by dogma1138 4184 days ago
There are legit hidden services indeed, but there is a question whether the legit ones actually need the protection TOR provides...

The sad truth currently is that the people who use TOR the most are the people who either do not need its protection or do not deserve it.

As much as we like to play the victim card, especially in light of the NSA scandals, the truth is that people in free countries don't really get into trouble for doing shit over the internet even when it's illegal (to some extent).

And no, I don't count the FBI knocking on your door if you post on Facebook that you are going to kill Obama, or the police arresting that Dutch teenage retard that tweeted she put bombs on 3 flights and told TWA(?) to figure out which, as a violation of privacy or civil liberties; those people deserved what they got.

On the other hand, if you live in a country where legitimate activities taken over the internet can land you in jail or worse, then even being suspected of using TOR will get you in trouble.

Even with all the improvements on masking TOR traffic, it is still fairly easily identifiable; heck, every entry-level internet filtering appliance can block TOR these days with a very high degree of accuracy, even when the user doesn't use public access nodes.

So TOR doesn't, and in its current state cannot, provide protection to anyone living under a regime that does massive deep packet inspection of internet traffic (and yes, I know the US technically qualifies for that too, but they are still not N. Korea, Iran, China, or Saudi Arabia).

The 2nd problem that TOR has is the fact that early adopters of such technologies tend to be criminals; the same was true with early P2P networks. Heck, I still remember trying to download Shrek off Kazaa or eDonkey and getting a ton of pedo pictures instead, and that was very common in the early 2000s...

But this was true of everything, from cellphones, which back in the 90s meant you were either a business douche or a drug dealer, to disk and phone encryption and offshore bank accounts.

P.S. Currently I actually have less trust in hidden services than I do in normal secure websites, after Facebook brute-forced their address (https://facebookcorewwwi.onion/), and according to them with relative ease. And since anyone holding the private key for the hidden service can update the directories and route all new traffic to them, I think it's not far-fetched that a sufficiently funded agency or an individual can do the same. So while I still consider onion routing to be relatively safe from eavesdropping, I consider all hidden services of sufficient importance to be compromised.

1 comments

Facebook only managed to brute-force the first 40 bits of their .onion domain name. They stated themselves that it would be almost impossible to brute-force the whole address.