Tor In 2020, What Changed?
Tor was published back in 2002, which means that it's finally 18 years old. But what's the status quo of Tor?
Ohhh Tor. As of the 20th September 2020 you're finally 18 years old. So far you've served the people all around the world who use your service and depend on your privacy design really well. Even though all kinds of national services have tried to deanonymize your network, you mostly stood strong. But how have you grown and changed in all these years?
While I'm not going to dig too deep into the past, I'll perhaps mention some changes which are rather subjectively important to me, as well as some other stuff I find interesting, stuff I'm speculating about and my wishes for Tor in the near future.
Onion service protocol v2 vs v3
First off, probably one of the most important updates in Tor's history (even though it's relatively old by now): the change from version 2 to version 3 of the onion service protocol. But what exactly changed and what are the improvements? Glad you asked!
V3 uses SHA3/ed25519/curve25519
V3 finally replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519. As a short explanation this just means "better crypto" (as in cryptography, not cryptocurrency).
Finally a cleaner codebase
V3 finally meant a cleaner codebase. Yes, keeping your code clean and easy to read is important for maintaining it and keeping it secure. Sounds reasonable, ehh? All in all a welcome change back then, and something some software projects still struggle with today.
Longer addresses
In the "new" v3 release onion addresses are 56 characters long. This makes it harder to brute-force addresses. In comparison, v2 onion addresses were only 16 characters long.
Tor and the "dark web" in the press
Ahhh yes, who doesn't know these spectacular headlines about Tor and the dark web. Criminals here, drugs there, child abusers everywhere. The press is still one of the most threatening things for Tor. It's often portrayed to only be used by criminals and the like, even though most people use it for regular browsing in the hope of not being tracked.
Arguably a headline that says "Infamous dark web drug dealers finally caught" sells better than "Some people using new browser to protect their privacy". If the headlines were like the latter, the newspaper would most likely go broke very fast. It's generally a problem with the press, journalists and perhaps most importantly the mindset and thinking of the average folks. We always look out for drama, no matter if it's a local car crash or something of national or even international relevance. All of this also led to the typical hacker stereotype and all the fuss that surrounds it, but that's going too far off topic for this post.
Tor for everybody
Finally, Tor for everybody. But what do I mean by that? Simple: after a really long time Tor "recently" became way more user friendly and got a fresh redesign. Instead of the old, rather realistic-looking onion on the start page, there's finally a more modern design. If you wanna learn a lesson from Tor for your next security software, product, project or however you wanna call it, learn this.
If the result isn't user friendly and intuitive, people are either simply not gonna use it, or they'll use it the wrong way. Yes I know, we are the people in infosec and we know all this, but in the end it's not about us, it's about the end user. So if the end user can't intuitively use your product, their information is at risk. This is what information security is all about in the first place, so as a community we should focus on being more friendly and work towards a more "inclusive" community for the people who will actually use our products in the end.
People are becoming more conscious about privacy
At least that's my observation. Thanks to Covid19, people (at least here in Germany) are getting recommendations from the government to install a Covid19 tracking app. While the app itself is absolutely fantastic, considering privacy settings and the functioning of the app in general, many people are still weirded out by the thought of installing a tracing app which is recommended by their government. Even if the app technically doesn't pose a threat to the privacy of these individuals, they at least question it. This will hopefully make a broader spectrum of people understand the value of their privacy and how they can protect it. One of these many ways being Tor.
An onion revolution
The Mozilla mega disaster
Finally, there are some changes I'm wishing for in the near future, and much more beyond that. I hope that the Tor project and the main developers can somehow find a way to keep the browser updated, since Mozilla laid off 250 employees this August. This of course is something really terrible for each individual developer who was affected by this, but it's even worse if you look at how much everybody else is affected.
First off, Mozilla basically has no security team anymore and, as far as I know, nobody doing DFIR anymore. They basically screwed over their entire security team, even though it's so important to have one.
Secondly, Chromium is becoming the standard. This is yet another terrible thing to happen. Chromium basically already has a monopoly, but since this incident it will most likely become even worse than we ever imagined. I think nobody wants a Chromium-only web. We basically all want to have more diversity in the ecosystem and be able to choose between different things. This to me is basically the nail in the coffin for that idea.
Thirdly, Tor is dependent on Firefox. It's a disaster really, because since Mozilla has essentially no security team anymore, the people over at the Tor project will have to make up for that in their browser. While Tor is used by many, it unfortunately doesn't have "a lot" of contributors, at least not enough in my opinion to do all this extra work.
Phew. That was a quick emotional outburst. Anyway, let's continue with my hopes, shall we?
Tor diversity
Tor has always been stigmatized in many ways. I'm not going to go further into this, but I wanna imagine that more people start to maybe make their own personal blog, either because they can just host it from their own personal computer and don't have to buy a domain, or because they can freely talk about situations and daily life in their country. There are many more reasons as to why you would want to do this obviously. Also I wish that more websites will support WAI-ARIA, so truly everybody can use these websites.
Besides just making websites, I also hope that more services will use Tor to eventually enhance the privacy of their service. Obviously you can't just slap onion services on your software and call it a day, but I believe there's a lot of unused potential which is yet to be discovered and used. I'm not even talking about only messaging services here; it has a way wider application than just that.
Finally, I hope that more people are gonna start running nodes and contributing to the network. After all, Tor is dependent on the masses and the individuals. The future may not be bright right now, but hopefully it eventually will be.
Thank you for reading.