Should we use HiddenServiceSingleHopMode 1 for whonix.org server?
Reasons:
- whonix.org server IP is public known since whonix.org is a clearnet domain, so there is no IP for our onion to be hidden
- we are going to change apt sources to onions only by default - https://phabricator.whonix.org/T72
Advantages:
- make apt-get whonix.org onion updates faster
- make apt-get whonix.org onion updates more reliable
Disadvantages:
- According to the below excerpt from the Tor manual, this can never be undone. So if we later want to keep the onion domain and hide the IP for anti-DDoS reasons it wouldn't work and we'd have to generate a new onion.
- Less used than regular hidden services, so there might be exclusive bugs.
- Anything else?
source: https://www.torproject.org/docs/tor-manual.html.en
HiddenServiceSingleHopMode 0|1
Experimental - Non Anonymous Hidden Services on a tor instance in HiddenServiceSingleHopMode make one-hop (direct) circuits between the onion service server, and the introduction and rendezvous points. (Onion service descriptors are still posted using 3-hop paths, to avoid onion service directories blocking the service.) This option makes every hidden service instance hosted by a tor instance a Single Onion Service. One-hop circuits make Single Onion servers easily locatable, but clients remain location-anonymous. However, the fact that a client is accessing a Single Onion rather than a Hidden Service may be statistically distinguishable.
WARNING: Once a hidden service directory has been used by a tor instance in HiddenServiceSingleHopMode, it can NEVER be used again for a hidden service. It is best practice to create a new hidden service directory, key, and address for each new Single Onion Service and Hidden Service. It is not possible to run Single Onion Services and Hidden Services from the same tor instance: they should be run on different servers with different IP addresses.
HiddenServiceSingleHopMode requires HiddenServiceNonAnonymousMode to be set to 1. Since a Single Onion service is non-anonymous, you can not configure a SOCKSPort on a tor instance that is running in HiddenServiceSingleHopMode. Can not be changed while tor is running. (Default: 0)
HiddenServiceNonAnonymousMode 0|1
Makes hidden services non-anonymous on this tor instance. Allows the non-anonymous HiddenServiceSingleHopMode. Enables direct connections in the server-side hidden service protocol. If you are using this option, you need to disable all client-side services on your Tor instance, including setting SOCKSPort to â0â. Can not be changed while tor is running. (Default: 0)