Hosting Location Hidden Services

From Whonix

Anonymous Hosting, Comparison Table of Tor Onion Services, VPN with Remote Port Forwarding, PageKite and Anonymous Third Party Hosts

Introduction

This page discusses and compares the different kinds of hosting options utilizing location/IP hidden servers. It is possible to host anonymous services such as web sites either:

  • at home using Tor Onion Services;
  • at servers you physically own; or
  • using (free) services provided by third parties, such as free .onion web space, VPS servers, web space and so on.

The five most common methods of running location hidden servers are: Tor Onion Services, using a VPN provider with remote port forwarding, local host tunneling such as PageKite (which makes your local host a server), .onion webspace, and anonymous third party hosts.

An overview of these methods and a comparison table is provided below. Readers who are unsure of which method to use are recommended to review Tor Onion Services, since they are the easiest to configure and provide the strongest anonymity.

Anonymous Hosting Overview

Tor Onion Services

Onion Services provide a number of benefits. First, they are censor resistant, which means that nobody can take the .onion domain offline unless they compromise the host and/or perform a successful flood attack. [1] In addition, Onion Services are accessible through tor2web over http, although this is not as censor-resistant as the .onion domain itself.

Onion Services are also free and do not require any registration to run (no sign up is required). Further, they do not require any additional software other than the server software that will be run anonymously. Onion Services are flexible insofar as they can easily be run at home, on any server physically owned, or on (anonymous) third party hosts.

VPN with Remote Port Forwarding

The level of censorship resistance afforded by VPNs depends on the specific provider used. While services will be reachable by a wider audience (clients) because Tor is not required, there are probably no free VPN services providing Remote Port Forwarding.

Unlike Onion Services, registration/sign up is very likely required, which is a challenge to maintaining anonymity. On the upside, this configuration can be run at home, on any server physically owned, or on (anonymous) third party hosts.

PageKite

PageKite is another alternative service which has been tested inside Whonix-Workstation, and is functional out of the box (although less tested by Whonix developers).

PageKite is a subscription-based service, but is free for Free Software authors; application for a free account is required. Further, it is necessary to comply with the PageKite terms of service, register, and provide an (anonymous) e-mail address.

Besides this entry, there is no documentation for pairing PageKite with Whonix. However, it is relatively simple to use and their service is well documented; see Running PageKite over Tor and the footnotes. [2]

Anonymous Third Party Hosts

There are many so-called offshore or anonymous hosting companies. Most of these hosting companies do not really offer anonymity because they usually require valid registration data (real name etc.), forbid registration over Tor and/or do not offer anonymous payment methods.

The ones listed in the following list are Tor user-friendly, accept anonymous registration and can be paid anonymously with Bitcoin or prepaid cards. (List deprecated.) Also note:

  • There are some free .onion web hosting services, as well as paid ones.
  • Anonymous VPS servers also exist, but none are free; this necessitates use of anonymous money.

Comparison Table

Table: Hosting Configuration Comparison

| | Tor Onion Services | VPN with Remote Port Forwarding | PageKite | .onion Webspace | Anonymous Third Party Hosts |
|---|---|---|---|---|---|
| Accessible over clearnet http(s) | tor2web only | Yes | Yes | tor2web only | Yes [3] |
| Accessible over Tor .onion | Yes | No | No | Yes | Yes, if Tor is installed. |
| Attack against server software (lighttpd, etc.) | Fail [4] | Fail [4] | Fail [4] | Safe [5] | Safe [5] |
| Attack against Tor (onion services) | Fail [4] | Fail [4] | Fail [4] | Safe [5] | Safe [5] |
| Clearnet domain censor resistance | Depends on tor2web legislation. | Depends on domain registrar legislation. | When using PageKite domain: Depends on PageKite legislation. When using own domain [6]: Depends on domain registrar legislation. | Depends on tor2web legislation. | Depends on Anonymous Third Party Hosts legislation. |
| No anonymous money required | Yes | No (?) | Depends | Depends | No |
| No need to register | Yes | No | No | No | No |
| .onion domain censor resistance | Highest | There is no .onion domain. | There is no .onion domain. | Depends on .onion webspace host. [7] | Depends on Anonymous Third Party Hosts. [7] |
| Online, when you are offline | No, only online as long as your server is online. | No, only online as long as your server is online. | No, only online as long as your server is online. | Yes [8] | Yes [8] |
| Price | Free | Paid only (?) | Depends | Some are free | Paid only |
| Server administrator cannot take away the clearnet domain | No, tor2web can. [9] | Yes | Depends. Domain by PageKite: No [9]. Own domain: Yes. | No, tor2web can. [9] | No [9] |
| Server administrator cannot take away the .onion domain | Yes, you are the administrator. | There is no .onion domain. | There is no .onion domain. | No, they must have private keys for .onion domain to make the service work. | No |
| Services other than web | Yes | Yes | Yes | No | Yes |
| Further reading | Tor Onion Services | - | PageKite | - | - |

Conclusion

Based on the preceding overview and comparison table, each method of running location hidden servers has both advantages and disadvantages.

Tor onion services provide the greatest number of advantages. It is unnecessary to learn about and obtain anonymous money, which is a difficult endeavor on its own. Further, trust is not placed in third parties; you only need to rely on your own skills in setting up a server. Also nobody can censor the server, and there is no registration nor limiting terms of service.

On the downside, if an adversary compromises the onion service it is game over. This can occur via a successful attack against Tor onion services, the server software, and by breaking out of Whonix. Onion services are also only accessible over .onion (visitors need Tor) and tor2web is not indexed by search engines. Finally, Tor onion services are only online as long as the server is online.

In comparison, a free (or paid) .onion webspace host can steal the domain at any time and take it over. On the other hand, it is unnecessary to worry about server security and successful attacks against the Tor onion service will not lead to your location or IP address.

Finally, anonymous third party hosts for VPS hosting involve anonymous money, which is difficult on its own. However, they can provide clearnet domains and/or the service can be used to host Tor onion services. Also, there is no concern about server security and successful attacks against Tor onion services will not lead to your location or IP address.

References

  1. See Thirteen years of Tor Attacks for a description of flood and other attacks against Tor.
  2.
    • Instead of localhost it is possible to use the Whonix-Gateway IP 10.152.152.10 and a custom port such as 9159, that is replace "--torify=localhost:9050" with "--torify=10.152.152.10:9159".
    • Alternatively, the "--torify" switch can be dropped and the default PageKite GNU/Linux tutorial instructions followed, since misc traffic in Whonix-Workstation is automatically routed through Tor's TransPort.
    • See Stream Isolation for an explanation of misc traffic, custom Socks Ports, and Tor's TransPort in Whonix.
  3. Yes, if you buy a domain.
  4. Fail - it would deanonymize you.
  5. Safe - you are still anonymous. The domain may be lost.
  6. https://pagekite.net/wiki/Howto/CnamePageKites/
  7. The administrator can and will most likely see what users are doing on their server and decide accordingly.
  8. Besides server downtime, in which case you can do nothing but wait until the host has fixed it.
  9. They must do so, if they are forced by legislation or other reasons.
