The reality of hidden service's security

I have a more or less general question about the security of Tor’s hidden services.

I’m asking this here, in the Whonix forum, because:
a) I want to set up a hidden service with Whonix

and

b) I need an answer from someone with the right expertise in this matter. So I figured that Whonix developers and “hardcore” Whonix users probably have this expertise.

First of all I want to clarify a few things:

  • I know that nothing is or ever will be 100% secure
  • I know that no one can give me an exact answer
  • I know that no one, besides myself, is responsible for my actions. And only I am accountable if things go sideways.
  • I am not looking for detailed technical answers.
  • I am not looking for links to other articles, blogs, forums where a similar topic or question might have been discussed before
  • I have already been reading countless blogs, forums, articles, guides and so on for months (this includes of course whonix.org and torproject.org)
  • I am new to using Tor (TBB, Tails, Whonix, HS), Linux, PGP, BTC etc. (like I said, I started a few months ago)

So what I need is an educated guess / opinion from qualified people. (I would consider Whonix developers, Tor developers, Tails developers, Qubes developers, EFF people and CCC people as qualified. Of course it is not limited to this crowd; those are just examples to give you an idea what I’m talking about.)

The Question:

How secure (in the sense of traceability) is a hidden service? (one which is run or maintained in North America or Western Europe)

The problem(s):

  • even after months of research, reading and experimenting with (and about) Tor, Whonix, Tails, PGP, hidden services, anonymous surfing, emailing and so on, I’m still not sure how secure a hidden service is (properly set up, of course).
  • this is because:
    - lots and lots of information is way too technical for a “noob” to understand
    - lots of information is pretty outdated
    - blogs, media, news and tech websites spread wrong and “half-true” information, e.g. “Researchers found out that countless hidden services can be de-anonymized within minutes”, “Tor is broken: Tor users can now be easily tracked down” and so on…

I’m splitting my question into two parts:

First part:
Has a hidden service been taken down / de-anonymized / its owner been arrested because of a flaw within tor or a flaw in hidden services in general?

So far I couldn’t find one report, article or whatever which clearly states that a three-letter agency or whoever was able to arrest someone or take down a hidden service because they “cracked” Tor or something like that.

Let’s look at the darknet markets as an example:
There have been quite a few “busts” of markets and dealers since the famous takedown of the Silk Road. BUT as far as I could find out, none was because they were able to track down a hidden service or to “crack” Tor to find out who the owner of a hidden service is.
It looks to me that all those busts and arrests were possible just because of “good ol’ fashioned police work”, i.e. undercover agents infiltrating markets and communities, bad opsec of those people who got arrested (including “stupidities” like advertising your own darknet market with your official email, as the alleged founder of the original Silk Road did), “snitching” and people who tell on other people when they are interrogated to get off the hook or get a reduced sentence…

Also here on whonix.org (somewhere) it says that no known “exploit” has been used in “the wild” to de-anonymize a Tor hidden service… also on the Tor website(s) I read that all those ways to track down / trace back / de-anonymize a hidden service are just “theories”… research papers based on limited experiments in a controlled environment.

I think the takedown and arrests connected to Freedom Hosting were also caused by human errors of at least one person involved in Freedom Hosting and not because they actually traced down the server locations through technical means (hacking or traffic correlation etc.).

So if that is still true, that would mean that a hidden service itself is damn secure to own/maintain/run, and that, at least in the last 2-4 years, no HS was really “cracked”.

Is this correct?

Second part:
How risky would it be for ME to run my own hidden service from home with Whonix?

Like I said before, I need a serious, educated guess from qualified people… I’m NOT looking for an official confirmation… so please no standard “disclaimer answers” like “don’t rely on Tor or Whonix if you really need anonymity”… no one needs to be worried about getting “sued” or whatever ;)… we are talking just in theory and just about educated guessing… :slight_smile:

Further information about what I want to do, how and my situation:

I want to run a hidden service with Whonix from “home”.

I would:

  • Be located either in North America or Western Europe.
    In a big city, e.g. NYC, L.A., Paris, Berlin, London…
    So that would mean I’d be “surrounded” by quite a number of other Tor users, a reliable power grid, a decent constitutional rights framework, more or less effective privacy laws, decent citizens’ rights and so on…
    but of course also the illegal activities of intelligence services (European and American) and unconstitutional behavior of governments (like the behavior of the U.S. government towards whistle-blowers and the behavior of European countries towards Snowden and the WikiLeaks founder Assange).

  • On a “clean” host computer (meaning: without malware, viruses etc.)
    No compromised software or hardware to begin with.
    (We assume built-in hardware backdoors don’t exist… or at least not in my computer.)

  • I’m not already under “targeted surveillance”
    … just under the “normal” mass surveillance everyone is a victim of, and a “little bit” more suspicious because of regular use of Tor… which puts me in a group of millions of other Tor users in North America or Western Europe… so a bit more of a “possible suspect” than the 80-year-old granny who doesn’t even have a PC, but still far away from being really interesting for “them”.

  • My activity would draw attention really fast.

  • Staying anonymous is essential! And “they” would try to de-anonymize me really fast.

  • My opsec would be flawless

  • I’m a Linux and Tor noob

  • I’d use nested VPNs (without a money trail)

So, what are the educated guesses, based on facts and knowledge, about the risks for me of running a hidden service with Whonix from home?

(FYI: I have only two options: to go through with it or to drop it. If I go through with it, I have to use a Tor HS anyway; the question is doing it myself or with a third-party host (who would have my private keys) or a VPS (where the host could easily get access to my HS and private keys). A dedicated server is too expensive for now and maybe, as a noob, not really ideal anyway. Also doing things in person is not an option; that would require lots of time, lots of traveling and lots of money. Dropping it isn’t really an option either, unless it’s like “Drop it or …”, in which case I would have to drop it, of course. But this would be really, really bad, because this thing is about a really serious worldwide issue, I have prepared for 5 years for this and as far as I know no one is at the moment actively and effectively working on this, and time is really of the essence in this matter.)

After you have done your research, I am not sure what else I could contribute. There are too many assumptions, variables, known and unknown unknowns for any more definitive statements. Too many people involved. Everyone needs to trust some people.

The credo “the more effort, the safer you can be” still applies. And I don’t see any way around that. Hidden services: if you can, host them at a third-party location so that you yourself can stick to using Tor as a client. And depending on how often you need to administrate the server, you can also combine this with non-Tor-related anonymity, such as going far away, buying a new notebook, using a free wifi and setting up the server from there. Not very practical, but “the more secure, the less practical” unfortunately also applies.

Of course it is impossible to make a definitive statement. That’s why I asked for an educated guess ;).

So I assume that I was right that, to this day, there is no known exploit being used in real life to trace a hidden service back to its location? And all the “famous” busts (Silk Road I-III, Freedom Hosting, Babylon, and what not) all happened because of bad opsec, people telling on other people and stuff like that, but not because of a “hole” in the security of Tor’s hidden services, right?
(I’m just talking about the known events reported by the media… of course we don’t know what abilities some secret agencies have, but I would guess they would “bust” some people now and then too, just to give the public some sort of justification for getting billions for their budgets and violating the constitution and human rights (i.e. the right to privacy).)

And if such an exploit or technique doesn’t exist yet, it should be pretty safe to run a hidden service from home and with Whonix. At least temporarily. Of course only if the operator “won’t shoot his own foot” and isn’t the only one in his country (or area) using Tor or something to obviously hide his online activities (i.e. a VPN). Like I described before in the scenario.

I mean there are so many darknet markets (countless) and other illegal (Hell II or III) and nasty illegal hidden services. So isn’t that some sort of proof that hidden services are damn secure? Otherwise the authorities would have a field day every week taking down a bunch of hidden services and arresting people.

Of course those “pros” don’t run their sites from home. Still, their servers seem to be “untraceable”.

So you, Patrick, would also say, like many others, that when it’s critical, you’d better go with a server hosted by a third party… and since you are definitely an expert, I will follow your recommendation.
Thank you.

Can’t make an educated guess either. Same reply as before applies.

Yes, to my understanding also, the famous busts happened due to poor opsec.

The best reply I know on this topic is the first response to the question posed at this link:

http://www.cryptome.org/2014/11/what-is-good-crypto.htm

How secure are Tor hidden services? They are as secure as any other technology–which is to say…

“In general, no person can independently audit all security-critical parts of any system. Thus, security relies on trust. You trust chip designers, design IP vendors, EDA tools vendors, the chip fabricator, the fab employees making masks, the supply chain of your system integrator, the system integrator itself, the OEMs who write microcode and firmware, the distribution chain from those OEMs to your actual device, the software vendor, the distribution chain from the software vendor to your actual device, the supply chain of that vendor (was their compiler compromised?), … and the list goes on. In all, you must, whether wittingly or not, trust literally millions of people and companies, and a violation of that trust at any one point can destroy your entire system security.”

Here is an educated guess to your question:

  • My activity would draw attention really fast.
  • Staying anonymous is essential! And “they” would try to de-anonymize me really fast.
  • I’m a Linux and Tor noob.

DO NOT RISK DOING THIS FROM YOUR HOME!

While there is not a known “exploit” or “crack” to hidden services themselves, there are systemic vulnerabilities and some highly technical configuration risks with operating hidden services that can lead to de-anonymization.

First off, as has been discussed by core Tor people on their blog and site recently, hidden services technology is currently outdated and weaker than it should be. They are currently developing brand new stronger hidden services technology for the future that will be much better and shore up some potential security risks.

However, a more fundamental issue is that your hidden service’s server location could be de-anonymized through active traffic analysis attacks. I think I remember this approach being used in some of the high-profile takedowns/busts of hidden services. Your hidden service server is just there, live, accepting traffic and sending out responses. So a government can “ping” your server all day using different patterns of traffic, and then use its “mass internet surveillance” network of ISPs to see where the traffic flows in the world, narrowing you down to specific regions, then cities, then ISP, then customer account. And doing things like having ISPs momentarily turn off your internet, reset your modem, slow your traffic, and more to watch and confirm it is your network that their “pings” are ultimately going to. Stuff like that, combining active and passive traffic analysis, based on your Whonix HS server just sitting there responding to requests.

The traffic analysis attack on hidden services is the main reason not to do this from home or link your identity to the server in any way.

To do it “safely”:

  • Get a new laptop and external wifi card, purchased anonymously with cash, no shipping to your home, install and use Whonix on it

  • Only ever power on that wifi away from your home and connect through other people’s anonymous open wifi

  • Only ever connect via Tor to your remote server and don’t do normal personal web browsing and other personal stuff on this laptop

  • A takeover of your server could inject your admin laptop with malware to beacon your identity, so this whole isolation of the laptop you use to administer the remote server is necessary too

  • Get totally anonymized cryptocurrency

  • Purchase foreign VPS or dedicated hosting account through Tor in a country with decent laws and non-compliance with your country

  • Install VM system on server and install Whonix on VM system

  • Host hidden service in Whonix-Workstation on your server

  • This setup may be pretty hard for a Linux noob, so maybe hire a freelancer to produce step-by-step instructions and security measures to employ, but don’t have an untrusted freelancer access your live server; just have them provide reproducible instructions

  • Learn about advanced Tor settings and OS and web security

  • Ensure your software is up to date and not using vulnerable versions (often distros like Debian offer older vulnerable versions of VirtualBox, web servers and such, so manually installing newer versions might be necessary)

  • Think about encryption on server so it is harder for hosting company to become suspicious and turn against you

  • Have a consistent remote backup system via Tor to another hidden service server so that if your server gets compromised you can get the data and relaunch it on another server

  • Your hidden service private key could get stolen by a hacker and control of your hidden service taken away from you this way, so I would make multiple onion addresses and publish a GPG-signed statement of alternative onion URLs for users to check if this one ever gets hacked… the next-generation hidden services are going to have the ability for offline private keys, but currently the private key must be on the server and available for theft

  • Always assume your hidden service server has been hacked into and your local administration laptop has been hacked into via malware placed on your hidden service server and don’t put any personal information on either machine unless you are okay with such information being known to all

Again… DO NOT RISK DOING THIS FROM YOUR HOME!

Good luck! :wink:

On another note.

If you were running a clean Macbook with VM and Whonix, VPN paid with cryptoC, no personal info, only to be used away from home.

Could you use a mobile 3/4G dongle? You can get pay-as-you-go ones in my country. And they’re cheap, so you could get several and use them as ‘burners’, changing them all the time.

I know they give away your location due to GPS, but if you moved around, say in a car in a random way, when accessing your anonymous setup, would that work better than cafés with wifi? It would certainly be quicker than most café wifi.

[quote=“PS1, post:7, topic:1312”]On another note.

If you were running a clean Macbook with VM and Whonix, VPN paid with cryptoC, no personal info, only to be used away from home.

Could you use a mobile 3/4G dongle? You can get pay-as-you-go ones in my country. And they’re cheap, so you could get several and use them as ‘burners’, changing them all the time.

I know they give away your location due to GPS, but if you moved around, say in a car in a random way, when accessing your anonymous setup, would that work better than cafés with wifi? It would certainly be quicker than most café wifi.[/quote]

That is not as secure a setup.

It may work for something more casual than what the OP described though.

Your weaknesses are:

MacBook hardware and OS screwing you. These companies don’t have good track records or motives. Rather use more freedom-respecting open source stuff.

Mobile ISP, independently or with the government, being able to de-anonymize you pre-internet with network and behavioral analysis. Burners won’t solve this, only maybe help a little.

Mobile ISP dongles could hack your computer. Qubes could help to mitigate this.

Basically you are increasing your personal convenience at a cost of some of your security.

If your life/freedom is on the line, then it is probably not worth it.

Depends upon your own risk profile in life, as to whether you can tolerate your activity being de-anonymized or not. This determines how far you need to go to establish stronger security.