[ohmygodel]

My understanding is that Facebook runs an onion service (aka hidden service) primarily because it allows them to easily manage their anonymous users separately from other users. "Management" might include separate security logic to identify fraudulent login attempts and avoiding the accidental blockage that occurs sometimes via automated blacklisting of Tor exits. They also get the benefits of a secure name lookup (unlike DNS), and, as you mention, end-to-end encryption that doesn't rely on the Certificate Authority system.

Other "notable" onion services include OnionShare [0], which sets up an onion service to enable simple anonymous file sharing, Ricochet, which is a P2P anonymous chat service that sets up an onion services for each chat participant, and SciHub [2], which provides most academic papers for free. Each of these has been widely reported in the mainstream press.

[0] https://onionshare.org/ [1] https://ricochet.im/ [2] https://scihub22266oqcxt.onion

[ryanlol]

>My understanding is that Facebook runs an onion service (aka hidden service) primarily because it allows them to easily manage their anonymous users separately from other users. "Management" might include separate security logic to identify fraudulent login attempts and avoiding the accidental blockage that occurs sometimes via automated blacklisting of Tor exits.

I'd be shocked if they didn't have Tor exit tracking already, literally everyone else in the space does.

>They also get the benefits of a secure name lookup (unlike DNS), and, as you mention, end-to-end encryption that doesn't rely on the Certificate Authority system.

The security of the name lookup relies on the crypto, but even without secure name lookups an attacker would still have to break TLS to defeat HSTS.

>Other "notable" onion services include OnionShare [0], which sets up an onion service to enable simple anonymous file sharing, Ricochet, which is a P2P anonymous chat service that sets up an onion services for each chat participant, and SciHub [2], which provides most academic papers for free. Each of these has been widely reported in the mainstream press.

Onionshare and Ricochet aren't widely used, scihub is still accessible over the clearnet.

[ohmygodel]

I'm not sure what you're arguing any more. Your argument started as that only Silk Road was a "notable" onion service, which you appeared to define as having "publicity". Then the argument became the Facebook doesn't really need to run an onion service. Now the argument seems to that there may be some reasonable alternatives to running an onion service for some notable use cases and that few people use the other notable onion services (and I don't see how you can be so sure of that - I and many people I know use them not infrequently).

But I think your original point has been effectively rebutted: there are several notable onion services other than Silk Road, and some of these are quite beneficial.

[ryanlol]

>Your argument started as that only Silk Road was a "notable" onion service

I never made such an argument, I said the dark net markets are as they're really the only sites receiving large amounts of .onion traffic. (Besides of course botnets)

> which you appeared to define as having "publicity".

We're talking about onionland in the media here, publicity seems like it would be one of the metrics that a journo would use when selecting notable examples of onion sites.

>Then the argument became the Facebook doesn't really need to run an onion service.

This seems to be a case of selective reading. I specifically stated,

>Facebook has no need to hide their origin servers, so their use of .onions is symbolic at best (besides as a TLS alternative) as any tor users would be better off browsing the clearnet version of the site.

I've highlighted the relevant part for you.

Lets say someone even manages to find the facebook onion address, which isn't a particularly easy task since seemingly the only part of their site where it's listed is the blog post mentioning it. For example https://www.facebook.com/help/ is of no use.

Now, lets say someone that's already using facebook over tor finds this address. Do you think they'll switch to it over facebook.com? I didn't, and I seriously doubt very many others did either. All it does is massively increase load times, modern browsers will already have FB certs pinned.

>But I think your original point has been effectively rebutted: there are several notable onion services other than Silk Road, and some of these are quite beneficial.

I'll agree on the other notable onion services, for example AlphaBay is far bigger and better than SR ever was.

[cyphar]

> The security of the name lookup relies on the crypto, but even without secure name lookups an attacker would still have to break TLS to defeat HSTS.

Which nobody enables for most websites because it's insane to pin your certificate if you're not Google.

> Onionshare and Ricochet aren't widely used, scihub is still accessible over the clearnet.

"clearnet" doesn't mean anything. Just because you can access it using DNS doesn't mean that the fact it has an onion address is irrelevant. Onion addresses provide several security benefits, and only one of them is "anonymity of the server". As for "not widely used", you appear to have redefined "only notable hidden services". Notable means "important" or "significant". I consider Ricochet to be quite significant.

[ryanlol]

>Which nobody enables for most websites because it's insane to pin your certificate if you're not Google.

Why?

>"clearnet" doesn't mean anything. Just because you can access it using DNS doesn't mean that the fact it has an onion address is irrelevant.

I think it kind of does when you can just type in "facebook.com" instead of "facebookcorewwwi.onion" and receive a significantly faster browsing experience while not missing out on anything. That's what most users will do. Not only that, the onion is hardly documented (the only mention I could quickly find on facebook.com was in a blogpost!)

> Onion addresses provide several security benefits, and only one of them is "anonymity of the server".

I am well aware, none of which are worth the extra 3 hops.

>As for "not widely used", you appear to have redefined "only notable hidden services". Notable means "important" or "significant". I consider Ricochet to be quite significant.

Ricochet is experimental, unreviewed and nobody should really be using it for sensitive communications at this time.

And why is ricochet particularly significant? It's just glorified torchat, not bitcoin.