The Older v2 Tor Onion Domain Name Format Is Axed In The Latest Tor Alpha Release

From LinuxReviews

The Tor Onion Router has supported location-hidden services with a special .onion address for a really long time. Support for .onion services was initially introduced in 2005. Tor dropped the first .onion format shortly after it was introduced and replaced it with a v2 format that is still widely used today. A new and improved v3 format was introduced in January 2015 and enjoys significant adoption. Onion service operators who haven't upgraded to a v3 onion service will be forced to do so this year, as support for the older v2 .onion format was removed with the release of Tor 0.4.6.1-alpha.

written by 윤채경 (Yoon Chae-kyung) and anonymous 2021-03-23 - last edited 2021-03-23. © CC BY

Tor illustration by Nancy Mushroom Kim.

The Tor v2 .onion address and service format, in use since 2005, has quite a few security problems. It uses RSA1024 for encryption, and the addresses are made using truncated SHA1 hashes. V2 onion service addresses (not locations) are also vulnerable to discovery by malicious HSDir relays. V3 onion services are not.

The Tor developers began working on a new and improved location-hidden service format in 2015. They worked on that for 3 years before Tor 0.3.2.9 was released with a new and improved v3 address format on January 9th, 2018.

You can quickly tell which .onion service format a location-hidden Tor service is using by looking at the length of its address:

  • 3g2upl4pq6kufc4m.onion would be a v2 address (that's DuckDuckGo, btw)
  • cfida4nbhkwohqnm3egmkkco2ey3tqrukt7axssuhovwfnwd6pghcyid.onion would be a v3 address (it goes nowhere, we just made one to show you what it looks like)
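
The length check above can be turned into a small audit helper for lists of onion hostnames (bookmarks, config files, link pages). This is an added example, not code from the article or from the Tor Project; it goes one step beyond length by also verifying the version byte and checksum that v3 addresses carry, as defined in Tor's v3 rendezvous specification. The function names and the sample key bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

V3_PREFIX = b".onion checksum"   # constant from the v3 address specification
V3_VERSION = b"\x03"


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from 32 key bytes (used here only for constructed test data)."""
    checksum = hashlib.sha3_256(V3_PREFIX + pubkey + V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + V3_VERSION).decode().lower() + ".onion"


def classify(host: str):
    """Return (fmt, ok) where fmt is 'v2', 'v3' or 'invalid'.

    For v3, ok tells whether the embedded checksum matches. v2 addresses
    (80 bits of a truncated SHA1 hash) carry no checksum, so any
    well-formed 16-character label is reported as ('v2', True).
    """
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return ("invalid", False)
    label = host[: -len(".onion")].split(".")[-1]   # ignore subdomains
    if not re.fullmatch(r"[a-z2-7]+", label):       # base32 alphabet only
        return ("invalid", False)
    if len(label) == 16:
        return ("v2", True)
    if len(label) == 56:
        raw = base64.b32decode(label.upper())       # 35 bytes: key, checksum, version
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version != V3_VERSION:
            return ("invalid", False)
        expected = hashlib.sha3_256(V3_PREFIX + pubkey + version).digest()[:2]
        return ("v3", checksum == expected)
    return ("invalid", False)


def v2_only(hosts):
    """Hostnames that stop resolving once clients drop v2 support."""
    return [h for h in hosts if classify(h)[0] == "v2"]


if __name__ == "__main__":
    constructed = encode_v3(bytes(range(32)))       # constructed key bytes, not a real service
    for h in ["3g2upl4pq6kufc4m.onion", constructed, "example.com"]:
        print(h, classify(h))
```

A v3 result with `ok` set to `False` usually means a typo or a truncated copy of the address, which the v2 format gave no way to detect.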

The shorter v2 addresses are the ones that are being phased out. This came as a surprise to those not familiar with core Tor's timeline and long-term plans. This release was extra surprising to some because the changelog accidentally did not mention the removal.

The Tor Project released a total plan for v2 address deprecation in July 2020. In it, they list "July 15th, 2021" as the date when v2 is to be removed from the 0.4.6.x branch and "October 15th, 2021" as the date when "We will release new Tor client stable versions for all supported series that will disable v2.".

A close-up inspection of our calendar reveals that it is, in fact, not July 15th, 2021. We are still in a time when the remnants of winter have not yet fully passed away and the mid-year festivities are still far, far out on the horizon. Yet the Tor developers removed support for v2 .onion services with the release of Tor 0.4.6.1-alpha on March 18th, 2021. This was done without updating the changelog, and thus also without a notice on the blog.

The Tor project released new stable-branch versions of all the Tor clients to address two Denial-Of-Service vulnerabilities on that same day. Those stable versions (0.3.5.14, 0.4.4.8 and 0.4.5.7) are still capable of accessing services using the older v2 format.

We asked experts within the Tor developer community if the original timetable for v2 eradication from the Tor network has been changed. It appears that it has not.

"It's (0.4.6.1-alpha) an alpha, not a stable release.

Alphas aren't for regular users. I don't see a problem here except I would have expected a changelog entry."

Anonymous source in the Tor developer community

The 0.4.6 series will be ready for regular users in July and it will not support v2 onion services.

Those hosting .onion services that are only available using the v2 format (looking at you, DuckDuckGo) should consider making v3 versions available now that there are versions of Tor in use that have dropped support for the old address format. The vast majority of human rights lawyers, political activists, intelligence agencies and others who use Tor will remain able to reach v2 services until July 2021. Those who use git and alpha versions are already unable to use v2 services, so it would be prudent to make v3 addresses available, if they aren't already, as soon as possible.

You can watch Antonela Debiasi's LibrePlanet 2021 presentation "Usable security for end-users: How Tor improves usability without compromising user privacy" to learn more about Tor and location-hidden .onion services.


Anonymous user #1

19 days ago
While it's a security improvement, it also introduces more attack vectors. It's reasonably difficult to get phished with vanity domains such as facebookcorewwwi.onion. I'm still not sure why they didn't go for .bit domains, since there was a test branch with those working perfectly.