通过将隐私视为硬约束来设计仅限 Tor 的服务

1作者: onionlab6 个月前
Hi HN, 我正在开发 OnionLab,这是一个实验性的服务生态系统,围绕着一个严格的约束构建: 所有面向用户的服务都只能通过 Tor (.onion) 访问。明网仅用于发布静态的官方信息。 这并不是因为 Tor 是一个“特性”,而是因为将隐私视为一个硬性约束简化了一些设计决策,同时也明确了其他决策。 通过承诺仅通过 Tor 访问,我们有意避免: - 基于 IP 的假设 - 用户跟踪或分析 - 通过账户或社交图谱绑定身份 相反,我们专注于: - 最小且明确的状态 - 仅在严格要求时才使用短时会话状态 - 密码学验证 (PGP) 而非身份声明 - 仅追加记录而非可变历史 一个例子是 OnionLab Trust,它记录了 PGP 密钥持有者声明的引用(例如 URL、onion 服务、外部账户标识符)。 Trust 不验证所有权、合法性或真实性。它仅保证引用是由特定 PGP 私钥的持有者注册或更新的。 目标不是创建权威,而是允许其他人观察随时间的连续性和意图,而不会削弱匿名性。 我在这里分享这个,不是作为产品发布,而是作为对当隐私被视为不可协商的要求时,服务设计会是什么样子的具体探索。 我很想听听那些构建了仅 Tor 系统的朋友们的想法,或者那些考虑过这种方法但最终放弃的人的想法。 感谢阅读。
查看原文
Hi HN,<p>I’m working on OnionLab, an experimental ecosystem of services built around a strict constraint:<p>All user-facing services are accessible exclusively via Tor (.onion). Clearnet is used only to publish static, official information.<p>This is not because Tor is a “feature”, but because treating privacy as a hard constraint simplifies some design decisions while making others explicit.<p>By committing to Tor-only access, we intentionally avoid: - IP-based assumptions - user tracking or profiling - identity binding through accounts or social graphs<p>Instead, we focus on: - minimal and explicit state - short-lived session state only where strictly required - cryptographic verification (PGP) rather than identity claims - append-only records instead of mutable histories<p>One example is OnionLab Trust, which records references (e.g. URLs, onion services, external account identifiers) declared by PGP key holders.<p>Trust does not verify ownership, legitimacy, or truth. It only guarantees that a reference was registered or updated by the holder of a specific PGP private key.<p>The goal is not to create authority, but to allow others to observe continuity and intent over time without weakening anonymity.<p>I’m sharing this here not as a product launch, but as a concrete exploration of what service design looks like when privacy is treated as a non-negotiable requirement.<p>I’d be interested in hearing from people who have built Tor-only systems, or who considered this approach and decided against it.<p>Thanks for reading.