Attacks on Onion Discovery and Remedies via Self-Authenticating Traditional Addresses

TL;DR

This paper identifies vulnerabilities in onion address discovery mechanisms that threaten security and privacy, and proposes self-authenticating traditional addresses (SATAs) as a solution to enhance security and broaden access.

Contribution

It introduces SATAs, a novel approach that embeds onion public key commitments into DNS addresses, countering discovery-related vulnerabilities and enabling self-authenticated access outside Tor.

Findings

Discovery mechanisms are vulnerable to hijack and tracking.

SATAs effectively mitigate discovery vulnerabilities.

SATAs enable secure access from non-Tor browsers.

Abstract

Onion addresses encode their own public key. They are thus self-authenticating, one of the security and privacy advantages of onion services, which are typically accessed via Tor Browser. Because of the mostly random-looking appearance of onion addresses, a number of onion discovery mechanisms have been created to permit routing to an onion address associated with a more meaningful URL, such as a registered domain name. We describe novel vulnerabilities engendered by onion discovery mechanisms recently introduced by Tor Browser that facilitate hijack and tracking of user connections. We also recall previously known hijack and tracking vulnerabilities engendered by use of alternative services that are facilitated and rendered harder to detect if the alternative service is at an onion address. Self-authenticating traditional addresses (SATAs) are valid DNS addresses or URLs that also contain a commitment to an onion public key. We describe how the use of SATAs in onion discovery counters these vulnerabilities. SATAs also expand the value of onion discovery by facilitating self-authenticated access from browsers that do not connect to services via the Tor network.