1. 51

The internet needs more hidden services, and Lobsters is now directly accessible via Tor at its official hidden service address:

http://lobsters3ik6yqwj.onion

In the tradition of OpenBSD network drivers, this was posted through the new hidden service.

  1.  

  2. 7

    Whats the upside of accessing lobsters via a tor hidden service versus accessing lobster.rs over tor?

    1. 7

      I won’t be able to see your IP address.

      1. 2

        Is it possible for onion sites to support SSL (I suppose a CA will sign anything if you pay?)? Currently it seems like using Tor to access https://lobste.rs/ would be a better choice.

        1. 4

          Facebook got one but they are special. No widely-accepted CAs have open registration for .onion addresses, AFAIK.

          Using Tor to reach lobste.rs requires an exit node in the middle to pass traffic between it and this server, so having a hidden service directly in the network just eliminates a source of contention. Despite not having an https scheme, the .onion URL is still completely encrypted from your browser to the lobsters server.

          1. 1

            I realized that after stepping away from my desk, thanks. Guess I’m used to always checking the URL bar when expecting SSL via the browser.

            1. 1

              I think TorBrowser should show something different for .onion URLs. The regular globe icon instead of a padlock does seem to promote that .onion URLs are less secure than an https URL that exits out of Tor.

        2. 1

          Wait, are you implying that you can see the IPs of users accessing lobste.rs via Tor? I’m curious about your deanonymization techniques…(and I suspect the NSA would be too).

          1. 1

            No, as tedu said, I misread artem’s post. If you access lobste.rs via Tor through an exit node, I just see the exit node’s IP.

        3. 4

          Besides evil jcs attacks, oppressive tech news hating regimes won’t be able to block access to the site. I wish the previous statement were as absurd as it sounds.

          (Actually, I think both jcs and I misread your question. Accessing the regular site over tor would work too, and also wouldn’t reveal your IP.)

          1. 2

            It never leaves Tor, preventing tampering from the ISP or other people

          2. 7

            Is this why all my logins expired?

            1. 5

              No, that was the upgrade to Rails 4.1.

            2. 5

              I recall at some point stumbling upon an extension or some sort that had a list of public hostnames (lobste.rs) and hidden services (lobsters3ik6yqwj.onion), and redirecting the public hostname to the hidden service. Kind of like HTTPS Everywhere, but for Tor.

              Anyone know what it is called? Or am I just making that up?

              1. 4

                Thanks for doing this, @jcs!

                1. 3

                  Doesn’t the fact that you need to be invited by someone to the site weaken security somewhat? You can always trace back to someone who knows who you are despite tor anonymity, no?

                  1. 1

                    Privacy doesn’t always equal anonymity. You don’t need to be completely anonymous to the endpoint to gain privacy, you just need to be anonymous to everyone and everything in between.

                    I personally think sites like these benefit from users having some kind of identity, which at this point just means that someone else is willing to say you are a person (or their sockpuppet).

                    Certainly there are many places and websites where users don’t need any identity and anonymity is important, but from my experience in having the “public invitation request” functionality enabled, it just brought in spammers and people that didn’t care about the community.