Matt Traudt


About Me

Posted on 28 Aug 2016 by Matt Traudt

Last updated 19 Nov 2019 at 11:01 am

I work for the Naval Research Lab doing research and development on Tor, and sometimes the Internet in general.

Publications

Peer-Reviewed Journals and Conferences

Self-Authenticating Traditional Domain Names [pdf] [code]
IEEE Secure Development Conference (SecDev 2019)
Paul Syverson and Matthew Traudt

KIST: Kernel-Informed Socket Transport for Tor [pdf] [acm]
ACM Transactions on Privacy and Security (TOPS 2018)
Rob Jansen, Matthew Traudt, John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson

Privacy-preserving Dynamic Learning of Tor Network Traffic [pdf] [data]
25th ACM Conference on Computer and Communication Security (CCS 2018)
Rob Jansen, Matthew Traudt, and Nick Hopper

Peer-Reviewed Workshops

Does Pushing Security on Clients Make Them Safer? [slides] [pdf]
12th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2019)
Matthew Traudt and Paul Syverson

HSTS Supports Targeted Surveillance [pdf] [foci]
8th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2018)
Paul Syverson and Matthew Traudt

Other

Tor’s Been KIST: A Case Study of Transitioning Tor Research to Practice [pdf] [arxiv]
Technical Report arXiv:1709.01044 [cs.CR] (arXiv 2017)
Rob Jansen and Matthew Traudt

Contact

Personal: sirmatt |at| ksu d0t edu
Tor: pastly |at| torproject d0t org
Work: matthew d0t traudt |at| nrl d0t navy d0t mil
GPG 0x83BCA95294FBBB0A
Reddit: /u/system33- and /u/pastlytor. Any other username claiming to be me is lying.


Shut up about The Hidden Wiki

Posted on 11 Nov 2019 by Matt Traudt

Last updated 22 Nov 2019 at 7:56 am

The focus/organization of this post is poor and it does not contain much technical information. You might want to skip this one.


I spent about an hour searching the web for the phrase "the hidden wiki" and collected all the resulting websites I could find that called themselves that or some slight variation of that. I searched using DuckDuckGo, Ahmia, something called OnionLand Search, and something called Tor66*.

After deduplication, I found 48 websites, of which 46 were up right now. 40 sites were onion services. 40 onion services that you can easily find that all call themselves the hidden wiki. When someone asks "hey, how do I find cool onion services?" and you respond with "look up the hidden wiki," which one are you talking about? Does it even matter? Do you even care that they will probably type "the hidden wiki" into the URL bar of Tor Browser, which defaults to searching with DuckDuckGo, which doesn't even index onion services, so they're going to visit something like thehiddenwiki.org? Is that really what you were intending?

Let's assume for a little bit that when you say "the hidden wiki," you're talking about a specific one and you have the means to easily pull it up again. It has also somehow established itself as trustworthy: it doesn't link to scams, doesn't serve you malicious JavaScript, etc. Whatever. How the hell is anyone supposed to find it? The more-secure web composed of onion services (colloquially and stupidly referred to as "the deep web") does not yet have good search engines*. There are no good reputation tracking systems. The ones that exist look easily gameable or malicious themselves. Good results don't just rise to the top. Imposters don't get crowded out. *No one knows which "hidden wiki" you're


You want Tor Browser ... not a VPN

Posted on 17 Oct 2019 by Matt Traudt

Last updated 28 Oct 2019 at 2:28 pm

In most cases.

Untruth: VPNs protect you from local network hackers

This is usually claimed in the context of open WiFi networks such as those at airports or coffee shops, and is basically correct. As long as you have a reputable VPN company and they set up their software correctly, then VPNs help.

A little.

Today, well over 2/3 of web traffic is protected by TLS, and all (not scientifically determined, just a baseless claim by me) of the sites worth using have and force HTTPS on clients. TLS and the CA system have their issues, but your average little coffee shop hacker is not going to be able to attack them or convince your browser to downgrade to clear text, so you were already fine. All this hacker is going to learn is the sites that you are visiting: not your account name, not your password, and not what you do on that site.

Claims that VPNs protect your passwords or bank accounts or that they add any meaningful amount of security/privacy/anonymity in this context inside your home are bullshit.

VPN vs Tor Browser

In this context, since the VPN wasn't doing much of anything to begin with, they are essentially the same. Tor (thus Tor Browser) is in fact built correctly to disallow anyone from ever intercepting and reading the traffic between you and your guard relay. If your chosen VPN isn't (good luck figuring it out), then Tor (Browser) is better. But honestly, your VPN is probably just as good.


Stop Visiting Randomly-Generated Onion Services

Posted on 24 Jan 2019 by Matt Traudt

Last updated 08 Nov 2019 at 6:17 am

If you've written a script that tries to access random onion services, or all onion services in order, or something else that attempts to brute force the namespace of onion services ...

You don't realize how unlikely it is that you will ever find a working link.

Let's put that tiny number in some context. How about Powerball?

You will never find a working onion service by randomly clicking on links on my list of all onion services or by randomly generating links and trying them.

By trying you are wasting Tor network resources. This isn't a problem if you


Creating Private V3 Onion Services

Posted on 19 Jan 2019 by Matt Traudt

Last updated 08 Nov 2019 at 6:17 am

This post is about v3 onion services with 56 characters in their name. For the old post for creating private v2 onion services, see here.

In that old post I talked about some of the great features of Tor onion services. The features still apply with the new onion services: they are still end-to-end encrypted, they still assure you that it is impossible for anyone to modify your traffic, etc.

Regular v3 onions fix the issue that v2 onions had where a malicious HSDir could snoop and learn about onion services that the owner literally never advertised. This is great: you no longer have to make your onion service require authorization in order to avoid malicious HSDirs. If you never tell anyone your v3 onion address, no one will ever know it exists.

Regardless of whether you're okay with people knowing your v3 onion address or not, what if you still wanted to require people to know a secret key in order to be allowed to connect to your v3 onion service? You can do that now.

Here's how you set this up.


About to use Tor. Any security tips?

Posted on 19 Jan 2019 by Matt Traudt

Last updated 08 Nov 2019 at 6:40 am

If you're going to browse the web, use Tor Browser. Don't try to make Firefox, Chrome, or something else proxy its traffic over Tor. There is no combination of settings tweaks that produces as good of a product as Tor Browser. You will be essentially uniquely fingerprintable. You will not get Tor Browser's awesome state and traffic isolation.

The rest of this post assumes you want to browse the web.

Read Tor's suggestions on their download page.

This is where most people should stop giving concrete advice without knowing your adversary model. Nonetheless they keep going and suggest ...
