If you decide to use Python and pyopenssl, the code to pin the self-signed Tor certificate can be reused from this file in Micah's Torbrowser Launcher.
Look under class VerifyTorProjectCert(ClientContextFactory); it tells pyopenssl what to do. The launcher is based on the Twisted client and other parts of it.
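As an added illustration of the pinning idea discussed here (not the launcher's own code, which uses pyopenssl and Twisted), the following standard-library Python checks a mirror's self-signed certificate against a pinned SHA-256 fingerprint instead of relying on CA validation. It assumes the connection is already routed through Tor (as on Whonix-Workstation); elsewhere the plain socket would have to be replaced with a SOCKS connection to the Tor port, and the pin value below is a constructed placeholder.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder: replace with the SHA-256 of the mirror's DER certificate,
# obtained out of band (e.g. published by the mirror operator), never from the first connection.
PINNED_SHA256 = "00" * 32


def cert_fingerprint(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare the presented certificate to the pin, accepting OpenSSL-style 'AA:BB:..' pins."""
    expected = pinned.lower().replace(":", "")
    # Constant-time comparison, so the check does not leak how many bytes matched.
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_pinned(host: str, port: int = 443, pinned: str = PINNED_SHA256, timeout: float = 30.0):
    """Open a TLS connection and accept it only if the server cert matches the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A self-signed certificate can never pass chain validation, so the pin is the
    # sole trust anchor; hostname matching is meaningless for the same reason.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    presented = tls.getpeercert(binary_form=True)
    if not pin_matches(presented, pinned):
        tls.close()
        # Fail closed: a pin mismatch means a changed cert or an interception attempt.
        raise ssl.SSLError(
            "certificate pin mismatch for %s: got %s" % (host, cert_fingerprint(presented))
        )
    return tls
```

Note that a pin has to be rotated by hand whenever the mirror's certificate changes, which is the main operational quirk of this approach.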
Each time Tor changes circuit, chances are good that another Tor exit will be used. So each time apt-get runs, chances are good that another Tor exit will be used.
(How often does Tor change circuits? -> Tor defaults as per original Tor Debian package.)
[quote=“mitm, post:22, topic:855”]It's up to you if you want to look at the idea in this ticket. Comment 14. I see other nice side effects. https://labs.riseup.net/code/issues/8143[/quote]
Onion would be worthwhile. apt-transport-https not so much.
If there are a few stable ones that won’t go down anytime soon, yes.
Please post them in this thread:
On a tangent, thepiratebay has a hidden service for time source.
Please post them in this thread:
https://www.whonix.org/forum/index.php/topic,943.0.html
the self-signed Tor certificate can be reused from this file in Micah's Torbrowser Launcher.
That might not work that well, see:
https://www.whonix.org/wiki/Dev/SSL_Certificate_Pinning#Defaults_Discussion
Look under [b]class VerifyTorProjectCert(ClientContextFactory)[/b]; it tells pyopenssl what to do. The launcher is based on the Twisted client and other parts of it.
This is a good idea, created a ticket for this:
https://phabricator.whonix.org/T146
Hans-Christoph is making a push for mirror hosts to run hidden sites. He is running a mirror on his home connection to encourage others. Thomas White also hosts a number of mirrors and is well connected with many hosting companies that run Tor exits. Between them we can find a solution for a stable and reliable hidden Debian mirror. I’m thinking of writing a proposal that you can show them to explain why we need this.
Hi. We would like to know if you can arrange for hosting a hidden Debian mirror for access by Tails and Whonix systems. There are a number of advantages, such as reducing metadata leakage from apt-get and protection against security issues in APT which can be exploited when it is using http in the clear.
Apt-transport-https unfortunately doesn't cut it. Plain SSL is trivial to fingerprint, allowing a network observer to know what was downloaded and that the packages belong to the same system. Only very few https mirrors have self-signed certificates, which we would prefer, and that option has many quirks. Apt doesn't really work properly with https and complains randomly. Apt-cacher-ng doesn't work with the https transport either.
Running a hidden service mirror will be a measurable security and anonymity improvement over the current status quo. Please see what can be done and let us know.
In terms of bandwidth needs, Tails has an estimated 10,000 users while Whonix has 5,000.
Purely from that perspective:
Not sure that is a good argument, because hidden services cause more load to the Tor network. Traffic goes through 6 instead of 3 relays. Open question if saving the exit bandwidth is worth it.
Onion apt mirrors in general:
Onion apt mirrors sound good for experimenting. Would be good to have them available.
As default:
I worry that would work. Because, see:
As far as I know there is no way to load balance hidden services as it can be done with DNS round robin.
It would require multiple stable onion mirrors and randomly (default) or otherwise picking one. Similar to the whonix_repository tool (Whonix ™ APT Repository).
It doesn't need to be tied to Whonix or Tails, but it's more likely that both systems can readily take advantage of them because they are behind Tor. A regular Debian user has to manually point apt to use Tor and these mirror addresses.