Posted on behalf of Philipp Winter, Annie Edmundson, Laura Roberts, Agnieszka Dutkowska-Żuk, Marshini Chetty, and Nick Feamster
Our work on “How Tor Users Interact With Onion Services” will be presented at the upcoming USENIX Security conference in Baltimore in August. Below, we briefly summarize our findings.
What are onion services? Onion services were created by the Tor Project in 2004. They offer privacy protection for individuals browsing the web and also allow web servers, and thus websites themselves, to be anonymous. This means that any “onion site” or dark web site cannot be physically traced to identify those running the site or where the site is hosted. Unlike traditional URLs, onion domains consist of a string of letters and numbers because they are hashes over a site’s public key.
What did we do? We wanted to investigate how users perceive, manage, and use Tor’s onion services and onion domains. We also wanted to understand what challenges exist for current onion service users and what privacy and security enhancements are needed to help users better navigate these services.
How did we do it? We conducted a survey of 517 Tor users and interviewed 17 Tor users in depth to determine how users perceive, use, and manage onion services and what challenges they face in using these services. To complement our qualitative data, we analyzed “leaked” DNS lookups to onion domains, as seen from a DNS root server. This data gave us insights into actual usage patterns to corroborate some of the findings from the interviews and surveys.
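As an added illustration (not code from the paper or from the Tor Project), the Python sketch below shows how an onion domain is derived from a site's public key and how a query name seen in a DNS log can be checked for well-formedness. It goes beyond the hash-based (version 2) format described above to also cover version 3 addresses, which embed the key plus a checksum; the key bytes and query names are constructed placeholders.

```python
import base64
import hashlib
from collections import Counter

def v2_onion(der_public_key: bytes) -> str:
    # Version 2: first 80 bits of SHA-1 over the DER-encoded RSA public key.
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode().lower() + ".onion"

def v3_onion(ed25519_public_key: bytes) -> str:
    # Version 3: the key itself, a 2-byte SHA3-256 checksum, and a version byte.
    version = b"\x03"
    checksum = hashlib.sha3_256(
        b".onion checksum" + ed25519_public_key + version).digest()[:2]
    raw = ed25519_public_key + checksum + version
    return base64.b32encode(raw).decode().lower() + ".onion"

def classify(qname: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a DNS query name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return "invalid"
    label = labels[-2]          # subdomains such as www. are ignored
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:          # wrong length or characters outside a-z2-7
        return "invalid"
    if len(raw) == 10:
        return "v2"             # a bare hash: no checksum to verify
    if len(raw) == 35 and v3_onion(raw[:32]) == label + ".onion":
        return "v3"
    return "invalid"

def count_leaks(qnames):
    # Tally well-formed and malformed onion names in a list of query names.
    return Counter(classify(q) for q in qnames)

# Constructed inputs: placeholder key bytes, not real keys or real sites.
SAMPLE_V2 = v2_onion(b"constructed stand-in for a DER-encoded RSA key")
SAMPLE_V3 = v3_onion(bytes(range(32)))
SAMPLE_QUERIES = [SAMPLE_V2 + ".", "www." + SAMPLE_V3, "abc.onion",
                  SAMPLE_V2[:15] + "1.onion", "example.com"]

if __name__ == "__main__":
    print(dict(count_leaks(SAMPLE_QUERIES)))
```

A version 2 name carries no checksum, so any 16-character base32 label passes the syntax check; only version 3 names let a mistyped address be rejected without contacting the network.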
What did we find? We found that users have an incomplete mental model of onion services, use these services for anonymity and have varying trust in onion services in general. Users also have difficulty discovering and tracking onion sites and authenticating them. Finally, users want technical improvements to onion services and better information on how to use them.
What are the implications of this work? Our findings suggest various improvements for the security and usability of Tor onion services, including ways to automatically detect phishing of onion services, clearer security indicators, and ways to manage onion domain names that are difficult to remember.