
#1 2016-08-02 15:16:46

ilf0
Member
Registered: 2012-05-12
Posts: 12

Tor Hidden Services

Debian now has most of their services available as Tor Hidden Services: https://onion.debian.org/
The reasons are simple:

The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.

While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.

I would love for Arch to also provide many services as Hidden Services: Website, Wiki, Forums, …

Debian also provides torified download mirrors, via apt-transport-tor and tor+http://vwakviie2ienjx6t.onion/debian
Right now none of these Arch pages even mention Tor:

Let's also embrace Tor! What do you think?

Offline

#2 2016-08-06 20:23:25

post
Member
Registered: 2015-02-15
Posts: 31

Re: Tor Hidden Services

Noble idea, but similar to creating comp.os.linux.archchlinux I guess there's not enough interest.

Last edited by post (2016-08-06 20:26:19)

Offline

#3 2016-08-06 20:38:02

headkase
Member
Registered: 2011-12-06
Posts: 1,983

Re: Tor Hidden Services

If Linux in general is somehow classified as "subversive" then we'll have a lot more problems than moving to Tor would solve.

Offline

#4 2016-12-04 14:01:30

Pineman13
Member
Registered: 2016-12-04
Posts: 26

Re: Tor Hidden Services

I think that the whole Tor-thing is a pretty nice one for Deb-based. If they manage to push it and successfully integrate into the big three of mainstream linux, it'd be great for Tor network (hopefully). But at the same time it involves tons of bandwidth overhead, right? To whichever mirror there is that will be providing such services.
But it sounds great to me, I'd like to move on from https to something even less transparent. Which, to be honest, is a big feature of Arch on its own. Most Debian mirrors don't even support https, let alone encourage their users to switch to it.

Offline

#5 2016-12-04 14:58:48

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965
Website

Re: Tor Hidden Services

The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others.

I truly appreciate the philosophy and motivations behind such onion sites but their practical value is limited for the client in the dire circumstances you describe. If you live somewhere that has become so repressive as to block open source software, you can expect Tor to be blacklisted at the ISP level. At the very least, using Tor under such conditions will only draw unwanted attention to you as a potential subversive. It's like walking into a bank with your face covered because they have cameras everywhere. It won't end well, even if nobody can immediately identify you.

The value of hidden sites for clients is that we can access them without being monitored. Private and untrackable communications between individuals are critical for a free and open society. Making this the norm has the potential to make people aware of the value of such communications, but it may also just accelerate the crackdown on private communication and encryption.

From a practical perspective, I believe that it would be very useful to have an onion site for obtaining the digital signatures of the installation medium along with signatures of the keyring and other critical packages. Once you have those, you can (relatively) safely install signed packages without fear of tampering. Overall, this may deter some isolated cases of attempted tampering. On the other hand, running mirrors through Tor would lead to even more congestion of the Tor network with no immediate tangible benefit (package integrity is already guaranteed by the signatures, Tor will be slow, using Tor is more suspicious than using FOSS).

Access to the forum, wiki and AUR via an onion site may also be useful. Even if these are currently secured with HTTPS, the HTTPS model of trusting third-party certificate authorities that can be "coerced" (read: who happily agree with state agents' requests) is broken. At least a verified onion site would reduce (eliminate?) the risk of a MITM attack when accessing these sites. Of course, if you are at the point that someone with the power to do so is actively trying to MITM you via corrupt certificates, you probably have more to worry about than configuring your system.


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone

Offline

#6 2016-12-17 14:37:25

ilf0
Member
Registered: 2012-05-12
Posts: 12

Re: Tor Hidden Services

1. There is no congestion of the Tor network. That existed many years ago, but not any more. Now, only half the advertised bandwidth is actually used: https://metrics.torproject.org/bandwidth.html

2. I already use Pacman with Tor: https://wiki.archlinux.org/index.php/tor#Pacman

3. Package signatures provide package integrity, but not *anonymity*. An attacker could be interested in *monitoring* a user, trying to find out installed packages and update cycles. Due to timing and bandwidth correlation attacks, TLS does not sufficiently solve this. Tor does.

4. A Tor Hidden Service provides another layer of confidentiality and anonymity. I really think these are valuable features to provide and use.

5. Not every mirror must do this. But it's a nice option. And it is *very* easy to set up: https://www.torproject.org/docs/tor-hid … ce.html.en

I would love to see a mirror provide a Tor Hidden Service, or a few. :)

Offline

#7 2016-12-17 18:17:04

Pineman13
Member
Registered: 2016-12-04
Posts: 26

Re: Tor Hidden Services

Hey, to be honest - what about it? I mean the mirror? Many of the Debian mirrors are provided by some volunteer-organizations or even individuals. Why should Arch be so very different?
Perhaps somebody with enough computing power (storage capacity) should try and do so? And then nominate for the provider of Torified services?

Offline

#8 2017-02-04 03:54:00

rexx
Member
Registered: 2017-02-04
Posts: 10

Re: Tor Hidden Services

Onions are essential.

Mods/Admins, please chime in. How do we get the ball rolling?

"For instance, when users connect to the onion services... they can be certain that their connection to the (server) cannot be read or modified by third parties, and that the (server) that they are visiting is indeed the (Arch) website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certification authorities (CAs)."

https://bits.debian.org/2016/08/debian- … vices.html
https://guardianproject.info/2016/07/31 … -services/
https://wiki.debian.org/TorifyDebianServices

Offline
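Added example (not from the thread, Debian or the Tor Project): why an onion hostname authenticates the endpoint without a CA. It uses the current v3 address format, which postdates most of this thread, with the legacy v2 derivation for comparison; the sample key bytes are constructed.

```python
import base64
import hashlib

V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _v3_checksum(pubkey: bytes) -> bytes:
    # The checksum catches typos and truncation; it is not a secret or a MAC.
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def v3_onion_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_v3_onion(host: str) -> bytes:
    """Return the public key a v3 hostname commits to, or raise ValueError."""
    label = host.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    label = label.rsplit(".", 1)[-1]  # ignore any subdomain labels
    if len(label) != 56:
        raise ValueError("not a v3 onion label")
    # b32decode raises binascii.Error (a ValueError) on bad characters.
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError("unsupported version")
    if checksum != _v3_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def v2_onion_from_der(der_rsa_pubkey: bytes) -> str:
    """Legacy v2 form (as in this thread): first 80 bits of SHA-1 of the DER key."""
    digest = hashlib.sha1(der_rsa_pubkey).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


# Constructed sample key bytes, not a real service key.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_HOST = v3_onion_from_pubkey(SAMPLE_PUBKEY)
```

The hostname is a commitment to the service key, so a client that obtained the name from a trusted source needs no third party to vouch for the server; the Tor client itself checks that the service holds the matching private key.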

#9 2017-02-04 19:59:28

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,358

Re: Tor Hidden Services

rexx wrote:

Mods/Admins, please chime in. How do we get the ball rolling?

By setting up and hosting your own server, of course.

No sarcasm intended, but that's how open source works (Arch included). Actually I don't think Arch devs could exert this sort of control on the vast majority (all?) of our mirrors, even.....


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#10 2017-02-04 21:02:58

rexx
Member
Registered: 2017-02-04
Posts: 10

Re: Tor Hidden Services

ngoonee wrote:

By setting up and hosting your own server, of course.

Fair enough.

But wouldn't it be trivial for existing mirror operators to simply $(pacman -S tor) and point the onion at their existing mirrors? Even if only the Core and Extra repos had 1 onion mirror each, this would be a great achievement.

Offline

#11 2017-02-05 03:58:07

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: Tor Hidden Services

Again, as ngoonee mentioned, mirror admins are not under our control. Though if you want, you can contact some of the mirror admins and try to convince them ;)

Offline

#12 2017-03-15 05:57:02

anschelsc
Member
Registered: 2015-06-12
Posts: 3

Re: Tor Hidden Services

As I understand it, Tor hidden services protect the servers; Tor clients are already protected just by using Tor. So if you're accessing the mirrors through Tor already, how would having an onion mirror make any difference?

Offline

#13 2017-03-15 13:43:11

ilf0
Member
Registered: 2012-05-12
Posts: 12

Re: Tor Hidden Services

anschelsc wrote:

As I understand it, Tor hidden services protect the servers; Tor clients are already protected just by using Tor. So if you're accessing the mirrors through Tor already, how would having an onion mirror make any difference?

The very first post quotes Debian's announcement, which makes clear that this is not about hiding (or otherwise "protecting") the servers:

While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.

Offline

#14 2021-07-22 23:31:30

yodawins
Member
Registered: 2021-07-22
Posts: 2

Re: Tor Hidden Services

This could be a good thing and should be considered. Maybe some good PR will come out of this too (as a bonus). BTW: Arch Linux is listed at https://privacytools.io/operating-systems/

Offline
