This means all the links between and to onion sites, all the search engine rankings, all the communities, and access to them will go up in a puff of smoke on that date.
Some may come back with new domains that are different from the old. But the web between them will be gone.
You use the word migrate but that's not really what is going on. A new onion domain is required. All the links, all the search indices, the reputation and rankings, the things that make up the web on tor will be destroyed.
On v3 everything will have to start fresh.
And yeah, there are reason for using v3. Many of them. But having v2 alongside v3 has been the working status quo since 2019. It is not like it is suddenly harder now. And just because a v2 site exists doesn't endanger v3 ones.
A host on v2 can serve a redirect to v3. Search indexes can be updated, as well as links (there was about 1.5 years?). It is a nuisance, but I don't see what the big issue is.
If v2 addresses are not disabled, people will keep using them, yet they are (seemingly quite) insecure. People would get false security/privacy impressions so they need to be disabled. Migrations need definite timelines - look at python v2/3, IPv4/6. RSA1024 really is long past overdue.
You are kind of assuming that every Tor site is someone's primary occupation. But for some people it just be a hobby, and not their primary one either. Imagine someone spending an hour or so per year. They may not even know this is coming.
The tor browser enforces this but that doesn't happen for the actual tor client (used for hosting onion services) if it comes from your system repositories. But even if you go back to the tor client released in 2013 there are no serious vulnerabilities. Just a mild DoS.
Yes. That's exactly what I said. Except my main point was that even tor clients from 2013 only have a minor DoS vulnerability. It's not so dire if you don't update.
I actually put off reading about or implementing a v3 domain because of the new DoS problems it introduced. For most of the v2->v3 transitional period an old out of date tor client running a v2 onion service was no more vulnerable than a brand new up to date v3 tor client with it's new vulnerabilities not worked out yet.
v2 domains were just the maximum length that you could reasonably memorize them, perfect for privacy. There's no chance for memorizing a v3 domain, so you'll have to write them down or persist them in some way. Having a post-it of a whistleblowing site's URL is never great.
No problem, I literally just happened to see the dark.fail account on Twitter post a notice about it earlier today after a long slumber where I've been off the web for a couple days so I figured you'd like to know that that's not a recommended URL any longer.
EDIT: you can probably reach out to dang or to hn@ycombinator.com and they will delete this if you state your case
17 comments
[ 2.7 ms ] story [ 65.2 ms ] threadSome may come back with new domains that are different from the old. But the web between them will be gone.
TOR, Signal or Ethereum - you better hope that network owners don't do something to break your stuff.
Stated reason for v2 retirement: "Onion service v2 uses RSA1024 and 80 bit SHA1 (truncated) addresses. It also still uses the TAP [2] handshake .."
Seems like a typical security upgrade of something that should have been done a long time ago.
On v3 everything will have to start fresh.
And yeah, there are reason for using v3. Many of them. But having v2 alongside v3 has been the working status quo since 2019. It is not like it is suddenly harder now. And just because a v2 site exists doesn't endanger v3 ones.
If v2 addresses are not disabled, people will keep using them, yet they are (seemingly quite) insecure. People would get false security/privacy impressions so they need to be disabled. Migrations need definite timelines - look at python v2/3, IPv4/6. RSA1024 really is long past overdue.
You are kind of assuming that every Tor site is someone's primary occupation. But for some people it just be a hobby, and not their primary one either. Imagine someone spending an hour or so per year. They may not even know this is coming.
I actually put off reading about or implementing a v3 domain because of the new DoS problems it introduced. For most of the v2->v3 transitional period an old out of date tor client running a v2 onion service was no more vulnerable than a brand new up to date v3 tor client with it's new vulnerabilities not worked out yet.
I mean, this post is from July 2020. Onion service v3 has been around since 2018. It seems pretty reasonable to give over a year for migration.
Pretty easy to remember for whistleblowers.
Haven't looked at it in a long time sorry. I generally like the non-deletion policy on HN but really wish I could get rid of this now.
Shame I can't flag my own post. For anyone reading, please do so.
EDIT: you can probably reach out to dang or to hn@ycombinator.com and they will delete this if you state your case