There isn’t a centralized directory managed by the Tor Project. Instead, it’s more of a distributed hash table formed by every relay with the HSDir flag (currently 4776 of them, metrics.tpo shows only the first 2k).
To answer the question in the title, no, onion addresses aren’t visible to those HSDirs, even though they are storing the descriptor. They only know the blinded public key, which can’t be tracked back to an onion service address (but knowing an onion service address, it is possible to compute this blinded public key). This is one of the improvements of onion service v3 against the now disappeared onion service v2 (which had shorter names).
And for the question in the message: to remove an entry, you’d need to convince/compel the operators of these relays (which are numerous, in numerous jurisdictions, and possibly not publicly known) to stop serving directory requests related to that onion service (and you’d need a modified version of tor that supports doing just that). Relays that comply could also be at risk of being considered as Bad Relays, given they don’t abide by the rules.
So removing onion services isn’t strictly impossible, however it is impossible for the Tor Project, and would require cooperation from the majority of relay operators.
If you want to make this kind of thing ever so slightly harder to pull off, you can learn about how to become a relay operator.
Since the original thread was locked, here is a follow-up question. If I understand your post correctly, a malicious relay operator could compute the blinded keys of an onion address they know and then drop the descriptor?
Does each relay use the same blinded key, or are there multiple blinded keys for one onion address?
> a malicious relay operator could compute the blinded keys of an onion address they know and then drop the descriptor

That’s a dangerous game to play, but yes. Also that would have a limited impact, descriptors are uploaded to multiple relays, and which ones a given onion service uses changes daily.
> Does each relay use the same blinded key, or are there multiple blinded keys for one onion address?

Relays don’t have blinded keys. An onion service uses one blinded key at a time, which it sends alongside its descriptor to the relays that serve as its directory today. (There can actually be two blinded keys concurrently around the time they get rotated, in which case that would be 2 distinct sets of relays.)
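The sketch below is an added illustration, not part of the thread and not the tor project's code. It shows how the HSDir hash ring picks the relays that store a descriptor for one blinded key, and why that set changes from one time period to the next. The index formulas and the default values (2 replicas, 4 storing relays per replica, 1440-minute periods) follow the v3 rendezvous specification as understood here and are assumptions; relay identities, blinded keys and shared random values are constructed sample data.

```python
import bisect
import hashlib
import struct

PERIOD_LENGTH = 1440       # minutes per time period (spec default, assumed)
ROTATION_OFFSET = 12 * 60  # minutes; periods start at 12:00 UTC (assumed)
N_REPLICAS = 2             # hsdir_n_replicas default (assumed)
SPREAD_STORE = 4           # hsdir_spread_store default (assumed)

def int8(n):
    return struct.pack(">Q", n)  # 8-byte big-endian integer

def time_period(unix_seconds):
    return (unix_seconds // 60 - ROTATION_OFFSET) // PERIOD_LENGTH

def hs_index(blinded_key, replica, period):
    data = b"store-at-idx" + blinded_key + int8(replica) + int8(PERIOD_LENGTH) + int8(period)
    return hashlib.sha3_256(data).digest()

def hsdir_index(identity, srv, period):
    data = b"node-idx" + identity + srv + int8(period) + int8(PERIOD_LENGTH)
    return hashlib.sha3_256(data).digest()

def responsible_hsdirs(blinded_key, relays, srv, period):
    """Relays that store the descriptor for this blinded key in this period."""
    ring = sorted((hsdir_index(r, srv, period), r) for r in relays)
    positions = [idx for idx, _ in ring]
    chosen = []
    for replica in range(1, N_REPLICAS + 1):
        start = bisect.bisect_left(positions, hs_index(blinded_key, replica, period))
        picked = 0
        for step in range(len(ring)):  # walk the ring clockwise, wrapping around
            relay = ring[(start + step) % len(ring)][1]
            if relay not in chosen:    # skip relays taken by an earlier replica
                chosen.append(relay)
                picked += 1
            if picked == SPREAD_STORE:
                break
    return chosen

def fake(label):
    """Constructed 32-byte sample value standing in for a real key or SRV."""
    return hashlib.sha256(label.encode()).digest()

RELAYS = [fake(f"relay-{i}") for i in range(200)]  # constructed relay identities
DAY1 = time_period(1700000000)
DAY2 = DAY1 + 1
SET1 = responsible_hsdirs(fake("blinded-key-day1"), RELAYS, fake("srv-day1"), DAY1)
SET2 = responsible_hsdirs(fake("blinded-key-day2"), RELAYS, fake("srv-day2"), DAY2)
```

Because the blinded key, the shared random value and the period number all feed the hashes, a relay that holds a descriptor in one period has no special claim on it in the next.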
This is indeed a dangerous game that I don’t want to see played. That’s why I wanted to know how it currently works. From what I’ve learned, relay operators could argue that they didn’t know what the blinded key belonged to, which is why they didn’t delete it. So, there is at least some plausible deniability.
What are your thoughts on possible solutions for when this becomes a real problem? The simplest solution would be to publish new blinded keys more often, perhaps on different servers. It might also be possible to have the Tor team enforce marking dropped relays as malicious. Anything else?