Not surprising. That seems like something he wouldn't care about up until it could somehow be used to own the libs or whatever. There's probably nobody left that even knows about the onion service.
This is the sort of thing that if it even exists at a large company is a pet project of one enthusiast, and obviously that enthusiast was laid off. I doubt a single person at Twitter today cares if their onion service works.
That was a bigger discussion when Facebook did it back in the day, and there's really no clear reason for or against it. In the end it mostly boils down to "regular people were educated that HTTPS is needed, so it's better to just keep doing that instead of explaining Tor to them". Which is a fair point, I think.
There's an annoying practical reason to use HTTPS on Tor: some browser features are gated on the page being served from an HTTPS origin. Some of them (like geolocation and payment requests) are likely to be irrelevant to most Tor users, but others (like HTTP/2 and Web Crypto) are more generally relevant.
Mind you, most of these TLS-origin-requiring features are only accessible through JavaScript APIs, and so won't be used by any "zero trust" Tor hidden services (which must assume the client's JavaScript is disabled) anyway.
AFAICT, the one thing you get from using TLS, is a kind of redundant defense-in-depth to the site being taken over: to successfully pose as the site, the attacker would have to obtain both the Tor daemon private key, and the TLS private key. If the Tor session and the TLS session are each terminated on their own middlebox with separate security (or if e.g. the Tor privkey lives in memory on the machine, while the TLS privkey lives inside an HSM attached to the machine), then it becomes harder for anyone — even a state actor — to commandeer the site.
Also, the TLS cert would be signed by a CA, and so that CA can independently determine that the site has been commandeered and revoke the cert. (Not that I expect a CA would actually do this in a timely manner if the commandeering is done on behalf of a state actor — but that's more a fault in our current CA system than a fault in the logic of X.509 trust infrastructure itself.)
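The "two keys" point above can be made concrete. A v3 onion hostname is derived from the hidden service's ed25519 public key, and a CA-issued certificate for that service has to list the same hostname in its Subject Alternative Names, so anyone posing as the site needs the Tor key (to own the address) and the TLS key (to own the cert). The following is an added example, written for this page rather than taken from the thread or from Twitter's infrastructure; it implements the published v3 address derivation with the standard library only, parses the layout of Tor's `hs_ed25519_public_key` file, and checks a certificate's SAN list against the derived address. The all-zero public key and the SAN lists are constructed test inputs, not real keys or certificates.

```python
"""Check that a TLS certificate's SANs name the onion address bound to a Tor key.

v3 onion address (Tor rend-spec-v3):
    onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    VERSION       = 0x03
"""
import base64
import hashlib

ONION_VERSION = b"\x03"
# Tor stores the service public key as a 32-byte tag followed by the raw key.
HS_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the 56-character v3 onion hostname for an ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    # 35 bytes = 280 bits = exactly 56 base32 characters, so no padding appears.
    name = base64.b32encode(pubkey + checksum + ONION_VERSION).decode("ascii").lower()
    return name + ".onion"


def parse_hs_pubkey_file(blob: bytes) -> bytes:
    """Extract the raw key from the contents of Tor's hs_ed25519_public_key file."""
    if len(blob) != 64 or not blob.startswith(HS_PUBKEY_HEADER):
        raise ValueError("not an hs_ed25519_public_key file")
    return blob[32:]


def onion_address_is_valid(address: str) -> bool:
    """Recompute the embedded checksum and version of a v3 onion address."""
    name = address.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        return False
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pubkey, version = raw[:32], raw[34:]
    if version != ONION_VERSION:
        return False
    # Re-deriving from the embedded key must reproduce the exact same string.
    return onion_address_from_pubkey(pubkey) == name + ".onion"


def cert_binds_service(hs_pubkey: bytes, san_dns_names: list[str]) -> dict:
    """Report whether a certificate's DNS SANs cover the address bound to hs_pubkey.

    san_dns_names would come from the certificate's subjectAltName extension;
    here it is passed in as a plain list so the check runs offline.
    """
    expected = onion_address_from_pubkey(hs_pubkey)
    sans = {s.lower().rstrip(".") for s in san_dns_names}
    # Accept the exact name; a wildcard for the onion's subdomains does not cover
    # the apex name itself, so it is deliberately not accepted.
    return {"expected": expected, "bound": expected in sans}


if __name__ == "__main__":
    # Constructed input: an all-zero key standing in for a real service key.
    key_file = HS_PUBKEY_HEADER + b"\x00" * 32
    pubkey = parse_hs_pubkey_file(key_file)
    addr = onion_address_from_pubkey(pubkey)
    print("derived address:", addr)
    print("self-consistent:", onion_address_is_valid(addr))
    print("cert covers it: ", cert_binds_service(pubkey, [addr, "example.com"]))
    print("wrong cert:     ", cert_binds_service(pubkey, ["example.com"]))
```

The check is deliberately one-directional: a certificate that names the address proves nothing about who holds the Tor key, and a working onion service proves nothing about the certificate. That is exactly why an attacker who has captured only one of the two keys cannot present a site that passes both Tor's address check and the browser's TLS check.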
Given that Twitter is the target of a lot of manipulation attempts, some of which come from intelligence agencies, having a .onion service seems like an actively bad thing. This seems like the sort of thing that a spy who snuck through the hiring process would build. Leaving it unmaintained seems worse than taking it down (especially since that implies a lack of monitoring that would invite abuse), but it definitely ought to go down.
I mean, it's not like Twitter can't see where the traffic is coming from. If you start seeing thousands of users tweeting the same thing over Tor, it's a pretty obvious campaign.
And what about users in countries with hostile governments? Your online posts get you killed in places like Saudi Arabia. The state will literally execute you. If there's a conspiracy here, that's why Twitter's 'secure' Tor access is less secure now.
Serving a valid TLS cert takes virtually no effort. It's far more likely that Musk's downsizing killed off infra that was doing this job correctly and inexpensively for many years.
If Musk actually cared about free speech like he says he does, onion services would be a priority. But obviously that's just hot air. You can't have it both ways.
The post is about the cert expiring in March of this year. So your statement that this issue is years old is simply untrue. There might be a separate issue, but the cert being invalid has nothing to do with that.
My statement had nothing at all to do with this certificate issue, but was more pointing out that Twitter's Onion handling has been broken in various ways for years.
Did they properly remove it, or does no one there even know it was/is happening? They didn't shut it down; they seem to have left the lights on with nobody home.
Bigger picture: given the role that news making and sharing in real time has always played on Twitter, it seems logical that services which may not provide obvious returns, but which build a platform that journalists find useful, would help do that.
My understanding is the onion service was launched to provide access for people in places where Twitter is blocked. How is this "irrelevant to the business"?
I'm not someone who's ever used the onion service, but as someone who accesses the site regularly over VPN, I can testify that it's a huge PITA. Tons of very aggressive captcha-type challenges (various tasks, never simple text recognition, but not Google ReCaptcha), often 5, 7, or 10 to be allowed to proceed.
If it's a safety mechanism that people relied on, leaving it to rot and getting people in the habit of clicking through on an expired or invalid certificate warning is irresponsible.
A degraded service can be worse than an offline one.
Why not? For an international communication service with a "historical" significance for freedom of speech, is this not a natural extension of the platform? Something like this does not cost very much money to operate. "Distraction" implies that it does not align with the rest of the company's objectives, and that it costs an inordinate amount of time or resources. A service like this can be administered by a single person as a tertiary function of their role; is it really of any significance to their bottom line?
It's so funny to me seeing variations of this post in response to anything related to what could be seen as a weakness of the actions taken after the acquisition, while also seeing this in posts promoting Twitter's relative stability. It's just so transparent what your motivation is, and laughably pathetic how you feel the need to reaffirm and defend your stance on musk (lowercase) at any opportunity that projects any positivity onto his decision making.
Oh, right, the topic that neither of us was actually talking about. Yep, I don't think anyone reasonably minded would be using a Twitter Tor exit node with Twitter's current reputation. Probably best to remove a service that no one would ever trust you enough to use.
That's unlikely. Even though Elon gutted the team at Twitter, the previous devs were good and certainly documented things. Besides, renewing a cert and applying it to an onion service isn't very hard, so the current team could fix it if it was a priority.
It's much more likely that it just isn't something they want to spend time on.
I don't understand the premise of Twitter having a .onion hidden service. They're anti-anonymity, at least from my experience, where they extorted my phone number from me so I could continue to use their service. Mixing PII with Tor defeats the purpose of anonymity. You're immediately outed by providing a phone number or even an e-mail.
This goes for every single website on clearnet though?
If not phone number, they have your IP and location, timezone, likely waking hours, private chats, search queries, who you communicate with and when etc. If not collected by the webmaster then it is automatically collected by whatever government the server sits in (+ whatever governments that government trades data with).
The times of anonymity on the internet/clearnet are long gone.
> If not collected by the webmaster then it is automatically collected by whatever government the server sits in (+ whatever governments that government trades data with).
It certainly is not, that's what we did all that HTTPS perfect forward secrecy for.
It's not too hard to get a temporary VoIP phone number if required to sign up for a service, but when I signed up this wasn't needed. Just don't use your phone. You can also get dummy, private, or temporary email addresses. Yeah, the scraping makes things harder, but it's perfectly doable to get these services completely anonymously. I mean hell, NYT, WP, CNN, Reuters, etc. all have Signal and most have SecureDrop, which is via Tor, to connect to them. Interestingly, it looks like Fox is the only major platform not to have any method I could find from a single search.
Nonsense. The threat model that onion routing protects against is a middle man intercepting the traffic, not from Twitter knowing who you are. It still offers value.
Just a heads-up, it looks like your account might have been shadowbanned? Your last few comments were all dead, as well as this one when I first saw it. Looks like someone else may have already vouched for it though.