
Is this a strong enough push to change community behavior?



Doubtful. At some point it is likely the tor project will use their control of things to push a version consensus flag that will block v2 supporting relays from participating in the network.


I’ve not been following Tor protocol news. Is this good for users?


Yes, but like the IPv4 to IPv6 transition, it's work.


It's most like going from http to https in that it changes the fundamental systems beneath it, resulting in stronger keys, longer keys, composed with different tech. You notice the new onion addresses are much longer and created differently; this is that change.


Unlike IPv4/IPv6, there isn't an authority name service to advertise both connectable addresses. This makes discovery for the end user an explicit action.

If they cannot connect on v2, the method to discover v3 is almost definitely out of band and potentially prone to hijacking.


I thought there was some meta tag you could stick in your page's HTML that said what its onion address was; couldn't you just add that with the v3 onion address and clients connecting over v2 would see it and switch over just as if they'd started from non-TOR?


So it would be best if those services simply advertise their new address on the v2 domain right? Rather than sit still and lose their traffic when everyone's forced to, or when attacks really become feasible.

It's not even a hard upgrade, afaik it's literally just a change of what address users have to copy/bookmark and nothing else. I just don't get what the reason to not upgrade is.


> afaik it's literally just a change of what address users have to copy/bookmark and nothing else

...and all of the links that everyone has embedded in content all over the ecosystem.


Sure, but that's not effort on the site's behalf, so they can switch over and make the v2 show the redirect notice. If IPv6 had been this simple, just show a redirect, we'd have upgraded long ago...


How is that not the same thing then for your user bookmark case?


Yes, it probably is. Most people use tor because they just want a pseudoanonymous proxy to the clear web. For them the switch to v3 internally is important and probably required. For users of the .onion and onion services in general it's more split but I think most would say v2 going away is good. Soon it will be possible to spoof v2 domain prefixes at a feasible cost.

I personally don't like that v2 is being shut off instead of being left to run alongside v3. I thought I owned my Tor domain I've been using for the last decade, but it's clear the Tor project has the same amount of control as any registrar. I thought I could work on building a community like I have on the clear web, but the Tor project doesn't consider that a priority and will throw 15 years of history away to make sure non-technical users don't accidentally use v2 services. Tor is not really a place for community building. My mistake. I just won't use it anymore.


The deprecation of v2 addresses is the best course of action in this case. v2 addresses consist of the first 80 bits of the SHA-1 hash of the hidden service's 1024-bit public RSA key. This sentence alone is enough to make any cryptographer cringe; it is really bad! (SHA-1 has been shown to be broken, and it is suspected that 1024-bit RSA can be cracked by any determined, well-funded state actor.)

Also, Tor Project has had v2 address deprecation on its roadmap for 2 years now; they have given hidden service operators plenty of time to prime their community for the v2 --> v3 switch. This gradual change is way better than scrambling to deprecate v2 addresses in response to some state actor publicly breaking the RSA keys of v2 hidden services.

> I thought I owned my tor domain

You may now, but if v2 is kept around, soon you won't be the only one with the domain's private key.


> v2 addresses consist of the first 80 bits of the SHA-1 hash of the hidden service's 1024-bit public RSA key.

What is the danger of exposing the hash of the service's public key? Public keys are public anyway.


It's not the fact that the hash of the public key is exposed, it's the fact that

1. so little of the hash is exposed (only 80 bits of 160 for SHA-1), making it easier to find a collision

2. the hash is so weak (SHA-1 is widely considered broken), making it easier to find a collision

3. the underlying public key is so small, making it easier to derive the private key from the public key

IIRC if you find a collision you can use that to take over / contest an onion address, and obviously reversing the public key into a private key gives you as much control over an onion address as the original creator.
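To make the two address formats discussed in this comment and in the earlier one concrete, here is an added example (not code from the thread or from the Tor project). It derives a v2-style address (base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key) and a v3 address (base32 of PUBKEY || CHECKSUM || VERSION, with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 0x03, per the Tor v3 rendezvous spec), validates v3 addresses, and scans text for leftover v2 links. Both key values are constructed stand-ins, not real keys; `find_v2_links` is a helper of my own for operators auditing their content for v2 references during migration.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER-encoded 1024-bit RSA public key (NOT a real key);
# the real v2 scheme hashes the service's actual RSAPublicKey DER bytes.
SAMPLE_RSA_DER = bytes(range(256)) * 4 + b"constructed-sample-rsa-key"

# Constructed stand-in for a 32-byte ed25519 public key (NOT a real key).
SAMPLE_ED25519_PUB = hashlib.sha256(b"constructed-sample-ed25519-key").digest()

V2_RE = re.compile(r"^[a-z2-7]{16}$")   # 80 bits -> 16 base32 chars
V3_RE = re.compile(r"^[a-z2-7]{56}$")   # 35 bytes -> 56 base32 chars


def _strip_suffix(address: str) -> str:
    label = address.strip().lower()
    return label[:-6] if label.endswith(".onion") else label


def v2_onion_address(rsa_pubkey_der: bytes) -> str:
    """v2: base32 of the first 80 bits (10 bytes) of SHA-1 over the DER public key.
    Truncation to 80 bits is why the birthday bound for collisions is only ~2^40 work."""
    digest = hashlib.sha1(rsa_pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def _v3_checksum(pubkey: bytes, version: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def v3_onion_address(ed25519_pubkey: bytes) -> str:
    """v3: base32(PUBKEY || CHECKSUM || VERSION); the full 256-bit key is the address."""
    if len(ed25519_pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = b"\x03"
    payload = ed25519_pubkey + _v3_checksum(ed25519_pubkey, version) + version
    return base64.b32encode(payload).decode("ascii").lower()


def parse_v3_onion_address(address: str):
    """Return the embedded ed25519 public key if the address is a well-formed v3
    onion (correct length, version byte and checksum), otherwise None."""
    label = _strip_suffix(address)
    if not V3_RE.match(label):
        return None
    raw = base64.b32decode(label.upper())      # exactly 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != b"\x03" or checksum != _v3_checksum(pubkey, version):
        return None
    return pubkey


def classify_onion(address: str) -> str:
    """'v2', 'v3' or 'invalid' for a hostname or bare label."""
    label = _strip_suffix(address)
    if V2_RE.match(label):
        return "v2"
    if parse_v3_onion_address(label) is not None:
        return "v3"
    return "invalid"


def find_v2_links(text: str) -> list:
    """List the v2 onion hostnames referenced in a blob of text (a page, a link list),
    so an operator can find what still needs migrating. Hypothetical helper."""
    found = re.findall(r"\b([a-z2-7]{16})\.onion\b", text, flags=re.IGNORECASE)
    return sorted({m.lower() for m in found})


if __name__ == "__main__":
    v2 = v2_onion_address(SAMPLE_RSA_DER)
    v3 = v3_onion_address(SAMPLE_ED25519_PUB)
    # Constructed sample content mixing an old v2 link and the new v3 link.
    page = f"old mirror: http://{v2}.onion/  new mirror: http://{v3}.onion/"
    print("v2:", v2, classify_onion(v2))
    print("v3:", v3, classify_onion(v3))
    print("v2 links still referenced:", find_v2_links(page))
```

The v3 parser rejects an address whose version or checksum does not match, which is the check a client or a link-auditing tool should apply before trusting an address it found out of band.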


For 2) my understanding is that the security issues in SHA-1 are not relevant to finding preimages, which if I'm not mistaken is what you would need to take over an onion address. But maybe I'm mistaken.


I am curious: why can't you redirect your community to a new v3 address? Deprecating v2 onion services has been publicly planned for several years now, and it is being done for security reasons (e.g. name collisions and weak crypto). Honestly, it would seem irresponsible of the Tor community not to stop supporting insecure versions of Tor.


You may be interested in I2P then.



