THE SO-CALLED DARK web, for all its notoriety as a haven for criminals and drug dealers, is slowly starting to look more and more like a more privacy-preserving mirror of the web as a whole. Now it’s gained one more upstanding member: the non-profit news organization ProPublica.
On Wednesday, ProPublica became the first known major media outlet to launch a version of its site that runs as a “hidden service” on the Tor network, the anonymity system that powers the thousands of untraceable websites that are sometimes known as the darknet or dark web. The move, ProPublica says, is designed to offer the best possible privacy protections for its visitors seeking to read the site’s news with their anonymity fully intact. Unlike mere SSL encryption, which hides the content of the site a web visitor is accessing, the Tor hidden service would ensure that even the fact that the reader visited ProPublica’s website would be hidden from an eavesdropper or Internet service provider.
“Everyone should have the ability to decide what types of metadata they leave behind,” says Mike Tigas, ProPublica’s developer who worked on the Tor hidden service. “We don’t want anyone to know that you came to us or what you read.”
Of course, any privacy-conscious user can achieve a very similar level of anonymity by simply visiting ProPublica’s regular site through their Tor Browser. But as Tigas points out, that approach does leave the reader open to the risk of a malicious “exit node,” the computer in Tor’s network of volunteer proxies that makes the final connection to the destination site. If the anonymous user connects to a part of ProPublica that isn’t SSL-encrypted—most of the site runs SSL, but not yet every page—then the malicious relay could read what the user is viewing. Or even on SSL-encrypted pages, the exit node could simply see that the user was visiting ProPublica. When a Tor user visits ProPublica’s Tor hidden service, by contrast—and the hidden service can only be accessed when the visitor runs Tor—the traffic stays under the cloak of Tor’s anonymity all the way to ProPublica’s server.
To most of ProPublica’s readers, that no doubt sounds like an unnecessary level of paranoia to go through to read the news. But Tigas first began considering launching a hidden service last year when the news site was working on a report about Chinese online censorship and wanted to make sure the reporting was itself safe to visit for Chinese readers. Like other news sites, ProPublica also accepts anonymous tips and leaks through its SecureDrop server, another Tor hidden service. Tigas says he hopes the Tor hidden service version of the site will make sure any leaker can also read the stories resulting from those leaks with as much protection as possible. It remains to be seen how readers will find the new Tor hidden service, as ProPublica hasn’t yet decided where it will advertise it. The launch makes Pro Publica the first major media site on the dark web, but not the first news site altogether. The dark web news site Deep Dot Web has long hosted a hidden service version of itself for its privacy-focused readers.
Tor hidden services, which hide the IP address of a web site and thus its administrator’s identity, have been widely used for online narcotics sales like the Silk Road and even child pornography. But ProPublica’s dark web site is far from the first foray from reputable publishers and web companies into Tor’s anonymity network. In late 2014, Facebook launched its own Tor hidden service. (Though Facebook itself knows the identity of any user who logs into that Tor-enabled mirror of the site, eavesdroppers wouldn’t.) Media sites including the Guardian, the Intercept, and the New Yorker have the software SecureDrop to launch WikiLeaks-style anonymous upload sites on the dark web. And a variety of apps are beginning to use Tor hidden services, too, like the anonymous chat service Ricochet and the file-sharing service Onionshare.
ProPublica’s Tigas says he hopes the news site’s hidden service will serve as a model for other media companies who want to protect users’ privacy, and maybe improve the dark web’s controversial reputation, too. “Personally I hope other people see that there are uses for hidden services that aren’t just hosting illegal sites,” Tigas says. “Having good examples of sites like ProPublica and Securedrop using hidden services shows that these things aren’t just for criminals.”
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.