Introduce support for Single Onion Service #1801

Open
fpietrosanti opened this issue Oct 30, 2016 · 5 comments
@fpietrosanti (Collaborator) commented Oct 30, 2016

Tor is now supporting Single Onion Service as a way to enable:
a. Secure transport using OR protocol in place of TLS
b. Denial of Service Resiliency
c. Much better performance in terms of reachability, latency and throughput

but without the "Location Anonymity" of commonly known "Tor Hidden Services".

Ref: https://lists.torproject.org/pipermail/tor-dev/2016-October/011541.html

This ticket is to introduce support in GlobaLeaks for Single Onion Service as a configuration setting, enabling the Onion Service as a default transport along with HTTPS.

With this ticket the proposal is to have Single Onion Service by default, giving the option to increase the security by enabling "Location Anonymity" from the web interface (and in the wizard) as a specific security improvement.

@evilaliv3 (Member) commented Oct 31, 2016

Finally!

As per the changelog, this is now included in the Tor alpha version for 0.2.9 (https://blog.torproject.org/blog/tor-0293-alpha-released-important-fixes). The two settings to be applied are:

HiddenServiceSingleHopMode 1
HiddenServiceNonAnonymousMode 1

@meejah would this configuration be doable with txtorcon by using the TCPHiddenServiceEndpoint of version 0.14.2? We could use only this version because it is the only one included in Ubuntu Xenial / Debian Stretch.
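
An added example, not part of the thread and not GlobaLeaks or txtorcon code: a small torrc lint that reports whether a Tor instance is configured as a Single Onion Service (no location anonymity) and whether the two settings above are consistent. It assumes the tor manual's requirements that both options are set together and that client-side ports (SocksPort, which defaults to 9050, plus TransPort, NATDPort, DNSPort) are disabled in non-anonymous mode; the function names and sample torrc are constructed for illustration.

```python
# Added example: classify a torrc as anonymous / single-onion / invalid.
CLIENT_PORTS = ("socksport", "transport", "natdport", "dnsport")
MODE_OPTS = ("hiddenservicesinglehopmode", "hiddenservicenonanonymousmode")


def parse_torrc(text):
    """Return {lowercased option: [values]}; torrc option names are case-insensitive."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts


def onion_mode(text):
    """Return (mode, problems) where mode is 'anonymous', 'single-onion' or 'invalid'."""
    opts = parse_torrc(text)
    # Both options default to 0; the last occurrence of each wins.
    single_hop, non_anon = (opts.get(k, ["0"])[-1] == "1" for k in MODE_OPTS)
    if not single_hop and not non_anon:
        return "anonymous", []
    problems = []
    if single_hop != non_anon:
        problems.append("HiddenServiceSingleHopMode and "
                        "HiddenServiceNonAnonymousMode must be set together")
    # Assumption from the tor manual: non-anonymous mode needs every client-side
    # port off. SocksPort is on by default, so it must be disabled explicitly.
    for port in CLIENT_PORTS:
        default = ["9050"] if port == "socksport" else ["0"]
        values = opts.get(port, default)
        if any((v.split() or [""])[0] != "0" for v in values):
            problems.append(port + " must be 0 in non-anonymous mode")
    return ("invalid" if problems else "single-onion"), problems


if __name__ == "__main__":
    # Constructed sample: the two settings from the comment above, plus SocksPort 0.
    sample = """\
HiddenServiceSingleHopMode 1
HiddenServiceNonAnonymousMode 1
SocksPort 0
"""
    print(onion_mode(sample))
```
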

@fpietrosanti (Collaborator, Author) commented Oct 31, 2016

IMHO the relevant point is to include by default Tor onion service transport because of the security/encryption property of OR protocol, making the "location anonymity" property an extended feature that an admin may wish to enable in an opt-in way.

Thinking generally that if we re-work a bit / communicate in a different way the different functionalities provided by Tor in a "security oriented" rather than an "anonymity oriented" way, it could be easier to push it as a standard technology also in institutional/enterprise environments.

@evilaliv3 (Member) commented Oct 31, 2016

I agree.

This could be communicated in the wizard with some presets guiding the user on the differences.

@meejah commented Oct 31, 2016

You can't include arbitrary options in the endpoint-strings, but you can change any valid Tor option via a TorConfig instance either after the fact or before you call .listen on the endpoint.

If you're using TCPHiddenServiceEndpoint.global_tor(...) then you can get the corresponding config object (either before or after you've made the endpoint) via .get_global_tor() and then change any config options and call .save(). "Global" in this case means to the Python process.

@meejah commented Oct 31, 2016

p.s. if you're using serverFromString("onion:...") you're using global_tor under the hood
