A year of hosting an onion site

A short story detailing my experiences with hackers, SIGINT and the inherent depravity of humankind. In truth though, this story may lack all the aforementioned ingredients.

The lonely onion

A year ago I decided to offer my visitors “absolute” privacy in the shape of a Tor hidden service. Believing others were as fed up as myself with the constant mining of our personal data, I was eager to see what kind of traffic my hidden service would receive.

Fast forward to a year later and I’ve come to realize that few people share my conviction or perhaps connecting to the tor network is just too much of a bother for most people. Whatever the cause may be, the result has been hardly any human traffic whatsoever. I get plenty of bots scraping the site though, but to what purpose I don’t know.

Privacy

If you’ve familiar with my “don’t track, don’t tell” privacy policy, you might wonder exactly what additional privacy gains my onion site does offer. The answer to that question is simply anonymity. The following extract from my onionsite webserver log illustrates the complete lack of identifying visitor data:

slackiuxopmaoigo.onion 127.0.0.1 - - [04/Nov/2017:12:06:10 +0100] "GET /2017/04/hpkp-has-been-deployed/ HTTP/1.1" 200 5243 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" 350 5734
slackiuxopmaoigo.onion 127.0.0.1 - - [04/Nov/2017:12:06:11 +0100] "GET /wp-content/themes/pureregression/style.css HTTP/1.1" 200 3458 "http://slackiuxopmaoigo.onion/2017/04/hpkp-has-been-deployed/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" 358 3924
slackiuxopmaoigo.onion 127.0.0.1 - - [04/Nov/2017:12:06:11 +0100] "GET /wp-content/uploads/2017/04/HPKP-ssllabs-662x297.png HTTP/1.1" 200 17666 "http://slackiuxopmaoigo.onion/2017/04/hpkp-has-been-deployed/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" 352 18096
slackiuxopmaoigo.onion 127.0.0.1 - - [04/Nov/2017:12:06:12 +0100] "GET /wp-content/themes/pureregression/images/frst.jpg HTTP/1.1" 200 113782 "http://slackiuxopmaoigo.onion/wp-content/themes/pureregression/style.css" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" 360 114215
slackiuxopmaoigo.onion 127.0.0.1 - - [04/Nov/2017:12:06:13 +0100] "GET /favicon.ico HTTP/1.1" 200 12014 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" 240 12445

The only IP address ever being logged by the server is 127.0.0.1 (localhost). That leaves only the user-agent string as the “identifiable” part of the request. Even if I was to examine the network connections, all I would be able to discover are my entry guards.

Attacks

Tor occasionally reports about a large amount of failing circuits which could suggest an attack against me or my guard, but as the log says: most likely this means the Tor network is overloaded.

As for attacks against my webserver, those are few and far between and contain nothing new. Additionally there are a plenty of probes for my private_key, but I can’t really imagine a configuration where it would be accessible from the document root. I guess those probes originates from some service trying to discover horribly misconfigured onions.

To the future, and beyond

Ignoring the apparent lack of interest from my visitors I still find running an onion site interesting and I plan to keep maintaining slackiuxopmaoigo.onion in the future.