The Tor Project is switching to Rust

Original Article ↗ Hacker News Discussion ↗

Language choice & “right tool” framing

  • Many commenters support the move if it solves Tor’s real pains, emphasizing “right tool for this project” over “language X is universally better.”
  • Some argue the rationale given (memory safety, maintainability) applies to many network-facing, security-critical apps, not just Tor.
  • Others are tired of “rewrite in Rust” stories, suggesting similar impact could come from profiling, dependency trimming, or refactoring in-place.

Security, memory safety, and Rust vs C

  • Supporters: Tor’s threat model (untrusted data, state-level attackers, long-lived C code) makes memory safety and strong static analysis particularly valuable. Rust’s type system, ownership model, and pattern matching are seen as major wins.
  • Skeptics:
    • Point out Rust still has unsafe, logic bugs, supply-chain risk, and doesn’t replace formal verification.
    • Note Tor’s historical C vulnerabilities don’t show many severe remote exploits; most past issues were logic bugs.
  • Several note Rust’s safety gains are real but often overstated or used as marketing; formal methods (SPARK, CompCert, etc.) still provide stronger guarantees for truly critical components.

Performance and Tor’s slowness

  • Consensus that Tor’s speed is dominated by network and anonymity constraints (multiple hops, TLS, exit bottlenecks), not language choice.
  • A few hope Rust might indirectly help explore new protocol optimizations faster, but expectations of raw speedup are low.
  • Some joking/sarcastic suggestions about reducing hop count are rebutted as destroying anonymity.

Rewrites, Arti, and migration strategy

  • Commenters note this is a multi‑year effort (Arti started ~2020, 1.0 in 2022), not a sudden switch.
  • The rewrite is framed by Tor as necessary because the old C codebase was hard to safely evolve, not as anti‑C rhetoric.
  • Examples from other projects (fish shell, TypeScript, browsers) are used to argue that full rewrites can work if staged and carefully managed.

Ecosystem, tooling, and portability concerns

  • Pro‑Rust points: good library ecosystem, easier to embed as a library, strong Windows support, better ergonomics than legacy C/C++ build systems.
  • Concerns:
    • Heavy dependency trees and npm‑like supply‑chain risk.
    • Compiler/toolchain churn and older/obscure platform support (old macOS, OpenBSD i686, exotic architectures).
    • Fear that Rust will “creep everywhere,” forcing more people to adopt new toolchains.

Alternatives, culture, and hype

  • Some ask “why not Go” (GC, simpler, more devs); others respond that Rust’s low‑level control and C interop fit Tor’s needs better.
  • Several threads lament Rust “cultishness” vs. defenders who see criticism as overblown; broader frustration with industry-wide rewrite/hype cycles recurs.

Tor operations & fingerprinting

  • Practical advice: run relays or bridges instead of exits to avoid legal trouble while helping the network.
  • Separate discussion on browser fingerprinting tools finds Tor Browser (especially with JS off) among the strongest at resisting tracking, though some question test methodologies.