I saw a diagram of traffic to a .onion domain, I think in a Tor Project browser, and it showed the traffic going through ~3 Tor relays, then ~3 'regular' Internet relays, then perhaps something else, then the .onion host.
Why the 'regular' Internet relays? It wasn't a hijack of some sort, this diagram was from the Tor Project. It wasn't an exception AFAICT, I saw it for multiple .onion hosts.
I assume the traffic is encrypted over the Internet relays, but it seems to add a bunch of potential vectors of attack, not to mention potential performance issues.
Tor hidden servers have changed recently so this may be a bit out of date, but the client (at the Twitter user end) has to choose all the relays between itself and the endpoint. The server (Twitter) is also hidden here, so the client cannot make a path all the way to it, the way it could for a normal website. So Twitter publishes the address of a trusted relay instead. The client makes a path to the relay, and the relay forwards the request on to the hidden server.
Thank you. Why do some relays need to be public Internet hosts (if I understood correctly what I saw) instead of using all Tor hosts as relays? Sorry if the answer is somehow implicit in what you already posted.
Thanks for all your help and I understand if I've exhausted the efforts of free HN technical help!
I read the link and while I learned more about Tor, the article seems to describe how to secure Tor traffic that is forwarded to regular Internet hosts, for example if someone using a Tor client visited ycombinator.com. My question is, if you use a Tor client to visit twitterhpgjerufcvrmzerg2novpipy42rk3anvb5b7np4zggm4rwaqd.onion, why is part of the route through regular Internet hosts (afaict) and what are the implications of that? The article shows what I am describing in this screenshot; the blacked out parts next to "Portugal", "Germany", and "United States" are IP addresses:
Only the trusted relay in the middle knows that half of the path. Sorry if that wasn't clear. And again, this was a hack on the original protocol that had some security issues. The implementation of hidden servers was recently updated and I don't know exactly what changed.
That is what I believed but what I saw seemed to conflict: Install the Tor Project browser, connect to a .onion host, then click on the icon that shows the route. It appears to show the route goes through non-Tor hosts (I don't call them 'clearnet' because I expect the data and some metadata is encrypted).
EDIT: See this screenshot from an article elsewhere in this discussion. The blacked out bits next to "Portugal", "Germany", and "United States" are publicly routable IP addresses (IIRC):
This is normal: your computer picks the set of 3 relays you want to use, hence it knows their IP addresses. The 3 relays from there to the hidden service are not known to your computer though, so those are just listed as "relay".
This screenshot, from an article linked below, shows what I'm talking about. The blacked out parts next to "Portugal", "Germany", and "United States" cover publicly routable IP addresses (afaik):
I think I may be able to help sort out the confusing bits. I know a lot about Tor so if you have any further questions feel free to ask. Sp332's comment is a good explanation so I will simply expand upon it. Also, if I misunderstood your question let me know.
Tor works by ensuring that there are three Tor relays between the Tor client (the software that connects to the Tor network) and the destination the Tor client is connecting to.
However, what happens when you want to establish a connection between two hosts that are both using Tor through the Tor network? Well, in that case both Tor programs establish a path through three Tor relays and link the last Tor relays in each of their separate chains together (if you are interested in learning about how each Tor program knows the other's endpoint, look up "Tor hidden service directory"). Now with both ends of their Tor relay chains linked, both hosts can communicate with each other securely and anonymously over the Tor network. (For example: you are using Tor browser to connect to a hidden service. Both Tor browser and the hidden service make a chain of three Tor relays each and connect the chains together through the last node of each chain. The Tor browser only knows the relays that it uses for its chain + the end of the hidden service's chain. The hidden service only knows the relays in its chain + the last relay in your chain. Thus keeping you both anonymous.)
Yes, thank you; that explains it. I somehow got the impression that the last three relays were routed on, effectively, a different layer of the Tor network than public Internet IP routing, one that didn't rely on the public IP addresses.
The screenshot shows the traffic going through 3 Tor relays (which your browser knows the public IP addresses of, since it created that circuit in the first place) followed by three more Tor relays (which it doesn't know the public IP addresses of, since that circuit was created by the hidden service), followed by a final hop to the hidden service.
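The two explanations above (the joined three-relay chains, and the circuit display that can only name the client's own three hops) can be checked against a small model. The following is an added example written for this thread, not code from any commenter or from the Tor Project: the cipher is a toy XOR keystream, the hop keys and IP addresses are constructed, and a single shared end-to-end key stands in for the handshake that the client and the onion service perform through the joined relays. It walks one cell from the client to the service and then asks what each relay learned along the way.

```python
"""Toy model of the onion-service path described above: a client chain of three
relays and a service chain of three relays, joined at their last relays.
Constructed example for illustration; the cipher, keys and addresses are toys,
not Tor's real protocol."""
import hashlib
from dataclasses import dataclass, field


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic toy keystream (SHA-256 in counter mode)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def layer(key: bytes, cell: bytes) -> bytes:
    """Put one encryption layer on, or take it off (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(cell, keystream(key, len(cell))))


@dataclass
class Relay:
    ip: str
    key: bytes                                    # shared only with the party that built the circuit
    neighbours: set = field(default_factory=set)  # addresses this relay exchanged cells with
    cells_seen: list = field(default_factory=list)

    def relay_cell(self, prev: str, nxt: str, cell: bytes) -> bytes:
        """Record both neighbours, apply this relay's layer, pass the cell on."""
        self.neighbours.update({prev, nxt})
        self.cells_seen.append(cell)
        return layer(self.key, cell)


def build_chain(ips, builder: str):
    """Constructed per-hop keys; in Tor each one comes from a per-hop handshake."""
    return [Relay(ip, hashlib.sha256(f"{builder}:{ip}".encode()).digest()) for ip in ips]


def send_to_service(client_ip, client_chain, service_chain, service_ip, e2e_key, payload):
    """Walk one cell from the client to the onion service; return what the service reads."""
    # end-to-end layer shared by client and service, so no relay sees the payload
    cell = layer(e2e_key, payload)
    # the client adds one layer per hop of its own chain, outermost for hop 1
    for r in reversed(client_chain):
        cell = layer(r.key, cell)
    # the cell walks the client chain; each relay strips exactly one layer
    addrs = [client_ip] + [r.ip for r in client_chain] + [service_chain[-1].ip]
    for i, r in enumerate(client_chain):
        cell = r.relay_cell(addrs[i], addrs[i + 2], cell)
    # at the join the cell enters the service chain from its far end and walks
    # toward the service; each relay adds a layer that only the service can remove
    back = list(reversed(service_chain))
    addrs = [client_chain[-1].ip] + [r.ip for r in back] + [service_ip]
    for i, r in enumerate(back):
        cell = r.relay_cell(addrs[i], addrs[i + 2], cell)
    # the service strips its three chain layers, then the end-to-end layer
    for r in service_chain:
        cell = layer(r.key, cell)
    return layer(e2e_key, cell)


def client_view(client_chain, service_chain):
    """What the browser's circuit display can show: own hops by IP, the rest as 'relay'."""
    return [r.ip for r in client_chain] + ["relay"] * len(service_chain) + ["onion service"]


def relays_knowing_both(client_ip, service_ip, relays):
    """Relays that learned both endpoint addresses (the model expects none)."""
    return [r.ip for r in relays if {client_ip, service_ip} <= r.neighbours]


if __name__ == "__main__":
    # constructed addresses from documentation ranges
    cc = build_chain(["203.0.113.10", "198.51.100.20", "192.0.2.30"], "client")
    sc = build_chain(["192.0.2.40", "198.51.100.50", "203.0.113.60"], "service")
    msg = b"GET / HTTP/1.1"
    got = send_to_service("10.0.0.1", cc, sc, "10.9.9.9", b"constructed-e2e-key", msg)
    print("service read:", got)
    print("client display:", client_view(cc, sc))
    for r in cc + sc:
        print(r.ip, "talked to", sorted(r.neighbours))
```

The client's display comes out exactly like the screenshot discussed in the thread: three named hops, three entries it can only call "relay", then the onion service. The neighbour sets show why that is enough: the first client relay knows the client's address, the first service relay knows the service's address, and no single relay in either chain holds both, while the end-to-end layer keeps the payload opaque even to the two relays at the join.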
EDIT: 'clear' -> 'regular'