Onion Services

From Whonix


Tor Onion Services - EASY

Introduction

Be sure to read and understand Tor: Onion Service Protocol [archive] (general information) and Configuring Onion Services for Tor [archive] (standard setup, without an isolated proxy) first. Note that onion services are only reachable through Tor or through tunnel services such as tor2web (be careful [archive]). Also review Riseup's Tor Hidden (Onion) Services Best Practices guide [archive].

You do not need SSL [1], because connections to Tor onion services are end-to-end encrypted by default [2][3] and the .onion address itself authenticates the service, since it is derived from the service's public key. This is handy, as you do not have to bother with self-signed certificates or certificate authorities.

Another interesting property is that they can serve as a drop-in Global Server Load Balancing and Layer 3 DDoS-resistance solution.[4] This raises the bar: an attacker who wants to flood the service has to overwhelm what the entire Tor network can tolerate. The same applies to I2P Eepsites. Tor can also be considered a very simple to configure encrypted transport, an alternative to IPsec.[5]

An adversary can see whether the service (and presumably Tor) is up and running or not.

Even if someone hacks your hidden server software (micro-httpd, nginx, apache, etc.), the attacker cannot steal your onion service key or bypass Tor, see Attack on Whonix ™. The key is stored on the Whonix-Gateway ™. While the attacker controls the Whonix-Workstation ™ they can of course serve whatever they like under your address, but once you have cleaned (or reinstalled) the Whonix-Workstation ™, no one can impersonate your onion service anymore.

Web Server Software Recommendations

  • Avoid the Apache web server. It has far more functionality, leak potential and attack surface than smaller and lighter alternatives.
    • If you are using the Apache web server anyway, see the following footnotes. [6] [7]
  • If your needs are limited to hosting static pages, look no further than micro-httpd, available from the Debian repositories. It is a bare-bones daemon of about 150 lines of code.[8]
  • The Nginx web server is a recommended alternative.

Security Recommendations

  • Credits: Some of these instructions are paraphrased from Sarah Jamie Lewis' write-up after running OnionScan[9] across the onion web. All credit goes to her.[10] OnionScan[11] is an open source pen-testing suite that reveals misconfigurations which can deanonymize hidden servers. Do run it before your service goes live.
  • Hide IP: Apply the IP hiding instructions for your specific server software.
    • The reason: a web server that forwards client IP addresses to a web application is a bad combination with applications such as MediaWiki, which by default records the IPs of anonymous editors in publicly accessible logs. The IP recorded would be 10.152.152.10, the Whonix-Gateway ™ address from which all onion connections arrive at the Whonix-Workstation ™. That cannot be used to identify you, because it is not your real external IP address, but it does identify the server as an onion service running behind a Whonix-Gateway ™.[12]
  • Server Software Hardening: If hardening instructions for your server software are available, it is recommended to apply them. With Whonix ™ we are quite confident that there are no IP/DNS leaks, but hardening the server software is still recommended and remains the responsibility of the user.
  • Mitigate DoS attacks: It is good practice to put your site behind a reverse proxy to mitigate layer 7 DoS attacks and to reduce information leaks about your setup.
  • Disable Banners: SSH, FTP, SMTP and HTTP servers leak a daemon's name and version in their banners; turn these off. If your SSH instance is for private use, run it as an Authenticated Onion Service to protect the server from brute-force and remote exploitation attempts.
  • Dedicated Onion Address: Each service you host should get its own dedicated onion address to prevent correlation between multiple instances running in the same VM.
  • ALPaCA: An advanced website fingerprinting client/server mitigation named ALPaCA is in development; it applies server-side padding to the pages served to Tor Browser. Once it is ready, service operators can run it to protect against this class of traffic analysis attacks.[13][14][15]
  • vanguards: Protects against guard discovery and related traffic analysis attacks. Soon to be installed by default in Whonix ™. See Vanguards.
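As an added example (not Whonix or OnionScan code), the following Python script applies the "Hide IP" and "Disable Banners" points above to saved HTTP responses: it flags Server / X-Powered-By style banners that carry a version string, and any Whonix-internal (10.152.152.x), loopback or private address echoed into headers or page bodies. The header list and the two sample responses are assumptions constructed for the example; in practice save responses from your own server (for example with curl -i) and feed those in.

```python
"""Pre-launch leak check for an onion web service.

Added example; this is not Whonix or OnionScan code. It inspects raw HTTP
responses for two of the leak classes listed above: banners that reveal a
daemon's name and version (Server, X-Powered-By, ...) and internal addresses
(the Whonix 10.152.152.x network, loopback, RFC 1918 space) echoed into
headers or page bodies, which is what a web app that records 10.152.152.10
would expose. Save real responses with `curl -i` and feed them in; the two
responses at the bottom are constructed for this example.
"""
import re

# Headers that conventionally carry a product name and version.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")

# Addresses that should never reach a visitor of an onion service.
INTERNAL_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
# Product/version tokens such as "nginx/1.14.2", "Apache/2.4.38", "PHP/7.3".
VERSIONED = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_leaks(raw):
    """Return (kind, detail) findings for one raw HTTP response; [] means clean."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        kind = "banner-version" if VERSIONED.search(value) else "banner"
        findings.append((kind, "%s: %s" % (name, value)))
    for name, value in headers.items():
        for ip in INTERNAL_IP.findall(value):
            findings.append(("internal-ip-header", "%s: %s" % (name, ip)))
    for ip in sorted(set(INTERNAL_IP.findall(body))):
        findings.append(("internal-ip-body", ip))
    return findings


# Constructed sample responses (not captured from a real service).
LEAKY_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx/1.14.2\r\n"
    "Location: http://10.152.152.11/wiki/Main_Page\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Last edited by 10.152.152.10 (anonymous).</p>\n"
)

CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Hello from the onion.</p>\n"
)

if __name__ == "__main__":
    for kind, detail in find_leaks(LEAKY_RESPONSE):
        print("%-19s %s" % (kind, detail))
```

A plain "banner" finding (a Server header without a version) is still reported, because even the daemon name narrows down what an attacker should try; a redirect whose Location carries the Workstation IP is the classic way the 10.152.152.x range ends up in front of visitors.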

Hidden Webserver

Whonix-Gateway ™

On your Whonix-Gateway ™:

Step 1: open Tor config

On your Whonix-Gateway ™.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Step 2: edit Tor config

On your Whonix-Gateway ™.

(all Whonix ™ platforms)

You need to add three settings to /usr/local/etc/torrc.d/50_user.conf.

  • A HiddenServiceDir configuration directive declaring where the onion service files (hostname file and private key file) should be stored.
  • A HiddenServicePort configuration directive declaring
    • the virtual port and
    • the IP and port of the Whonix-Workstation ™ that will run the server software processing incoming onion service connections. Do not omit the IP: without it Tor maps the virtual port to 127.0.0.1 on the Whonix-Gateway ™, where nothing is listening.
  • A HiddenServiceVersion configuration directive declaring which onion service version to use. Use 3; version 2 is obsolete.

On your Whonix-Gateway ™.

To do that, add the following three lines.

Qubes-Whonix ™:

The IP address of the Qubes-Whonix ™ Whonix-Workstation ™ AppVM needs to be filled in. To find it, run the following command inside that AppVM:

qubesdb-read /qubes-ip

Make sure to replace IP-of-q-ws-AppVM with the actual IP address of your Whonix-Workstation ™.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 IP-of-q-ws-AppVM:80
HiddenServiceVersion 3

Non-Qubes-Whonix ™:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3

(all Whonix ™ platforms)

Save.
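The three directives above are easy to get subtly wrong, and Tor will happily start with a configuration that points nowhere. As an added example (not Whonix or Tor code), the Python linter below parses the onion-service directives of a torrc fragment and reports the mistakes that most often make a Whonix onion service silently unreachable: a HiddenServicePort whose target is left at Tor's default of 127.0.0.1 (on Whonix the server lives on the Workstation, not on the Gateway), the obsolete version 2, and a HiddenServiceDir reused for two services. Only these three directives are understood; the two sample configurations are constructed for the example.

```python
"""Lint the onion-service directives in a Whonix-Gateway torrc fragment.

Added example; it is not part of Whonix or Tor and understands only
HiddenServiceDir, HiddenServicePort and HiddenServiceVersion. Findings are
(line number, message) pairs; an empty list means nothing was flagged.
"""


def target_host(target):
    """Host part of a HiddenServicePort TARGET: '', 'addr', 'port' or 'addr:port'."""
    if not target or target.isdigit():
        return "127.0.0.1"  # Tor's default: same port on loopback
    if target.startswith("unix:"):
        return "unix"
    return target.rsplit(":", 1)[0] if ":" in target else target


def parse_services(text):
    """Group directives by service, in file order. Returns (services, findings)."""
    services, findings, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "HiddenServiceDir":
            current = {"line": lineno, "dir": value.rstrip("/"), "ports": [], "version": None}
            services.append(current)
        elif key in ("HiddenServicePort", "HiddenServiceVersion"):
            if current is None:
                findings.append((lineno, key + " appears before any HiddenServiceDir"))
            elif key == "HiddenServicePort":
                current["ports"].append((lineno, value))
            else:
                current["version"] = (lineno, value)
    return services, findings


def lint_torrc(text):
    """Return a list of (line number, message) findings; empty means clean."""
    services, findings = parse_services(text)
    seen = {}
    for svc in services:
        if svc["dir"] in seen:
            findings.append((svc["line"], "HiddenServiceDir %s already used on line %d; "
                             "each service needs its own directory and onion address"
                             % (svc["dir"], seen[svc["dir"]])))
        seen.setdefault(svc["dir"], svc["line"])
        if not svc["ports"]:
            findings.append((svc["line"], "service has no HiddenServicePort"))
        for lineno, value in svc["ports"]:
            parts = value.split()
            host = target_host(parts[1] if len(parts) > 1 else "")
            if host in ("127.0.0.1", "localhost"):
                findings.append((lineno, "target %s is the Gateway's loopback; point it at "
                                 "the Workstation IP, e.g. 10.152.152.11:PORT" % host))
        if svc["version"] is not None and svc["version"][1] != "3":
            findings.append((svc["version"][0], "HiddenServiceVersion %s is obsolete; use 3"
                             % svc["version"][1]))
    return findings


# Constructed samples: the page's working configuration, and a broken one.
GOOD_TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3
"""

BAD_TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 80
HiddenServiceVersion 2
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 22 10.152.152.11:22
"""

if __name__ == "__main__":
    for lineno, msg in lint_torrc(BAD_TORRC):
        print("line %d: %s" % (lineno, msg))
```

Run it against a copy of /usr/local/etc/torrc.d/50_user.conf before reloading Tor; "tor --verify-config" (Step 5) only checks syntax and would accept every line in the broken sample.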

Step 3: Configure Onion Services Authentication

Optional: authenticated onion services.

Onion service authentication is only practical for private onion services with a limited number of visitors, because each visitor must be provided with a key file. It is not an option for a public onion service; in that case skip this step. This chapter describes the server side. The client side is described below in chapter Onion Service Authentication Client Setup.

With v3 onion addresses, adversaries can no longer learn of the existence of an address that has not been published; with v2 addresses this was different, because the directory servers storing a v2 descriptor could read the address off it. So what is the purpose of onion service authentication for v3 onions?

Onion service authentication for v3 onions exists to eliminate the residual risk of the onion address leaking accidentally, for example through human error, a bug in the software using the address, or other as yet unknown ways. With onion service authentication enabled, the onion service cannot be accessed even if the address has leaked.

Quote: [16]

Also, if you have multiple users, having one v3 address with authentication is much better than multiple addresses, for the following reasons:

  • easier management
  • easier to configure and easier to maintain the application behind it (web server or whatever it is)
  • less resources needed by the Tor daemon
  • less load on your guard(s) / bridge(s), thus more capacity and better experience for your clients / visitors (if you have multiple addresses you need to maintain active introduction point circuits for all of them, publish descriptors, etc.)

These instructions are based on this [archive]. [17] They can be quite difficult to follow, but that is not specific to Whonix ™; the procedure is just as involved anywhere else. Whonix ™ is based on Debian, and the Free Support Principle applies. [18]

On your Whonix-Gateway ™.

Install basez.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the basez package.

sudo apt-get install basez

The procedure is complete.

Create temporary private key.

openssl genpkey -algorithm x25519 -out private-key.pem

Create temporary public key.

openssl pkey -in private-key.pem -pubout -outform PEM -out public-key.pem

Extract the raw 32-byte private key from the PEM file and base32-encode it into a temporary file.

cat private-key.pem | \
    grep -v " PRIVATE KEY" | \
    basez --base64pem --decode | \
    tail --bytes 32 | \
    basez --base32 | \
    tr -d '=' > temp1

Steps towards 1.auth_private.

Set the file path variable. If you used a HiddenServiceDir other than the default /var/lib/tor/hidden_service/ used in these instructions, adjust the path below accordingly; otherwise no change is required.

file_name="/var/lib/tor/hidden_service/hostname"

Set onion hostname variable.

hostname="$(sudo cat "$file_name")"

View your onion hostname.

echo "$hostname"

Should show something similar.

bvwxablxzabj4yudgzgooeg55sys2c3li7w5hhnongdm2p62l7hfnvid.onion

Create variable onionname without appendix .onion.

onionname="$(echo "$hostname" | str_replace .onion "")"

View your onion name.

echo "$onionname"

Should show something similar.

bvwxablxzabj4yudgzgooeg55sys2c3li7w5hhnongdm2p62l7hfnvid

Create final 1.auth_private.

echo -n "$onionname:descriptor:x25519:" | \
    cat - temp1 > 1.auth_private

Steps towards 1.auth.

cat public-key.pem | \
    grep -v " PUBLIC KEY" | \
    basez --base64pem --decode | \
    tail --bytes 32 | \
    basez --base32 | \
    tr -d '=' > temp2

Create final 1.auth.

echo -n "descriptor:x25519:" | cat - temp2 > 1.auth

Now we have two files.

  • 1.auth which belongs to onion server in folder /var/lib/tor/hidden_service/authorized_clients/.
  • 1.auth_private which visitors need to be provided with.

It is of course possible to use different file names.

Create folder /var/lib/tor/hidden_service/authorized_clients/.

sudo mkdir -p /var/lib/tor/hidden_service/authorized_clients/

Copy 1.auth to folder /var/lib/tor/hidden_service/authorized_clients/.

sudo cp 1.auth /var/lib/tor/hidden_service/authorized_clients/

Fix owner permissions.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor/hidden_service
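The openssl/basez pipeline above hides what the two files actually contain. The following Python block, added here as an example and not code from the Whonix page or from Tor, performs the same key generation and encoding with the standard library only: an x25519 key pair (written out from RFC 7748), the raw 32-byte keys as unpadded base32, and the two lines that go into authorized_clients/1.auth and the visitor's 1.auth_private. Unlike the shell steps, it validates the onion hostname against the v3 address layout (public key, two-byte SHA3-256 checksum, version byte 3) before writing it into 1.auth_private, which catches a mistyped or truncated hostname. The conditional swap in the ladder is not constant-time, so keep using openssl for real keys; the sample key material and the demo hostname are constructed.

```python
"""Create Tor v3 client-authorization lines (1.auth and 1.auth_private).

Added example; not code from the Whonix page or from Tor. Standard library
only: X25519 follows RFC 7748 (demonstration, not constant-time), base32 is
upper-case without padding as Tor expects, and the hostname check follows
the v3 address layout base32(PUBKEY || CHECKSUM || 0x03) + ".onion".
"""
import base64
import hashlib
import os

P = 2 ** 255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k):
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar, u_bytes=BASEPOINT):
    """RFC 7748 Montgomery ladder. x25519(secret) is the public key."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # demonstration only: real code swaps in constant time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b32(raw):
    """Upper-case base32 without '=' padding, as used in Tor's auth files."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def _checksum(pubkey):
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]


def _onion_name(hostname):
    """Lower-case onion name without the .onion suffix."""
    name = hostname.strip().lower()
    return name[:-6] if name.endswith(".onion") else name


def onion_hostname(pubkey):
    """Build the v3 .onion hostname for a 32-byte ed25519 public key."""
    return b32(pubkey + _checksum(pubkey) + b"\x03").lower() + ".onion"


def onion_pubkey(hostname):
    """Validate a v3 hostname and return its 32-byte ed25519 public key."""
    name = _onion_name(hostname)
    if len(name) != 56:
        raise ValueError("a v3 onion name is 56 base32 characters")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        raise ValueError("not a version 3 onion address")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: the hostname is mistyped or truncated")
    return pubkey


def make_auth_lines(hostname, secret=None):
    """Return (authorized_clients/1.auth line, visitor's 1.auth_private line)."""
    onion_pubkey(hostname)  # refuse to build files for a bad hostname
    secret = secret or os.urandom(32)
    auth = "descriptor:x25519:" + b32(x25519(secret))
    auth_private = _onion_name(hostname) + ":descriptor:x25519:" + b32(secret)
    return auth, auth_private


if __name__ == "__main__":
    demo_host = onion_hostname(bytes(range(32)))  # constructed, not a real service
    for line in make_auth_lines(demo_host):
        print(line)
```

Write the first returned line to /var/lib/tor/hidden_service/authorized_clients/1.auth (owned by debian-tor, as above) and hand the second to the visitor; the public key is 52 base32 characters in both cases, which is a quick sanity check on files produced by the shell pipeline as well.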

Step 4: Denial of Service Mitigation Options

Documentation for Denial of Service Mitigation Options is incomplete. Contributions are happily considered!

Requires Tor 0.4.2.5 and above. See https://forums.whonix.org/t/tor-0-4-25-release-how-can-we-upgrade/8614 [archive]

See the Tor manual, https://2019.www.torproject.org/docs/tor-manual.html.en [archive], and search for DENIAL OF SERVICE MITIGATION OPTIONS. The relevant directives are HiddenServiceEnableIntroDoSDefense, HiddenServiceEnableIntroDoSRatePerSec and HiddenServiceEnableIntroDoSBurstPerSec; they let the introduction points rate-limit introduction requests for the service.

There is nothing Whonix ™ specific about installing a newer Tor from source; see the forum thread linked above.

See also: https://forums.whonix.org/t/onion-services-ddos-defense-tor-0-4-2-5/8644 [archive]

Step 5: make changes to Tor config take effect

On your Whonix-Gateway ™.

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettingsReload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

Step 6: get your onion hostname

On your Whonix-Gateway ™.

To get your Tor onion service url.

sudo cat /var/lib/tor/hidden_service/hostname

Step 7: backup your Tor onion service private key

On your Whonix-Gateway ™.

Reminder: Always back up the onion service key. This is necessary in order to restore the service on another machine, on a newer Whonix-Gateway ™, after HDD/SSD failure, etc. Tor regenerates the hostname and public key files from this secret key, so it is the one file that must not be lost. If you use onion service authentication (Step 3), also back up the authorized_clients/ folder. The key is located at the following path; root permission is required to access it.

/var/lib/tor/hidden_service/hs_ed25519_secret_key

Qubes-Whonix ™

Use the usual Qubes tools. The following example shows how to copy the /var/lib/tor/hidden_service/hs_ed25519_secret_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/hidden_service/hs_ed25519_secret_key

The above step copies the Tor onion service private key file to the QubesIncoming folder of the vault VM.

/home/user/QubesIncoming/sys-whonix/hs_ed25519_secret_key

Consider moving the file from the QubesIncoming folder to another preferred location.

Qubes VM Manager can be used to conveniently backup the vault and/or other VMs. Please refer to the Qubes backups documentation for necessary steps to accomplish that.

Non-Qubes-Whonix ™

TODO document

Also see: File Transfer.

Whonix-Workstation ™

On your Whonix-Workstation ™:

Step 1: Install Server Software

On your Whonix-Workstation ™.

Either,

A) Run the following commands to install micro-httpd. OR

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the micro-httpd package.

sudo apt-get install micro-httpd

The procedure is complete.

B) Run the following commands to install nginx.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the nginx package.

sudo apt-get install nginx

The procedure is complete.

Step 2: Open Whonix-Workstation ™ Firewall Port

On your Whonix-Workstation ™.

Modify Whonix-Workstation ™ User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix ™, complete these steps.

In the Whonix-Workstation ™ AppVM, make sure the folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → Settings → User Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

Open /etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /etc/whonix_firewall.d/50_user.conf

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix ™, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

Add the following line to /etc/whonix_firewall.d/50_user.conf (the user settings file opened above, not the global defaults file).

EXTERNAL_OPEN_PORTS+=" 80 "

Save.

Reload Whonix-Workstation ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation ™, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation ™, run.

sudo whonix_firewall

Step 3: Final Notes

Done.

Note that it may take some minutes, reportedly up to about 30, until a fresh .onion address becomes reachable, because the service first has to publish its descriptor.

Note: Tor Browser no longer allows connections to 127.0.0.1 (local connections) due to a change [archive] by The Tor Project. Check Tor Browser, Local Connections for more information and a workaround.

Debugging

On Whonix-Gateway ™.

Check permissions.

sudo ls -la /var/lib/tor/hidden_service/

If you manually restored your hidden_service keys as root, Tor will fail to start: the folder and the key files in it must be owned by debian-tor, and the folder must not be accessible by other users. In that case, fix the ownership recursively so that the files inside are covered too.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor/hidden_service/

In Whonix-Workstation ™.

Check if the service is available on 127.0.0.1:80.

## Circumventing Whonix ™ curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:80

Qubes-Whonix ™: In Qubes-Whonix ™ Whonix-Workstation ™, check if the service is available on Qubes-Whonix-Workstation ™ IP, port 80.

## Circumventing Whonix ™ curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl $(qubesdb-read /qubes-ip):80

Non-Qubes-Whonix ™: In Whonix-Workstation ™, check if the service is available on 10.152.152.11:80.

## Circumventing Whonix ™ curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl 10.152.152.11:80

Note: Tor Browser will allow connections to 127.0.0.1:80 but not to 10.152.152.11:80.

Tips for setting up any onion service

Please test the example Hidden Webserver above first. It helps with understanding the general setup and eases debugging.

Quoted from the Tor manual[19]:

HiddenServiceDir DIRECTORY

Store data files for an onion service in DIRECTORY. Every onion service must have a separate
directory. You may use this option multiple times to specify multiple services. DIRECTORY
must be an existing directory.

Quoted from the Tor manual[20]:

HiddenServicePort VIRTPORT [TARGET]

Configure a virtual port VIRTPORT for an onion service. You may use this option multiple
times; each time applies to the service using the most recent hiddenservicedir. By default,
this option maps the virtual port to the same port on 127.0.0.1 over TCP. You may override
the target port, address, or both by specifying a target of addr, port, or addr:port. You
may also have multiple lines with the same VIRTPORT: when a user connects to that VIRTPORT,
one of the TARGETs from those lines will be chosen at random.

Hidden VoIP Server

On the VoIP page is an example for a Hidden VoIP Mumble Server.

Tor Onion Services - ADVANCED

Onion Services Security Enhancements

See:

How Onion Services Connections Work

To understand how onion services work, a simple overview of the process is outlined below. [21]

Step 1. Onion services advertise their existence in the Tor network. This is done by randomly picking some relays and building circuits, before asking these relays to act as introduction points by providing the service's public key. The onion server's location (IP address) is shielded.

Step 2. The onion service generates an onion service descriptor containing the public key and a summary of introduction points. This is signed with its private key and then uploaded to a distributed hash table, so users can find the service when searching for a .onion resource. [22] This also forms an important verification mechanism for the user to confirm they are talking to the right onion service.

Step 3. The user who learnt that the .onion resource exists requests more information from the database, by downloading the descriptor from the distributed hash table. If the descriptor exists, the user now knows the introduction points and the right public key to use. The user also creates a Tor circuit to another randomly picked relay to use as a rendezvous point (with a one-time secret).

Step 4. If the descriptor is present and the rendezvous point is ready, the user assembles an "introduce message". This is encrypted to the onion service's public key and includes the rendezvous point address and the one-time secret. The user requests this be delivered to the onion service (via a Tor circuit) anonymously, so the IP address remains hidden.

Step 5. The onion service decrypts the user's introduce message and finds the rendezvous point address and one-time secret in it. The service creates a circuit to the rendezvous point and sends the one-time secret to it in a rendezvous message. The onion service must use the same set of entry guards when creating circuits, to prevent attackers from forcing onion services to use corrupt relays as an entry node (and learning the onion server's IP address via timing analysis).

Step 6. The rendezvous point notifies the user the successful connection has been established. Both the user and onion service use their circuits to the rendezvous point for communication. The rendezvous point relays end-to-end encrypted messages from user to service and vice versa.

Use of .onion addresses leads to a 6 relay arrangement: 3 picked by the user (with the third used as a rendezvous point), and 3 picked by the onion service. The final successful connection between a user and an onion service is represented in the picture below.

Figure: Alice (User) and Bob (Onion Service) Successful Connection [23] (image: Tor Onion Service Connection Success.png)

Onion Services Security

This section is not Whonix ™ specific; it is about Tor in general.

How safe are Tor Onion Services? This is a difficult question, so relevant facts, quotes and links are collected here.

Quote Roger Dingledine, an original developer of Tor, tor-talk mailing list: How easy are Tor hidden services to locate? [archive]:

Hidden services are definitely weaker than regular Tor circuits, a) because the adversary can induce them to speak, and b) because they stay at the same place over time. Mostly 'a'.

That said, there are plenty of hidden services out there, and few stories of people breaking their anonymity by breaking Tor. So they're not foolproof for sure, but they're also not trivial to deanonymize.

I'll turn it around, and ask "easy compared to what?"

The reply continues [archive]:

When you're a Tor client, you only use the Tor network when you choose to access it (e.g. by trying to fetch a web page). So if the attacker has some attack that works only a very small percentage of time, they have to wait for you to initiate connections.

But for a hidden service, they can cause you to initiate a connection just by visiting the hidden service. And they can do it as often as they want.

See http://freehaven.net/anonbib/#hs-attack06 [archive] for the original paper about this topic (and the reason we implemented entry guards).

And then see http://freehaven.net/anonbib/#wpes12-cogs [archive] for a more recent example. The goal of that paper is to understand how long it takes in normal operation (with entry guards going offline and being replaced) before a typical user touches an adversary-controlled guard node. For simplicity, the paper assumes that you use your guards every minute of every day for however many weeks or months it takes. A realistic user doesn't do that, so the paper overestimates the risk. But a realistic hidden service *would* do that, if the adversary caused it to.

--Roger

Onion Service Authentication Client Setup

Transfer 1.auth_private from the onion service operator to the client over a secure channel.

Create folder /var/lib/tor/authdir.

sudo mkdir -p /var/lib/tor/authdir

Fix ownership permissions. [26]

sudo chown --recursive debian-tor:debian-tor /var/lib/tor/authdir

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettings/usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Paste.

ClientOnionAuthDir /var/lib/tor/authdir/

Save.

Copy 1.auth_private to /var/lib/tor/authdir/.

sudo cp 1.auth_private /var/lib/tor/authdir/

Fix ownership permissions.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor/authdir

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettingsReload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

Done.

Notes about End-to-end Security of Onion Services

Onion services are not really "end-to-end" encrypted; they are encrypted only from Tor daemon to Tor daemon ("Tor to Tor"). The communication between the browser or server and its local Tor is sent in clear text. This is not a security issue as such, because localhost (or the isolated network between Whonix-Workstation ™ and Whonix-Gateway ™) is supposed to be secure, but it has some security implications:

With onion services alone, without TLS, an adversary who compromises the Whonix-Gateway ™ learns both the content of the connection and the client's identity/location, because the plaintext passes through the gateway's Tor process. To learn the content alone, compromising either the gateway or the workstation suffices.

With onion services, and TLS enabled, an adversary needs to compromise Whonix-Workstation ™ to gain knowledge of the content of the connection. The adversary would have to compromise Whonix-Gateway ™ as well, to gain knowledge of the client's identity/location.

It is possible to use onion services and TLS at the same time, i.e. https://****************.onion [archive]. There are only a very few onion services reachable over TLS. For example https://pad.riseup.net/ [archive] can be reached over https://5jp7xtmox6jyoqd5.onion/ [archive]. But since this only offers benefits to users of Whonix ™ (and other Tor gateway implementations), there is no demand. It would provide some nice defense in depth as it eliminates a single point of failure.

It would open the question, how would the certificate be verified?

That's simple for private sites, where server and clients know each other. They simply verify it over preshared secure channel, for example, a meeting.

And public onion services? At the time of writing it seemed unlikely that certificate authorities would issue certificates for .onion sites: Startssl.com declined, because .onion is not a gTLD, see Bug #6116: apply for .onion gTLD at IANA [archive]. Since then the CA/Browser Forum has permitted Extended Validation certificates for .onion names and some CAs issue them. Otherwise you could try asking other certificate authorities whether they offer certificates to people who can prove control of a .onion domain, for example by editing its contents on request.

But CAs should not be relied on anyway. See chapter SSL.

Onion Services with Whonix ™ are still safer than running Tor and the server software on the same host, because even when misconfigured, there can be, by design, no IP or DNS leaks.

See Also

References

  1. https://en.wikipedia.org/wiki/Secure_Sockets_Layer [archive]
  2. To be exact, only tor-to-tor, see Notes about End-to-end security of Onion Services.
  3. http://www.quora.com/Is-there-an-SSL-equivalent-for-Tor-Hidden-Services [archive]
  4. https://archive.is/Aaqsz [archive]
  5. https://lists.torproject.org/pipermail/tor-talk/2016-October/042360.html [archive]
  6. It is advised to install libapache2-mod-removeip [archive].

    1. Update the package lists.

    sudo apt-get update

    2. Upgrade the system.

    sudo apt-get dist-upgrade

    3. Install the libapache2-mod-removeip package.

    sudo apt-get install libapache2-mod-removeip

    The procedure is complete.

  7. (Source: old forum [archive]) Stop Apache. In ports.conf:
    NameVirtualHost 127.0.0.1:80
    Listen 127.0.0.1:80
    ServerName localhost
    

    In sites-available/default:

    
    

    Start Apache.

    Now Apache is no longer listening on the Whonix-Workstation ™ address (10.152.152.11 in current Whonix ™; the old post used 10.152.152.10) but only on 127.0.0.1, so the web application sees 127.0.0.1 rather than the gateway address as the client. 10.152.152.11:80 therefore still has to be forwarded to 127.0.0.1:80.

    This can be done with a firewall rule or with ncat; the --keep-open flag is needed so that ncat keeps accepting connections after the first one:

    sudo ncat --keep-open -l 10.152.152.11 80 -c 'ncat 127.0.0.1 80'

  8. https://wiki.debian.org/WebServers [archive]
  9. https://mascherari.press/why-onionscan-should-worry-you/ [archive]
  10. https://mascherari.press/thwarting-identity-correlation-attacks/ [archive]
  11. https://github.com/s-rah/onionscan [archive]
  12. Since it is easy to know that the internal LAN IP 10.152.152.10 is usually used by Whonix-Gateway ™.
  13. https://github.com/camelids/ [archive]
  14. Website Fingerprinting Defenses at the Application Layer [archive]
  15. https://www.esat.kuleuven.be/cosic/?p=6743 [archive]
  16. The purpose of Onion Services Authentication has been asked about on the Tor Talk Mailing List [archive]. Answers:
  17. But modified, since the original instructions did not create the files 1.auth_private and 1.auth for the user and only echoed the two values to the shell, which most users would not know what to do with.
  18. The only Whonix ™ specific thing below is str_replace, which is only available in Whonix ™. A tool which makes string search and replace easier.
  19. https://www.torproject.org/docs/tor-manual.html.en [archive]
  20. https://www.torproject.org/docs/tor-manual.html.en [archive]
  21. https://www.torproject.org/docs/hidden-services.html.en [archive]
  22. A v2 name is 16 characters; the v3 names used in this guide are 56 characters, reflecting the upgraded cryptography of v3 onion services. See: https://blog.torproject.org/blog/cooking-onions-names-your-onions [archive]
  23. https://www.torproject.org/images/THS-6.png [archive]
  24. https://www.torproject.org/about/corepeople.html.en [archive]
  25. https://forums.whonix.org/t/cryptolog-for-whonix-website/3369/12 [archive]
  26. We do this here in case the user does not follow through with all instructions to avoid Tor from refusing to start due to broken file permissions. If user follows through, this chown command could be omitted here and be done at the end.


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.