Debian and Tor Services available as Onion Services | The Tor Project
We, the Debian project and the Tor project are enabling Tor onion services for several of our sites. These sites can now be reached without leaving the Tor network, providing a new option for securely connecting to resources provided by Debian and Tor.
The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.
While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.
For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/ using a Tor-enabled browser such as the TorBrowser, they can be certain that their connection to the Debian website cannot be read or modified by third parties, and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certificate authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.
In addition to the Tor and Debian websites, the Debian FTP and the Debian Security archives are available from .onion addresses, enabling Debian users to update their systems using only Tor connections. With the apt-transport-tor package installed, the following three lines can replace the normal debian mirror entries in the apt configuration file (/etc/apt/sources.list):
deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
Likewise, Tor’s Debian package repository is available from an onion service :
deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
Now, my question. Since:
1. Whonix GW and Whonix WS templates show we have the apt-transport-https package installed:
dpkg --get-selections | grep apt
apt-transport-tor install
AND
2. /etc/apt/sources.list.d/debian.list shows:
deb http://security.debian.org jessie/updates main contrib non-free
deb http://ftp.us.debian.org/debian jessie main contrib non-free
Can we simply (and safely) replace the following onion addresses in both templates under a new user.list file as follows?
deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
I assume Whonix 14 will update the apt and other sources lists automatically to available .onion addresses so we can benefit from this major security improvement?
Man-in-the-middle attacks are common when using Whonix, as the documentation notes in various places.