3

I read about the Silk Road incident and wondered if it's possible for Tor relays to physically host services and distribute the load of executing the service across the network, while the service and the operator's identity remain anonymous.

That way, the service is decentralized and does not lead to the person's real identity.

I would like to create a PoC, but I'm not completely sure if it's theoretically secure enough to accomplish this, so I'd like to run it by this forum.

Hosting "web" hidden services with static files (such as HTML, CSS, JS, etc.) would be the easy part; it's exactly like p2p file sharing, but:

  • How could it be possible for Tor relays to execute the application code?
  • How can the web application hold stateful information for users?
  • Can data be tampered with by one of the many clients hosting the web service?
  • Is it possible for Tor to support the load balancing?
  • How can the website be updated by the developer?
  • Is there any other problem that I'm not aware of?

Kindest Regards

user646658

4 Answers

3

You could store the state in something similar to Bitmessage or Kademlia DHT.

Use some kind of a distributed database (like Freenet) to store the static content (images, HTML templates, scripts and such).

Then you would need a client program that is basically a local server to retrieve the data and process it (in a way that ensures the scripts don't leak or do anything otherwise nefarious, so no network access or access to local information). You can stick it in some kind of a virtual environment/jail. And finally make it accessible to a browser by hosting it locally (this browser should probably have JavaScript turned off, or itself be a virtual environment).

If you want the data to be publicly writeable then you would probably want to set up some kind of anonymous public/private key signing.

The main problem is the time. Bitcoin takes up to 10 minutes to authenticate a transfer. So there would be a while for your state change to propagate through the distributed network.

You also have to protect against spam. How do you ensure that I don't create a billion accounts and clog up the network? You could require proof-of-work similar to Namecoin. Or alternatively use a subscription-based service (my node will only process and store content of users I'm interested in; Freenet does something like that, except it's based on content accessed).
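The proof-of-work admission check suggested in the answer above, sketched as an added example; it is not part of the original answer and is not Namecoin's or Freenet's actual scheme. The hashcash-style stamp format, the `Node` class and the 12-bit difficulty are assumptions chosen for illustration.

```python
import hashlib

DIFFICULTY_BITS = 12  # constructed value; a real network would tune this


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def stamp_digest(pubkey: bytes, nonce: int) -> bytes:
    # Bind the work to one account key so a stamp cannot be reused for another.
    return hashlib.sha256(b"acct-v1|" + pubkey + b"|" + nonce.to_bytes(8, "big")).digest()


def mint(pubkey: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: search for a nonce whose digest has `bits` leading zeros."""
    nonce = 0
    while leading_zero_bits(stamp_digest(pubkey, nonce)) < bits:
        nonce += 1
    return nonce


class Node:
    """Storage node that admits a new account only with a valid stamp."""

    def __init__(self, bits: int = DIFFICULTY_BITS):
        self.bits = bits
        self.accounts = set()

    def register(self, pubkey: bytes, nonce: int) -> str:
        if pubkey in self.accounts:
            return "duplicate"
        if not 0 <= nonce < 2**64:
            return "rejected"
        # Verification costs one hash; minting costs about 2**bits hashes.
        if leading_zero_bits(stamp_digest(pubkey, nonce)) < self.bits:
            return "rejected"
        self.accounts.add(pubkey)
        return "accepted"
```

Because the account key is hashed into the stamp, every new account costs its creator fresh work, while the node spends a single hash to check it.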

1

The sixth Immutable Law of Security states, "A computer is only as secure as the administrator is trustworthy," so it is theoretically unsafe to host a service in a Tor relay, especially if you don't know the administrator. Actually, the same goes for any hosting service provider -- you never know who is working there -- but I'd be more worried trusting a Tor relay.

It's possible to execute encrypted code with "Homomorphic Encryption." This is still under research and development and has been for the past decades, but there has been huge progress this year with its performance. Fujitsu thinks it can have commercial applications ready by 2015.

http://www.fujitsu.com/global/news/pr/archives/month/2013/20130828-01.html

To my knowledge, homomorphic encryption can only protect confidentiality, so you'd still have to trust the administrator with integrity. The same problem remains though: if your IP is unmasked, your service can be physically taken down and your real identity is at huge risk (especially if you once logged in with your real IP or paid the host provider with your credit card.) A decentralized, peer-to-peer network would help in this case, but I think Tor shouldn't be involved. This deserves its own network.

How it should be implemented is a difficult question to answer. David C. Bishop's suggestion is one way of doing it (see his answer), but as mentioned, it is off-topic and not related to Tor, just anonymity.

I would like to further discuss the possibility of creating an anonymous p2p host providing network. If anyone can suggest the appropriate place to take this discussion, please say.

& Thank you to mirimir and David C. Bishop. Your answers were very helpful. :)

user646658
1

This is the way to go, I think. Data and servers hidden in meatspace are clearly dead roads. Tor hidden services are only hidden until adversaries find the servers while they're running ;)

Also, porting standard Internet systems to networks of hidden services is painful. Better would be building normal networks among hidden services, using aggregated links that are fast and fault-tolerant. Data would be stored in fragmented and redundantly-distributed filesystems such as Tahoe-LAFS. Servers would be light and mobile VMs, able to migrate (or die and be reborn) across the network to handle load, and to respond to threats. Also, servers would be generic, pulling their configuration and data from the distributed filesystems, and updating state in real time.

Given fragmentation and redundant distribution, individual hidden services would hold only encrypted pieces of various components. That provides strong plausible deniability, much like running a Tor relay.

Only the first piece of this is on-topic for tor.se, and it's arguable that it's largely so as a threat like BitTorrent ;) You can find me at 0x17C2E43E.

mirimir
0

You could run a Tahoe-LAFS grid inside Tor to have a distributed, plausible-denial filesystem. To serve this filesystem(s) over out-of-the-box webservers you might be interested in https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2144 .

amontero