Audacious Fox

Runa Sandvik, Director of Information Security at The New York Times:

The New York Times’ Onion Service is both experimental and under development. This means that certain features, such as logins and comments, are disabled until the next phase of our implementation. We will be fine-tuning site performance, so there may be occasional outages while we make improvements to the service. Our goal is to match the features currently available on the main New York Times website.

As pointed out by Ms. Sandvik, the Times joins—among others—Facebook and ProPublic, each of which provide their own Onion Services. For background on why this matters, here’s this 2014 post from the Tor Project’s blog (emphasis mine):

Hidden services provide a variety of useful security properties. First - and the one that most people think of - because the design uses Tor circuits, it’s hard to discover where the service is located in the world. But second, because the address of the service is the hash of its key, they are self-authenticating: if you type in a given .onion address, your Tor client guarantees that it really is talking to the service that knows the private key that corresponds to the address. A third nice feature is that the rendezvous process provides end-to-end encryption, even when the application-level traffic is unencrypted.

Essentially, you can now be reasonably sure that when you access nytimes3xbfgragh.onion, you’re getting the real thing. Additionally, having a growing number of real-world publications make their sites available as Onion Services doesn’t hurt Tor’s credibility.

The nuances of Tor and .onion addresses get a little… nerdy, but here’s the bigger takeaway: although you could always access nytimes.com through a Tor browser (which provided an additional level of anonymity to your browsing), the availability of a fully fledged .onion URL run by the Times speaks to a growing worldwide desire for encrypted and unmonitored use of the Internet, particularly when it comes to accessing the news. I can’t imagine any meaningful percentage of readers will switch to using the new .onion address, but as with most things Tor, if you can (a) already access The New York Times and (b) do so without worry, this service probably isn’t aimed at you.

Monday, 30 October 2017