Thursday, 18 February 2016

What Just Happened On The Tor Network?

A few days ago I was discussing how much of Tor's hidden services (known as .onion sites) was being used for illegal purposes.  Then over the past 2-3 days something quite extraordinary happened.  The metrics reported by the Tor project itself show that the number of unique .onion sites has increased by well over 20,000:

Number of unique .Onion sites as recorded by the Tor project

There has never been an increase of that magnitude before.  What can account for it?  I can see a few possibilities:

  1. Something was wrong with the way in which Tor was calculating the number of .onion sites, and there has been a correction to better reflect reality.  I think this unlikely as the technique (which I discussed previously) appears to be very sound.  I could understand such a correction in the early days when fewer nodes were reporting statistics but over the period that more and more nodes have become part of the reporting there has been no change like this.  With almost 50% of nodes now participating this would appear to be, prima facie, a real jump.
  2. Somebody has set up a whole slew of new .onion sites.  For this to have happened in this volume there has been either a very large number of people collaborating on something or some form of automation.  But why?

The confounding factor in this latest jump is that the volume of traffic across the Tor network to hidden services has not seen a commensurate jump.  If anything, the last few days have seen a very small decrease:

Volume of traffic to hidden services on the Tor network (Mbits/s)

Whatever or whoever has set up these new .onion sites, it is as if they are being created ready for some purpose that we have yet to understand.

The most likely possibility is that something such as the new anonymous messaging system called Ricochet has begun operating at full steam.  If, for example, every new .onion site is actually just a new Ricochet client then that could account for the sudden upsurge. You can read about the design of Ricochet here. Ricochet has been available for many months but on 15th Feb they published the results of a security audit conducted by NCC, which gave a favourable verdict on the latest version. 

The fact that each instance of Ricochet uses a unique hidden service, and the upsurge began within 24 hours of a favourable external security audit is quite suggestive. 

Of course, that suggests that Ricochet already has 20,000 users in a matter of days, which is spectacular growth.  Either that or there are a lot of test accounts. The anomaly remains the lack of traffic.  Maybe instant messages just don't generate that much traffic or, more likely, people are creating instances of Ricochet ready to communicate but, obviously, they aren't communicating continuously the way a website does.

If Ricochet has taken off, then there is a whole new dimension for debate on not just secure (end-to-end encrypted) messaging but messaging where there isn't even any metadata.  If I'm correct then I suspect we'll see yet more commentary on whether such technologies should be allowed and/or whether they can be stopped even if legislators decide to outlaw them.