I just discovered that Qubes already has their onion repo and it's working; better to use it than the HTTP one.
Edit by Patrick:
Related…
0brand
October 17, 2018, 2:13am
Hi @nurmagoz
Comments to use Qubes onion repositories were Patrick's idea. The commits were recently pushed to Qubes stable.
https://github.com/QubesOS/qubes-issues/issues/2623
And instructions added to the wiki.
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Onionizing_Repositories
However, Whonix/Tor is not used by all Qubes users. Maybe a small subset of users, and any patches would have to be approved by Qubes devs. Unfortunately I don’t think that is likely to happen.
Just enabling it by default, that's enough from our side.
We could enable the Qubes onion by default in Qubes-Whonix only. Not too easy, since the file is owned by Qubes, not Whonix. So whonix-repository would need some if/else for Qubes and add the onion.
But not exclusively onion sources by default. That is another ticket:
use onion sources list exclusively for apt-get updating by default
https://phabricator.whonix.org/T812
0brand
October 18, 2018, 1:40am
Hi zerop
zerop:
Sorry, I don’t know how to PM, but when you have time, could you check out my Qubes-Whonix issue?
The Whonix forum does not have PM enabled.
Also please don’t cross post asking Whonix developers for help. If someone has an answer to your question they will let you know. Please be patient.
Another reason to keep only onion and/or https repos active:
opened 08:04PM - 21 Oct 18 UTC
closed 10:08AM - 17 Feb 20 UTC
T: enhancement
C: Debian/Ubuntu
### Qubes OS version:
Qubes 4
### Affected component(s):
Repositories with HTTP
---
### Steps to reproduce the behavior:
Welcome to the Middle East.
### Expected behavior:
To update/upgrade without interference from the ISP.
### Actual horror behavior:
I have discovered that Etisalat's (ISP of the UAE, which also has a branch in Egypt) name popped up in the middle of the `apt upgrade` inside Debian.
```
user@user:~$ sudo apt update && sudo apt dist-upgrade && sudo apt autoremove --purge
Hit:1 https://deb.i2p2.de stretch InRelease
Ign:2 https://cdn-aws.deb.debian.org/debian stretch InRelease
Hit:3 https://cdn-aws.deb.debian.org/debian stretch-backports InRelease
Hit:4 https://cdn-aws.deb.debian.org/debian stretch Release
Get:6 https://onlineservices.etisalat.ae/scp/open/osdpages/billPayment.jsp?internetusername=etisalat&ref=http://security.debian.org stretch/updates InRelease [6,505 B]
Err:6 https://onlineservices.etisalat.ae/scp/open/osdpages/billPayment.jsp?internetusername=etisalat&ref=http://security.debian.org stretch/updates InRelease
Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Get:7 https://onlineservices.etisalat.ae/scp/open/osdpages/billPayment.jsp?internetusername=etisalat&ref=http://deb.qubes-os.org/r4.0/vm stretch InRelease [6,505 B]
Err:7 https://onlineservices.etisalat.ae/scp/open/osdpages/billPayment.jsp?internetusername=etisalat&ref=http://deb.qubes-os.org/r4.0/vm stretch InRelease
Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Fetched 13.0 kB in 10s (1,198 B/s)
Reading package lists... Done
E: Failed to fetch http://security.debian.org/dists/stretch/updates/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: Failed to fetch http://deb.qubes-os.org/r4.0/vm/dists/stretch/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: Some index files failed to download. They have been ignored, or old ones used instead.
```
As we see, all HTTPS requests went through except the Qubes and Debian security repos, which have an issue with their SSL or port configuration (that's why I'm using the default Debian HTTP repo):
```
user@user:~$ sudo apt update
Err:1 https://security.debian.org stretch/updates InRelease
Failed to connect to security.debian.org port 443: Connection refused
W: Failed to fetch https://security.debian.org/dists/stretch/updates/InRelease Failed to connect to security.debian.org port 443: Connection refused
W: Some index files failed to download. They have been ignored, or old ones used instead.
user@user:~$
```
The way that Etisalat did the attack:
There is a payment page which is pushed by Etisalat, affecting only the HTTP requests.
The HTTP URL used to manipulate the Firefox connection:
`https://onlineservices.etisalat.ae/scp/open/osdpages/billPayment.jsp?internetusername=etisalat&ref=http://detectportal.firefox.com/success.txt`
The page will show something like this if you request any HTTP website through Firefox:
![etisalat2](https://user-images.githubusercontent.com/11895339/47271074-31938f00-d564-11e8-991d-b5d2b2263bbd.png)
Luckily I used ooni-probe to detect whether there was network tampering (HTTP manipulation), and yep, there was:
```
0.17s Runtime
Location: ZZ (AS0)
Evidence of possible network tampering
When contacting our control servers we noticed that network traffic was manipulated. This means that there could be a “middle box” which could be responsible for censorship and/or traffic manipulation.
Technical measurement data
* annotations:{} 4 keys
  * engine_name:"libmeasurement_kit"
  * engine_version:"0.8.3"
  * engine_version_full:"v0.8.3"
  * platform:"ios"
* data_format_version:"0.2.0"
* id:"04cdfb30-8f78-4ac4-8bb1-77ee33dbdd1b"
* input:null
* input_hashes:[] 0 items
* measurement_start_time:"2018-10-21 00:00:00"
* options:[] 0 items
* probe_asn:"AS0"
* probe_cc:"ZZ"
* probe_city:null
* probe_ip:"127.0.0.1"
* report_id:"20181021T080301Z_AS0_Zc73b7lwkHuJwB2x1FOcp6Pf9HLXzPDX34IcrQ1lbD2NyajFNx"
* software_name:"ooniprobe-ios"
* software_version:"1.3.2"
* test_helpers:{} 1 key
  * backend:"http://37.218.247.95:80"
* test_keys:{} 6 keys
  * agent:"agent"
  * client_resolver:"31.171.251.118"
  * failure:null
  * requests:[] 1 item
    * 0:{} 3 keys
      * failure:null
      * request:{} 5 keys
      * response:{} 4 keys
  * socksproxy:null
  * tampering:{} 4 keys
    * header_field_name:null
    * header_name_diff:null
    * request_line_capitalization:true
    * total:true
* test_name:"http_header_field_manipulation"
* test_runtime:0.171327114105225
* test_start_time:"2018-10-21 00:00:00"
* test_version:"0.0.1"
```
### What we learn from this:
We need to use only HTTPS or onion (or anything better, if there is an alternative) for all the repos inside Qubes OS, from the Qubes repos to Fedora to Debian, etc.
(Whonix HTTP repo included.)
For Debian security over HTTPS we can use:
```
deb https://deb.debian.org/debian-security stretch/updates main
```
The Qubes onion has this issue:
https://github.com/QubesOS/qubes-issues/issues/2604#issuecomment-330423579
Though it's possible to make the deb.qubes repo go through HTTPS:
```
deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm stretch main
```
Edit: we can allow the onion Qubes repo inside Whonix, but Qubes itself might use only HTTPS (which is still better than HTTP).
@Patrick shall I ticket this to Phabricator, or no need?
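Two checks that follow from the issue report and the sources.list suggestions above, as an added example (not code from the thread or from Qubes/Whonix): classify each `deb` line by whether its transport is plaintext, and flag apt fetch lines whose host is not one of the configured mirrors, recovering the intercepted mirror from the `ref=` query parameter the billing page carried. The `.onion` address in the sample is a placeholder.

```python
"""Audit APT transport security (added example, not code from the thread)."""
import re
from urllib.parse import parse_qs, urlparse

SOURCE_RE = re.compile(r"^\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(\S+)\s+\S+\s+\S")
FETCH_RE = re.compile(r"^(?:Get|Hit|Ign|Err):\d+\s+(\S+)\s", re.M)

# Constructed sample sources.list; the .onion address is a placeholder, not a real one.
SAMPLE_SOURCES = """\
deb https://deb.debian.org/debian-security stretch/updates main
deb http://security.debian.org/ stretch/updates main
deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm stretch main
deb tor+http://EXAMPLE-PLACEHOLDER.onion/r4.0/vm stretch main
"""
# Two fetch lines as quoted from the apt output in the issue above.
SAMPLE_LOG = """\
Get:6 https://onlineservices.etisalat.ae/scp/open/osdpages/billPayment.jsp?internetusername=etisalat&ref=http://security.debian.org stretch/updates InRelease [6,505 B]
Err:7 https://onlineservices.etisalat.ae/scp/open/osdpages/billPayment.jsp?internetusername=etisalat&ref=http://deb.qubes-os.org/r4.0/vm stretch InRelease
"""

def classify_source(line):
    """Return (url, verdict) for one 'deb' line, or None for comments and blanks."""
    m = SOURCE_RE.match(line)
    if not m:
        return None
    url = m.group(1)
    u = urlparse(url)
    if (u.hostname or "").lower().endswith(".onion"):
        verdict = "ok: onion (authenticated end-to-end inside Tor)"
    elif u.scheme == "https":
        verdict = "ok: https"
    else:  # http, or tor+http to a clearnet host: plaintext somewhere on the path
        verdict = "WEAK: %s is plaintext, a middlebox can rewrite or redirect it" % u.scheme
    return url, verdict

def configured_hosts(sources):
    """Hostnames of every mirror named in a sources.list text."""
    return {(urlparse(c[0]).hostname or "").lower()
            for c in map(classify_source, sources.splitlines()) if c}

def audit_fetch_log(log, hosts):
    """Sorted unique (fetched_host, mirror named in 'ref=' or '?') pairs for off-mirror fetches."""
    findings = set()
    for m in FETCH_RE.finditer(log):
        u = urlparse(m.group(1))
        host = (u.hostname or "").lower()
        if host not in hosts:
            ref = parse_qs(u.query).get("ref", [""])[0]
            findings.add((host, urlparse(ref).hostname or "?"))
    return sorted(findings)
```

Run against the samples, `audit_fetch_log` reports both intercepted mirrors behind `onlineservices.etisalat.ae`, while `classify_source` marks the two `http://` lines WEAK and the https and onion lines ok.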
TNT BOM BOM:
For Debian security over HTTPS we can use:
```
deb https://deb.debian.org/debian-security stretch/updates main
```
Made a note here:
https://phabricator.whonix.org/T721