudt

Contact

Personal: sirmatt |at| ksu d0t edu
Tor: pastly |at| torproject d0t org
Work: matthew d0t traudt |at| nrl d0t navy d0t mil
GPG 0x83BCA95294FBBB0A
Reddit: /u/system33- and /u/pastlytor. Any other username claiming to be me is lying.

The focus/organization of this post is poor and it does not contain much technical information. You might want to skip this one.

I spent about an hour searching the web for the phrase "the hidden wiki" and collected all the resulting websites I could find that called themselves that or some slight variation of that. I searched using DuckDuckGo, Ahamia, something called OnionLand Search, and something called Tor66*.

After deduplication, I found 48 websites, of which 46 were up right now. 40 sites were onion services. 40 onion services that you can easily find that all call themselves the hidden wiki. When someone asks "hey, how do I find cool onion services?" and you respond with "look up the hidden wiki," which one are you talking about? Does it even matter? Do you even care that they will probably type "the hidden wiki" into the URL bar of Tor Browser, which defaults to searching with DuckDuckGo, which doesn't even index onion services, so they're going to visit something like thehiddenwiki.org? Is that really what you were intending?

Let's assume for a little bit that when you say "the hidden wiki," you're talking about a specific one and you have the means to easily pull it up again. It has also somehow established itself as trustworthy: it doesn't link to scams, doesn't serve you malicious JavaScript, etc. Whatever. How the hell is anyone supposed to find it? The more-secure web comprised of onion services (colloquially and stupidly referred to as "the deep web") does not yet have good search engines*. There's no good reputation tracking systems. The ones that exist look easily gameable or malicious themselves. Good results don't just rise to the top. Imposters don't get crowded out. *No one knows which "hidden wiki" you're

In most cases.

• Untruth: VPNs protect you from local network hackers
  • VPN vs Tor Browser
• Untruth: VPNs protect you from getting malware
  • VPN vs Tor Browser
• Untruth: VPNs prevent tracking done by websites and big Internet companies
  • VPN vs Tor Browser
• Torrenting copyrighted media
• Anonymizing non-web browsing traffic
• Avoiding geo-blocks
• VPN vs your ISP
• VPN vs a government
• Additional stuff
  • Reading
  • Thoughts

Untruth: VPNs protect you from local network hackers

This is usually claimed in the context of open WiFi networks such as those at airports or coffee shops, and is basically correct. As long as you have a reputable VPN company and they set up their software correctly, then VPNs help.

A little.

Today, well over 2/3 of web traffic being protected by TLS and all (not scientifically determined, just a baseless claim by me) of sites worth using have and force HTTPS on clients. TLS and the CA system has its issues, but your average little coffee shop hacker is not going to be able to attack it nor convince your browser to downgrade to clear text, so you were already fine. All this hacker is going to learn is the sites that you are visiting: not your account name, not your password, and not what you do on that site.

Claims that VPNs protect your passwords or bank accounts or that they add any meaningful amount of security/privacy/anonymity in this context inside your home are bullshit.

VPN vs Tor Browser

In this context, since the VPN wasn't doing much of anything to begin with, they are essentially the same. Tor (thus Tor Browser) is in fact built correctly to disallow anyone from ever intercepting and reading the traffic between you and your guard relay. If your chosen VPN isn't (good luck figuring it out), then Tor (Browser) is better. But honestly, your VPN is probably just as good.

If you've written a script that tries to access random onion services, or all onion services in order, or something else that attempts to brute force the namespace of onion services ...

You don't realize how unlikely it is that you will ever find a working link.

• There's about 100,000 v2 onion services that are running right now (as of Jan 2019)
• Of those, an unknown fraction are listening on port 80/443 (web sites). The number seems to be no more than 10,000 based on other peoples' attempts at indexing onion services, but let's assume it's all 100,000.
• There's 1,208,925,819,614,629,174,706,176 possible v2 onion services
• Thus there's an 100,000 / 1,208,925... == 8.27*10^(-18)% chance that any v2 onion service you generate will be up and responding. AKA a 0.00000000000000000827% chance.

Let's put that tiny number in some context. How about Powerball?

• The odds of winning the Powerball jackpot is 1 in 292,201,338 (3.42*10^(-7)%)
• This means you are approximately 100,000,000,000 times more likely to win the next Powerball jackpot than the next random v2 onion service you click on/generate/whatever actually being up and responding
• Said another way, if you could check 100 billion v2 onion services by the time there's another Powerball drawing (say ... in a week), you have an equal chance of finding one working v2 onion address as you have of winning the Powerball jackpot. This means checking 165,343.9 onion services per second, every second for the next week in order to have a 1 in 292 million chance that one of them is up and responding.

You will never find a working onion service by randomly clicking on links on my list of all onion services or by randomly generating links and trying them.

By trying you are wasting Tor network resources. This isn't a problem if you

This post is about v3 onion services with 56 characters in their name. For the old post for creating private v2 onion services, see here.

In that old post I talked about some of the great features of Tor onion services. The features still apply with the new onion services: they are still end-to-end encrypted, they still assure you that it is impossible for anyone to modify your traffic, etc.

Regular v3 onions fix the issue that v2 onions had where a malicious HSDir could snoop and learn about onion services that the owner literally never advertised. This is great, you no longer have to make your onion service regular authorization in order to avoid malicious HSDirs. If you never tell anyone your v3 onion address, no one will ever know it exists.

Regardless of whether you're okay with people knowing your v3 onion address or not, what if you still wanted to require people to know a secret key in order to be allowed to connect to your v3 onion service? You can do that now.

Here's how you set this up.

If you're going to browse the web, use Tor Browser. Don't try to make Firefox, Chrome, or something else proxy its traffic over Tor. There is no combination of settings tweaks that produces as good of a product as Tor Browser. You will be essentially uniquely fingerprintable. You will not get Tor Browser's awesome state and traffic isolation.

The rest of this post assumes you want to browse the web.

Read Tor's suggestions on their download page.

This is where most people should stop giving concrete advice without knowing your adversary model. Nonetheless they keep going and suggest ...

• Adding a VPN
• Disabling JavaScript / setting the security slider to its highest setting
• Using Tails or Whonix
• Not logging in to "real" accounts over Tor
• Testing your fingerprint
• Adding extra extensions to Tor Browser