[sdwisely]

"Tor Hidden Services" are services hosted on the tor network and inaccessible outside it.

Hosts are assigned a dns name <id>.onion so clients can connect to that service.

[mirimir]

OK, I'm being picky, I know. But the .onion hostname has no relation to DNS. It's just the hash of the site's private key, truncated to 16 characters.

[kodablah]

To be more picky, it's the SHA-1 hash of the public key, truncated to 10 bytes, then base 32'd which makes 16 chars. That's only for v2, v3 is a bit different.

[mirimir]

Damn, thanks :)

I'd forgotten that :(

And yes, v3 is a huge space. That is, several orders of magnitude larger than the IPv6 space. Which is itself humongous.

Edit: Oops. Got that very wrong. Onion v3 is orders of magnitude greater than IPv6 /64. But orders of magnitude less than IPv6 overall. It's like this, I think.

onion v2: ~1.84×10^19 [16^16]

IPv6 /64: ~1.84×10^19 (which is why OnionCat works)

onion v3: ~9.35×10^27 [56^16]

all IPv6: ~3.40×10^38

[kodablah]

For anyone curious, v3 is the 32-byte ed25519 pub key, then the first two bytes of the SHA3-256 hash of the key (w/ prepended fixed string and one byte appended), then one more const byte, and then all of those 35 bytes are base 32'd to make 56 chars. Some Go code to illustrate: https://github.com/cretz/bine/blob/f33268f0843a1b2b131a4cacf.... One benefit being that the entire pub key is right there in the hostname.

[sdwisely]

Absolutely fine to be!

I actually gave it a quick thought that I was curious how the hostnames were assigned but posted right before bed.

[mirimir]

Hey :)

Many would love having DNS for .onion addresses. And there's been much talk of a .onion domain.

[bambataa]

Is it not fairly trivial to link that to you? How can you make it anonymous?

[sp332]

In normal Tor usage, the client sends a request through three chosen hops, each of which only knows the previous and next hops, so the entry node doesn't know the destination and the exit node doesn't know where the request originated. But this only hides the client, because the client needs to know the server's address to direct the exit node where to send the request. So to hide the server, there is a symmetrical setup with three extra hops on the server's side, and a published "rendezvous" address in the middle. So the server connects to the rendezvous without revealing its real IP, and the client can direct requests to the rendezvous without knowing the server's IP.

[arthurjj]

^ is the most informative comment in the whole thread.

So by 'hosting' they mean being the rendezvous address?

[sp332]

If I'm reading this right, it actually hosted the websites but its IP address was hidden. I don't know if each site maybe got its own IP on the host, because after all I'd think it would be trivial for a customer to upload some code to unmask the host's actual IP. https://web.archive.org/web/20170830191551/https://hosting.d...

[mirimir]

If the .onion host is competent, they use iptables to restrict output to the Tor process.

[mirimir]

No, by "hosting" they mean shared hosting, with multiple .onion sites on one physical server.

Each of those .onion sites would have its own Tor entry guard relays, and would negotiate its own rendezvous points. An .onion service, just like a Tor user, selects a few entry guards that it uses consistently. And gradually replaces with new ones, over some weeks. But rendezvous points get picked fresh for each client-server connection.

[Filligree]

Only if you're omniscient in the network. No single node knows what traffic it's carrying, or that the next node the traffic is meant to be sent to is the final one.

[pavel_lishin]

"Web services" are hosted on the internet and inaccessible outside it.

"Chat lines" are hosted on telephone networks and inaccessible outside it.