Onion-routing for The Free Software Foundation Europe #60
Comments
Kreyren
changed the title
Kreyren
changed the title
|
+1 for alecmuffett's EOTK which (IIRC) can handle all the hairy rewrites where something is served from the .onion but has a href for the clearnet site etc. I've had a quick look at the source of e.g. https://fsfe.org/ and the URLS look to be relative so you don't need to run TLS on the .onion as you can have you https clearnet site serve an If your Tor daemon and httpd are not on the same host then this approach cannot be recommended without additional transport security between the nodes (e.g. assumptions made around secure cookies and the equivalence of HTTPS/.onion). FWIW When I last purchased a .onion EV it was only about £250-£300 from Digicert (by way of the now defunct CertSimple) but this is still quite a chunk of cash. How many webservers are involved in running the current websites? Can they run the Tor daemon locally? |
Can you eleborate on the implementation using EOTK? I was discussing the implementation with alec, but it seems that he's currently busy and unable to answer. FWIW the websites seems to be explicitly using relative links so there shoudn't be any references to the domains with exception for the gitea instance https://git.fsfe.org that currently requires nginx changing the links in https://git.dotya.ml (where i was helping with implementation). Hoping for a more maintainable way to manage it here. O.o
The websites are managed by team "System-Hackers" (https://git.fsfe.org/fsfe-system-hackers) who didn't made a decision on the implementation yet, but i understood that they want everything running in a jail (e.g. chroot) or in a VM. So i think it's a sane to implement these in this spirit e.g. my current effort https://git.fsfe.org/kreyren/fsfe-planet/src/branch/onionz/docker-compose.yml.
Yep, but still it's not very economical for non-profit foundation and i want to keep the cost low ideally.
List of websites is provided in OP where it's a lot of services where system efficiency and security is a concern. FWIW i've requested more information from system hackers they are expected to provide more info shortly. |
|
Effort to implement this in the webserver tracked in https://git.fsfe.org/fsfe-system-hackers/webserver-bunsen/pulls/7, currently waiting for decision from system hackers. |
|
Proposals to adapt apache server in bunsen to provide an onion service by stripping TLS over onions appreciated. Came up with http://ix.io/2MY9 so far, but i lack the research atm. |
|
|
Implemented |
On the web meet-up at 19/01/2021 18:00~21:00 CET the web team agreed 5/0 to support onion-routing for The Free Software Foundation Europe's websites.
The support is now being forwarded to the system hackers team that will take care of the implementation where this issue hopes to make the implementation easier for them.
The onion-routing is currently expected for the following websites:
Note the maintenance overhead and efficiency of the implementation is a concern.
(D)DoS is a concern - The services are generally static websites to they can handle large (D)DoS attacks, but that doesn't apply to gitea that was taken down this way recently.
We want to provide both clearweb and onion services.
The websites are using Let's Encrypt TLS certificate.
HTTP header
onion-locationTor Browser Bundle (TBB) will (depending on the user configuration) show a button
Or redirects automatically when the websites provides an onion service.
Configurable in TBB's
about:preferences#privacyusing:Relevant: https://tb-manual.torproject.org/onion-services/
Load balancing (Help-wanted)
Current requirement by system hackers.
Onion-balance https://gitlab.torproject.org/asn/onionbalance?
FSFE webserver
This is the FSFE webserver used to serve the websites https://git.fsfe.org/fsfe-system-hackers/webserver-bunsen
1. Issue - Certificate
Since the clearweb is providing a certificate this is a concern for the onion service which currently seems to require a payment of 2000 USD/year for EV certificate on onion top-level domains.
NOTE: The clearweb version depends on encryption for security and privacy reasons.
Why do we need Extended Validation Certificate?
FIXME
Solution 1: EOTK wizardry? (alecmuffett/eotk#86)
(BEST) Solution 2: Reverse proxy such as apache, nginx, openbsd's relayd to strip the TLS?
This is assuming following configuration of the FSFE servers:
Where the fsfe.org seems to be using Apache based on https://fsfe.org/contribute/web that should be painless to implement.
References:
Solution 3: Same Origin Onion Certificate (SOOC) https://github.com/alecmuffett/onion-dv-certificate-proposal/blob/master/text/draft-muffett-same-origin-onion-certificates.basic.md
This solution is in works and not yet implemented.
Solution 4: Buy EV certificate for onion top-level domain
Not an option as it's not economical for non-profit organization (seems to cost 650~2000 USD/year?)
Relevant: letsencrypt/boulder#4620
<More options appreciated!>
2. Issue - Denial of Service over Onion
TBD
Reference: https://blog.torproject.org/stop-the-onion-denial
The importance of non-anonymous service
We want the onion-service accesible by public so it should be set as non-anonymous one-hop service, see https://support.torproject.org/glossary/single-onion-service/
Rationale to implement onion-routing
community/community#2843
Example configuration
Propublica: https://gist.github.com/mtigas/9a7425dfdacda15790b2 (nginx)
Sanity-checking
There is a tool called onionscan that will process the website to look for issues https://onionscan.org/
RECOMMENDATION: Implement as Quality Assurance
Relevants
The text was updated successfully, but these errors were encountered: