Thoughts and Concerns about Operation Onymous (torproject.org)
113 points by ehPReth on Nov 9, 2014 | 9 comments



Based on the following it seems very unwise to expect Tor hidden services to be secure against any determined attacker; I'd expect attacks to be well-known (among attackers). It's also sad to learn how little help this critical FOSS project receives (and I haven't been helping them either).

> it's important to note that Tor currently doesn't have funding for improving the security of hidden services.

and

> In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries.

Which links to a 2013 article[1] which says,

> Hidden Services are in a peculiar situation. While they see a loyal fan-base, there are no dedicated Tor developers to take care of them.

[1] https://blog.torproject.org/blog/hidden-services-need-some-l...

EDIT: add a little clarity and 'add' succinctness


If I were a dissident in an oppressed country (sigh the way things are going we in the west aren't that far behind authoritarian regimes such as China, Iran and Russia) I would be very very worried now as the same method could be used or "discovered" by entities who are more interested in suppressing dissent than this silly war on drugs waged by western countries.


If the regime is cranky enough, I think just using Tor would catch their interest.

(I'm assuming they would just have ISPs monitoring traffic or whatever)


Exactly, if Tor being insecure and therefore your traffic getting you in trouble is your primary worry that's actually a first world problem. Even using Tor at all is easily sufficient for any truly authoritarian regime to come down hard on you regardless of what your traffic contains.

> we in the west aren't that far behind authoritarian regimes such as China, Iran and Russia

In terms of the surveillance capabilities of the state, you're probably right. But e.g. China censors perhaps hundreds of thousands of messages a day and blocks access to vast swathes of the web. It actively uses online surveillance to crack down on activists and civil society groups on a routine basis. I don't like governmental overreach in surveillance and I think their systematic weakening of civilian security and privacy are massively counter-productive. There are also too many cases of police abuse in many western countries. But that's not the same as running a systematic, actively authoritarian police state.


ssh into a box that is set up to use tor, install squid, set up firefox to use your squid/tor box as a proxy. Your home is no longer broadcasting that you're using tor. Your box could be outside of the country.


"The task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly"

Maybe it would be better to re-think the applications? Instead of traditional web apps that require a low-latency connection to be usable, maybe build fat client web apps where the information is synched from the server to a local datastore and accessed from there.

These apps could live in the tor-browser just like we have Chrome apps. Maybe the tor-browser could expose a special JavaScript API that would provide a high-latency, anonymity-protecting message passing mechanism between client and servers.


If they want to get a crowdsource campaign going, better to do it ASAP so they can cash in on the general public's feeling about the shutdown and arrests (and before everyone forgets). Similar to how the Heartbleed bug caused a major donation drive to the SSL project shortly after it happened.


Mixed feelings here. It seems fairly clear from the material released thus far that opsec failures have been a major enabling component in recent regulatory ingress. Therefore, this is a fairly poor article in that it encourages a chilling effect and general panic. However, it's also a good article in that it encourages people to focus on sponsoring or improving the security of hidden services as a Tor project design goal. It stops short of pointing out where to send money, though.

(Update: read https://news.ycombinator.com/item?id=8579944 for informed-sounding, better take on tech background.)


You'd think that people running hidden services that are commercial and illegal in nature might push some money to the TOR project for these purposes.



