Forcing Onion Connections on whonix.org

From Whonix

Dumbbell-940375640.jpg

Introduction[edit]

Info Note:

Consistent use of the Whonix ™ onion service affords several benefits. It provides alternative end-to-end encryption which is independent from SSL certificate authorities and the mainstream Domain Name System and it also reduces the load on Tor exit nodes.

The onion domain of Whonix ™ is dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion.

dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion

Or in machine readable format (API), here is a raw link that only shows the onion: raw

To use .onion services when browsing whonix.org follow the links below to the Whonix ™ homepage, forums, download, debian repository, issue tracker, or the Whonix ™ Debian repository.

Two choices regarding an optional user rule:

  • A) If using: Configuration of an optional user rule might be useful to further enforce using Whonix ™ .onion address and avoid ever being redirected to the clearnet version due to technical imperfections.
  • B) It not using: Note that if a user rule is not configured, some resources from the clearnet whonix.org address might be utilized when navigating the onion address. [1] Also note that on a few occasions in the past it was not possible to log in to the Whonix ™ forums using the onion address. [2] [3]

Onion-Location: Tor Browser 9.5 and later features, an opt-in for using onion sites automatically for participating websites. The system administrator of individuals websites can choose to configure this. [4] Direct connects to onion services are harder to track than the opt-in method, which must make DNS requests and web server connections from an exit node before being able to switch to the onion service. The whonix.org is participating, setting the Onion-Location header.

HTTPS Everywhere User Rules[edit]

Requirements[edit]

  • The user must have Tor Browser installed, which is the default in Whonix ™.
  • A recent (non-ancient) Tor version. [5]

Background[edit]

HTTPS Everywhere by EFF is a browser add-on produced as a collaboration between the Tor Project and the EFF. It uses clever technology to automatically force encrypted communications (HTTPS) on many major websites (where it is offered), preventing the user from browsing the HTTP (insecure) version. However, HTTPS Everywhere supports user rules, and it is not limited to HTTP(S). This means the user can configure it to rewrite requests from the .org extension to .onion domains instead! [6]

HTTPS Everywhere is now in maintenance mode and planned for deprecation. [7]

Adding User Rules[edit]

Using "HTTPSEverywhereUserRules" directory for user rules is no longer supported. HTTPS Everywhere developer jeremyn clearly stated [8]:

HTTPSEverywhereUserRules/ is not supported with WebExtensions and won't be supported.

Now that Firefox uses WebExtensions, rules must now be added from the HTTPS Everywhere GUI. The Whonix ™ homepage is used in this example. Please note it may be necessary to repeat the steps below for redirection of Whonix ™ forums.

Info Platform Specific Notice:

Inside Whonix-Workstation ™.

  1. Go to the site. (https://www.whonix.org)
  2. Select the "hamburger" icon on the far right of Tor Browser's toolbar and select "customize". Add the HTTPS Everywhere icon to the toolbar. You can remove it later, when you are finished.
  3. Once the site has loaded, click the blue HTTPS Everywhere icon in the upper corner of Tor Browser and select "See more".
  4. Click on "Add a rule for this site".
  5. Click on "Show advanced" under the host field. For each user rule set two fields require editing.
  6. Change "matching regex" from ^http:// to ^https?:// so redirects work from both HTTP and HTTPS. If this value is not changed, redirects can be broken (because the default rule set in the extension already has a rule that redirects from HTTP).
  7. Change "redirect to" to the onion address you want to use. (http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/)
  8. Click "Add a new rule for this site" and refresh the page. If configured correctly the page should now redirect automatically. Be mindful that multiple rules may be needed for an address to work completely. In that case, it is necessary to repeat this process.

What if I made a mistake or the rule won't work?
Broken or unwanted rules can be removed by managing the HTTPS Everywhere extension from the add-ons menu.

Technical information: user rules are stored in a sqlite3 binary file that cannot be edited using a text editor. While it might be possible to edit this file, instructions to do this fall outside the scope of this wiki. Therefore it is recommended that users create periodic backups of this file so it can be restored to its previous state in the event of a broken redirect or if a mistake is made.

If this file is deleted it will be re-created to its defaults on the next browser start. The file is stored in: /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/storage-sync.sqlite. A rule will look something like this:

{"host":"www.whonix.org","redirectTo":"http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/","urlMatcher":"^https?://www\\.whonix\\.org/"},

A trailing comma and space as shown above will appear if there are multiple rules. As a reminder be sure to create a backup of this file before making any changes.


What if I am using a DispVM in Qubes-Whonix ™?
Any changes to the HTTPS Everywhere user rule file will revert to the defaults after the DispVM is stopped. It is necessary to complete these steps again when a new DispVM is launched, unless the DVM template is customized.

Other Rules[edit]

Other similar rulesets -- like those found on the Darkweb Everywhere github page -- do not work either, since they also depend on using the "HTTPSEverywhereUserRules" directory.

Forum Discussion[edit]

See Also[edit]

Footnotes[edit]

  1. The reason is MediaWiki and discourse are using the primary Whonix ™ https domain. These webapps do not support multiple domains for the same website. See also Web Application Shortcomings and Privacy on the Whonix ™ Website.
  2. https://forums.whonix.org/t/onion-forum-broken/8870
  3. This suggests the Whonix ™ forums onion address could become (temporarily) inaccessible in the future.
  4. v3 onion connections require Tor v3.2 or above.
  5. Because of the way most popular web applications are written, they expect to be at one location, for example forums.whonix.org, and not at multiple locations. That is why this workaround is needed. https://forums.whonix.org/t/whonix-blog-inaccessible-through-hidden-service
  6. See details here: https://github.com/EFForg/https-everywhere/issues/14375#issuecomment-359449102