UX Problems with migration to V3 names
As we all know, from about November 2021 deprecated v2 onion names will cease to work altogether (https://blog.torproject.org/v2-deprecation-timeline).
We understand the reasons behind this decision, but at the same time we consider solving the problem caused by it to be vital.
The crux of the v3 vs v2 issue is as follows:
A v2 name looks like a random combination of 16 letters and digits. Half of them, or even more, may be picked by the v2 service owner via the mining process to ensure that the name of their service can be remembered more easily. This way the user only has to remember a word or a combination thereof, associated with this service, and 8 or fewer random letters and digits. It is much easier than having to remember 16 random symbols, although remembering 16 random symbols is still realistically possible.
V3 names have no such option. Even if the owner of the service manages to pick 8-12 symbols, there will still be at least 40 random symbols left. Remembering such a name exactly seems to us to be impossible for most users.
This means that v3 names have some obvious drawbacks:
- Since v3 names cannot be easily remembered, they would have to be recorded somehow, whether on a digital device or on paper, which compromises the safety of the user in case of a search by security services or affiliated groups in repressive regimes. Keeping such names in encrypted containers of any sort does not help much, since the very presence of such containers automatically provokes additional questioning. Refusing to show their contents may be interpreted as admission of guilt or involvement, or simply provoke security services to employ coercion or even torture.
- These names are hard to input manually. Even a skilled PC user would have to spend about half a minute inputting a v3 name without checking for misprints and other errors. A less skilled user would need more than 2 minutes and would very likely require several attempts to do so. It's even worse on a smartphone or any other mobile device, which is sometimes the only way some people can connect to the Internet. By our calculations, it takes 2 minutes 40 seconds to input 54 symbols on a mobile device, and that's without checking for any errors.
- When inputting such a long name manually, it would be harder to determine whether a failure to connect to a hidden service is caused by some Tor network issues, problems with the service itself, or simply an input error, since you'd have to check 54 symbols and rule out typos or misprints, such as mistaking "g" for "q" or "I" for "l" etc. The problem becomes even bigger when working with a name recorded on paper in handwriting.
We consider the worst and most critical consequences of v2 deprecation to be:
- Multiple new potential avenues for user data leaks: lost paper scraps with v3 names, attempts to record hidden service names in insecure places, such as blogs, messengers, social networks etc., browser bookmarks, plaintext files on stationary and mobile devices, and so on.
- Many more inconveniences when working with hidden services, potentially making them unusable in a lot of cases. If the user tries to input handwritten symbols 5 or 6 times and still fails, they might decide that the service itself is not responding, when in reality the user simply mistyped one of the 54 symbols in the name. Moreover, inputting the name becomes more labour-intensive and time-consuming, which is especially important for people pursued by repressive regimes or working under duress or high levels of stress, such as activists, whistleblowers etc.
V2 deprecation is probably sound from a technical standpoint, but, as far as we know, one of Tor Project's main goals is to provide a user-friendly platform for private and anonymous communication between people who aren't themselves tech specialists. V2 deprecation without making v3 names more user-friendly and convenient jeopardizes this goal. The attempt to solve this issue by creating the pseudo-domain securedrop.tor.onion does not seem to be a good solution, since it makes name resolution dependent on a centralized authority, and therefore susceptible to censorship, and cannot be considered reliable or secure.
What we think can be done about this:
- Abstain from turning v2 support off, leaving v3 as the default version. Put a risk warning for the service owner in case they want to use v2. Tor users should also receive a warning when trying to connect to v2 services, like they used to get in old versions of Tor Browser when trying to extend the browser window to full screen size.
- Replace v2 with an additional service that would redirect users to a v3 name, supported by the Tor router. This service should also use short names. Redirection verification can be accomplished via additional security measures, like symmetric encryption via passphrase: the client connects to the v2-style name and receives an encrypted v3 name in return, inputs a password and gets either the necessary v3 name or an encryption error that means the v2 name has been compromised.
- Use several v2 names to access a v3 service as a variation of the previous method. To access a v3 service, the user has to access several v2 services. It is much less likely that all of these v2 names would be compromised, and remembering several v2 names is still easier than one v3 name.
We consider solving this issue to be of extreme importance, but without resorting to centralized naming authorities. Otherwise, Tor Project might be reduced to just a tool for circumventing superficial government censorship on the Internet, making it unsuitable for people who require actual privacy and anonymity.
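
On the input-error drawback listed above (not knowing whether a failed connection is a typo or a network problem): a v3 name carries its own two-byte checksum and version byte, as defined in Tor's rend-spec-v3 address encoding, so a typed name can be checked locally before any connection attempt. The following is an added example, not part of the original post and not Tor Project code; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
VERSION = b"\x03"


def _checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: first two bytes of SHA3-256(".onion checksum" | pubkey | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def make_address(pubkey: bytes) -> str:
    """Encode a 32-byte public key as a v3 name (used here to build sample input)."""
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def check_typed_address(text: str):
    """Return (status, detail) for a hand-typed v3 name, with no network access."""
    name = text.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    # Digits such as 0, 1, 8 and 9 are not in the base32 alphabet, so a
    # handwritten "l" read as "1" is caught here with its exact position.
    bad = [i for i, ch in enumerate(name) if ch not in B32_ALPHABET]
    if bad:
        return ("bad-character", bad)
    if len(name) != 56:
        return ("bad-length", len(name))
    raw = base64.b32decode(name.upper())  # 35 bytes: key, checksum, version
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        return ("bad-version", version[0])
    # A swap between two valid letters (e.g. "g" for "q") fails here.
    if checksum != _checksum(pubkey):
        return ("bad-checksum", None)
    return ("ok", None)


# Constructed input: the "public key" is 32 counting bytes, not a real service key.
SAMPLE = make_address(bytes(range(32)))

if __name__ == "__main__":
    print(SAMPLE, check_typed_address(SAMPLE))
```

A status other than `ok` means the name was mistyped, so a connection failure after an `ok` result points to the network or the service rather than to the input.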