download torbrowser via onion

No choice (general talk is closed), so I’m using the closest subforum. I still haven’t installed whonix[1].
Does anybody know how to download torbrowser via onion hidden service?
It used to be possible via:

torsocks curl http://rqef5a5mebgq46y5.onion/torbrowser [...] 

but there’s nothing there anymore.

I use vanguards, not for OR Tor, my Tor is not a relay or a server. I get 5-6 hops to internal or external destination. It’s way safer.
Because just three hops, the guard, the middle relay and exit node before the clear net… That’s not good enough.

This is important, not just for me.


[1]
I still haven’t installed whonix. See:
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/on-virsh-whonix-external-failed-to-apply-firewall-rules/9613
which issue I have actually solved, but…
But some more detailed understanding I want to gain, regarding libvirt, and iptables.
I really highly regard Whonix and I want it, but I am being very careful, I want to do it right.

Get it here: http://expyuzz4wqqyqhjn.onion/dist/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz

That would download torbrowser, sure. But with a redirection.
Luckily, I did not click it. No way. I used:

torsocks curl

with that link as arg.
And it was “302 Found” redirection to clearnet usual address… Which means… I’m not going to say what it means…

Let me try to see if I can post clearly what I got with curl, it’s HTML tags, so I probably need to convert the greater than and less than chars to HTML entities…

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://dist.torproject.org/torbrowser/95.4/tor-browser-linux64-9.5.4_en-US.tar.xz">here</a>.</p>
<hr>
<address>Apache Server at expyuzz4wqqyqhjn.onion Port 80</address>
</body></html>

Yup! Clicking on that link gives you this same link clickable above.
Creators of hidden services do not want to use hidden services… No, they want that whoever downloads TorBrowser, goes through no more than three hops. Full stop.

Pls. see over here if you haven’t yet:
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/on-virsh-whonix-external-failed-to-apply-firewall-rules/9613/12
about malicious relays, and figure out how anonymous you might or might not really be, dear reader.

Yes, I see there is a brief redirect with that onion link.

Related:

Tor Browser Downloader by Whonix ™

man update-torbrowser

It has a feature to download over onion.

update-torbrowser --onion

curl --head http://expyuzz4wqqyqhjn.onion/dist/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz

HTTP/1.1 302 Found
Date: Wed, 02 Sep 2020 09:43:47 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-Xss-Protection: 1
Referrer-Policy: no-referrer
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';
Location: https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz
Cache-Control: max-age=3600
Expires: Wed, 02 Sep 2020 10:43:47 GMT
Content-Type: text/html; charset=iso-8859-1

http://expyuzz4wqqyqhjn.onion/dist/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz redirects to https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz.

This is an issue indeed. But Whonix isn’t the cause of this issue. The Whonix project controls whonix.org. But the Whonix project does not control torproject.org / Tor Project onion. What happens with Tor Project server is entirely up to The Tor Project.

Therefore as per Self Support First Policy for Whonix the appropriate point of contact is The Tor Project (TPO). Please check if this bug has already been reported to TPO and if not please submit a bug report and leave a link here since this is interesting for Whonix too.

vanguards is enabled by default in Whonix. See:

Also please 1 topic = 1 forum thread. Not productive to mix vanguards with download of Tor Browser over onion.

Inside Whonix you won’t even need torsocks. That is automatically the case. See package uwt and Stream Isolation
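The redirect discussed in this thread can be detected from the response headers alone, without following it. The script below is an added example, not part of any post here and not code from Whonix's update-torbrowser; the function names are hypothetical, and the sample headers are a subset of the `curl --head` output quoted above.

```shell
#!/usr/bin/env bash
# Added example: decide whether a redirect from an onion URL leaves onion space.

SAMPLE_URL='http://expyuzz4wqqyqhjn.onion/dist/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz'

# Sample input: subset of the response headers quoted in the thread.
sample_headers() {
cat <<'EOF'
HTTP/1.1 302 Found
Server: Apache
Location: https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz
Content-Type: text/html; charset=iso-8859-1
EOF
}

# url_host URL: print the lowercase host, without scheme, userinfo, port or path.
url_host() {
    local u="${1#*://}"
    u="${u%%[/?]*}"; u="${u##*@}"; u="${u%%:*}"
    printf '%s\n' "$u" | tr 'A-Z' 'a-z'
}

# redirect_target: read raw headers on stdin, print the first Location value.
redirect_target() {
    tr -d '\r' | awk '{ i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == "location") {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# check_onion_redirect REQUEST_URL < headers
# Prints a verdict; returns 1 only when the redirect points outside .onion.
check_onion_redirect() {
    local req_host loc loc_host
    req_host=$(url_host "$1")
    loc=$(redirect_target)
    [ -n "$loc" ] || { echo "no-redirect"; return 0; }
    case "$loc" in /*) echo "same-host"; return 0 ;; esac  # relative redirect
    loc_host=$(url_host "$loc")
    case "$loc_host" in
        "$req_host") echo "same-host"; return 0 ;;
        *.onion)     echo "other-onion $loc_host"; return 0 ;;
        *)           echo "leaves-onion $loc_host"; return 1 ;;
    esac
}

# Offline demo on the sample headers. Against a live server the input would be:
#   torsocks curl --silent --head "$url" | check_onion_redirect "$url"
sample_headers | check_onion_redirect "$SAMPLE_URL" || true
```
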

I can’t find it with apt-cache, and it is not in:
https://packages.debian.org/bullseye/amd64/uwt
But will remember to look it up once I will be running Whonix.

Absolutely so. And no shadow is cast on Whonix because of that. I only complained about the fishy state of affairs there.

I see @torjunkie replied. I read your post where you link to Wikileaks for Amazon locations. Great! And sorry for digressing. I just often find good reads on Whonix web pages.

I really respect your work, guys.
Allow more time to such a slow adopter that I am!

I’m sorry. But no, it’s what is suspicious, of course, not on Whonix, but on… Well I said it in the post.

Closing this talk on that one threat, not two threats really, because for non-server Tor as well, Vanguards makes the hops 4, 5 even 6 or 7.

And it is fixed, stinking fixed, fishily fixed on 3 hops only if no Vanguards, and nothing like Vanguards can be deployed on Tor connections to clearnet. So…

But now really no more on that, from me.

Thanks again.

Alright. 🙂

Also on search engines under “uwt whonix”.

Found this thread via search after I noticed that Tor Browser in my whonix-ws template was no longer getting updated via update-torbrowser with the message: http://rqef5a5mebgq46y5.onion could not be reached. Just to confirm, recommended workaround is simply to drop --onion, right?


That’s the only available workaround that I know, yes.


Now possible:

update-torbrowser --onion

See also:
