2023 (opens in new tab)

(twitter3e4tixl4xyajtrzo62zg5vztmjuricljdp2c5kshju4avyoid.onion)

66 pointsNOWHERE_2y ago46 comments

46 comments

Not surprising. That seems like something he wouldn't care about up until it could somehow be used to own the libs or whatever. There's probably nobody left that even knows about the onion service.

1 more reply

ocdtrekkie2y ago

This is the sort of thing that if it even exists at a large company is a pet project of one enthusiast, and obviously that enthusiast was laid off. I doubt a single person at Twitter today cares if their onion service works.

1 more reply

silas2y ago

Also noticed that the Status page linked from the logged out https://twitter.com page has been expired since Aug 29.

Not especially interesting, but probably an indication that some of the non-core stuff is getting overlooked.

abraham2y ago

The API page is still up

https://api.twitterstat.us/

mattsan2y ago

I can hear the people in charge on the onion service that were fired laughing

ThePowerOfFuet2y ago

Why are they even using TLS? Onion services bring their own security.

dewey2y ago

That was a bigger discussion when Facebook did it back in the days and there's really no clear reason for and against it. In the end it mostly boils down to "regular people were educated that https is needed, so it's better to just keep doing that instead of explaining Tor to them". Which is a fair point I think.

https://blog.torproject.org/facebook-hidden-services-and-htt...

sva_2y ago

If there is no reason for it, then that is a reason against it. Regular people probably don't use Tor.

1 more reply

derefr2y ago

AFAICT, the one thing you get from using TLS, is a kind of redundant defense-in-depth to the site being taken over: to successfully pose as the site, the attacker would have to obtain both the Tor daemon private key, and the TLS private key. If the Tor session and the TLS session are each terminated on their own middlebox with separate security (or if e.g. the Tor privkey lives in memory on the machine, while the TLS privkey lives inside an HSM attached to the machine), then it becomes harder for anyone — even a state actor — to commandeer the site.

Also, the TLS cert would be signed by a CA, and so that CA can independently determine that the site has been commandeered and revoke the cert. (Not that I expect a CA would actually do this in a timely manner if the commandeering is done on behalf of a state actor — but that's more a fault in our current CA system than a fault in the logic of X.509 trust infrastructure itself.)

rakoo2y ago

TLS brings security and auth: how do you know twitter's service is at https://twitter3e4tixl4xyajtrzo62zg5vztmjuricljdp2c5kshju4av... ? Or is it at https://twitter3e4tixl4xyajtrzo62zg5vztmjuricljdp2c5kshju4av... ?

.onion certs can now go the whole chain such that you don't need to rely on non-tor access to do the auth

jimrandomh2y ago

Given that Twitter is the target of a lot of manipulation attempts, some of which come from intelligence agencies, having a .onion service seems like an actively bad thing. This seems like the sort of thing that a spy who snuck through the hiring process would build. Leaving it unmaintained seems worse than taking it down (especially since that implies a lack of monitoring that would invite abuse), but it definitely ought to go down.

cedws2y ago

I mean, it's not like Twitter can't see where the traffic is coming from. If you start seeing thousands of users tweeting the same thing over Tor, it's a pretty obvious campaign.

weare1382y ago

And what about users in countries with hostile governments? Your online posts get you killed in places like Saudi Arabia. The state will literally execute you. If there's a conspiracy here that's why Twitter's 'secure' TOR access is less secure now.

devilkin2y ago

I guess they'd care if they could monetize it.

stathibus2y ago

Twitter should not care about having an onion service.

Great example of a distraction that the Musk downsizing properly removed.

justapassenger2y ago

If they really care about free speech and citizen journalism, they totally should have working onion service.

Of course they don’t care, not only because Musk is full of shit, but also because of billions from Saudis.

bastawhiz2y ago

Serving a valid tls cert takes virtually no effort. It's far more likely that Musk's downsizing killed off infra that was doing this job correctly and inexpensively for many years.

If Musk actually cared about free speech like he says he does, onion services would be a priority. But obviously that's just hot air. You can't have it both ways.

justinclift2y ago

> infra that was doing this job correctly

Twitter's Onion handling hasn't been reasonably functional for years, so in this particular case it's not that.

1 more reply

avs7332y ago

Did they properly remove it or does no one there even know it was/is happening. They didn’t shut it down, the seem to have left the lights on with nobody home.

Bigger picture - given the role news making and sharing in real time has always played in Twitter, it seems logical that services which may not provide obvious returns but which build a platform that journalists find useful would help do that.

stathibus2y ago

I agree, it seems like they left it to rot instead of shutting it down. But again it is irrelevant to the business so who cares?

2 more replies

Atreiden2y ago

Why not? For an international communication service with a "historical" significance on freedom of speech, is this not a natural extension of the platform? Something like this does not cost very much money to operate. "distraction" implies that it does not align with the rest of the company's objectives, and that it costs an inordinate amount of time or resources. A service like this can be administered by a single person as a tertiary function of their role, is it really any significance to their bottom line?

kakwa_2y ago

Maybe, but then, why the onion service is still up?

This feels more like uncontrolled infrastructure rot/lack of maintenance rather than a conscious decision to cut unnecessary parts of it.

AlexandrB2y ago

If you think running an onion service is distracting, wait until you see how distracting trying to become an "everything" app is.

zen9282y ago

It's so funny to me seeing variations of this post in response to anything related to what could be seen as a weakness to the actions taken after acquisition, while also seeing this in posts promoting twitters relative stability. It's just so transparent to what your motivation is and laughably pathetic how you feel the need to reaffirm and defend your stance on musk (lowercase) at any opportunity that projects any positivity on his decision making.

Oh, right, the topic that neither of us were actually taking about. Yep, I don't think anyone reasonably minded would be using a twitter tor exit node with twitters current reputation. Probably best to remove a service that no one would ever trust you enough to use.

adfhoinionio2y ago

It broke because there's no one left at the company who knows how to keep it online.

onion2k2y ago

That's unlikely. Even though Elon gutted the team at Twitter, the previous devs were good and certainly documented things. Besides, renewing a cert and applying it to an onion service isn't very hard, so the current team could fix it if it was a priority.

Its much more likely that it just isn't something they want to spend time on.

WallyFunk2y ago

I don't understand the premise of Twitter having an .onion hidden service. They're anti-anonymity, at least from my experience, where they extorted my phone number from me so I could continue to use their service. Mixing PII with Tor defeats the purpose of anonymity. You're immediately outed by providing a phone number or even en e-mail.

bboygravity2y ago

This goes for every single website on clearnet though?

If not phone number, they have your IP and location, timezone, likely waking hours, private chats, search queries, who you communicate with and when etc. If not collected by the webmaster then it is automatically collected by whatever government the server sits in (+ whatever governments that government trades data with).

The times of anonymity on the internet/clearnet are long gone.

astrange2y ago

> If not collected by the webmaster then it is automatically collected by whatever government the server sits in (+ whatever governments that government trades data with).

It certainly is not, that's what we did all that HTTPS perfect forward secrecy for.

parineum2y ago

Accessing Twitter from countries that don't have any way to force Twitter to divulge information is the purpose.

godelski2y ago

It's not too hard to get a temporary voip phone number if required to sign up for a service, but when I signed up this wasn't needed. Just don't use your phone. You can also get dummy, private, or temporary email addresses. Yeah, the scraping makes things harder, but it's perfectly doable to get these services completely anonymously. I mean hell, NYT, WP, CNN, Reuters, etc all have Signal and most have Secure drop, which is via Tor, to connect to them. Interestingly it looks like Fox is the only major platform not have any method I could find from a single search.

bastawhiz2y ago

Nonsense. The threat model that onion routing protects against is a middle man intercepting the traffic, not from Twitter knowing who you are. It still offers value.

atkailash2y ago

I think it’s intended to circumvent government blocks in times of unrest to ensure communication

Forbo2y ago

Just a heads-up, it looks like your account might have been shadowbanned? You last few comments were all dead, as well as this one when I first saw it. Looks like someone else may have already vouched for it though.

1 more reply

j / k navigate · click thread line to collapse

46 comments

gaganyaan2y ago

Not surprising. That seems like something he wouldn't care about up until it could somehow be used to own the libs or whatever. There's probably nobody left that even knows about the onion service.

1 more reply

ocdtrekkie2y ago

1 more reply

silas2y ago

Also noticed that the Status page linked from the logged out https://twitter.com page has been expired since Aug 29.

Not especially interesting, but probably an indication that some of the non-core stuff is getting overlooked.

abraham2y ago

The API page is still up

https://api.twitterstat.us/

mattsan2y ago

I can hear the people in charge on the onion service that were fired laughing

ThePowerOfFuet2y ago

Why are they even using TLS? Onion services bring their own security.

dewey2y ago

https://blog.torproject.org/facebook-hidden-services-and-htt...

sva_2y ago

If there is no reason for it, then that is a reason against it. Regular people probably don't use Tor.

1 more reply

derefr2y ago

rakoo2y ago

.onion certs can now go the whole chain such that you don't need to rely on non-tor access to do the auth

jimrandomh2y ago

cedws2y ago

I mean, it's not like Twitter can't see where the traffic is coming from. If you start seeing thousands of users tweeting the same thing over Tor, it's a pretty obvious campaign.

weare1382y ago

devilkin2y ago

I guess they'd care if they could monetize it.

stathibus2y ago

Twitter should not care about having an onion service.

Great example of a distraction that the Musk downsizing properly removed.

justapassenger2y ago

If they really care about free speech and citizen journalism, they totally should have working onion service.

Of course they don’t care, not only because Musk is full of shit, but also because of billions from Saudis.

bastawhiz2y ago

Serving a valid tls cert takes virtually no effort. It's far more likely that Musk's downsizing killed off infra that was doing this job correctly and inexpensively for many years.

If Musk actually cared about free speech like he says he does, onion services would be a priority. But obviously that's just hot air. You can't have it both ways.

justinclift2y ago

> infra that was doing this job correctly

Twitter's Onion handling hasn't been reasonably functional for years, so in this particular case it's not that.

1 more reply

avs7332y ago

Did they properly remove it or does no one there even know it was/is happening. They didn’t shut it down, the seem to have left the lights on with nobody home.

stathibus2y ago

I agree, it seems like they left it to rot instead of shutting it down. But again it is irrelevant to the business so who cares?

2 more replies

Atreiden2y ago

kakwa_2y ago

Maybe, but then, why the onion service is still up?

This feels more like uncontrolled infrastructure rot/lack of maintenance rather than a conscious decision to cut unnecessary parts of it.

AlexandrB2y ago

If you think running an onion service is distracting, wait until you see how distracting trying to become an "everything" app is.

zen9282y ago

adfhoinionio2y ago

It broke because there's no one left at the company who knows how to keep it online.

onion2k2y ago

Its much more likely that it just isn't something they want to spend time on.

WallyFunk2y ago

bboygravity2y ago

This goes for every single website on clearnet though?

The times of anonymity on the internet/clearnet are long gone.

astrange2y ago

> If not collected by the webmaster then it is automatically collected by whatever government the server sits in (+ whatever governments that government trades data with).

It certainly is not, that's what we did all that HTTPS perfect forward secrecy for.

parineum2y ago

Accessing Twitter from countries that don't have any way to force Twitter to divulge information is the purpose.

godelski2y ago

bastawhiz2y ago

Nonsense. The threat model that onion routing protects against is a middle man intercepting the traffic, not from Twitter knowing who you are. It still offers value.

atkailash2y ago

I think it’s intended to circumvent government blocks in times of unrest to ensure communication

Forbo2y ago

1 more reply

j / k navigate · click thread line to collapse