Tickets

If you decide to use python and pyopenssl the code to pin the self signed Tor certificate can be reused from this file in Micah’s Torbrowser Launcher.

Look under class VerifyTorProjectCert(ClientContextFactory) it tells pyopenssl what to do. The launcher is based on twisted client and other parts of it.

Its up to you if you want to look at the idea in this ticket. Comment 14. I see other nice side effects.
https://labs.riseup.net/code/issues/8143

Whonix’s default mirror could be a hidden service giving the best protection for updates.

Debian hidden mirror or mirrors can be used for secure time sync.

On a tangent, thepiratebay has a hidden service for time source.

The hidden mirror operators are the guardian project.
https://lists.mayfirst.org/pipermail/guardian-dev/2014-July/003647.html

At the moment, Tails runs a macine’s updates through different circuits and exits to make finger printing harder. Does whonix do the same?

The hidden mirror operators are the guardian project. https://lists.mayfirst.org/pipermail/guardian-dev/2014-July/003647.html

Good for experimenting, but not an option for now, because quote.

It is hosted on my home connection, so be gentle.

See also,
[Whonix-devel] Acquire::socks::proxy does not exist?:
https://www.whonix.org/pipermail/whonix-devel/2015-February/000299.html

At the moment, Tails runs a macine's updates through different circuits and exits to make finger printing harder. Does whonix do the same?
You mean https://www.whonix.org/wiki/Stream_Isolation ?

Yes stream isolation. Does a single exit see all the updates of a machine or is it split across many?

I hope Debian decides to run a hidden mirror in the future. Its a common sense step these days.

Each time Tor changes circuit, chances are good, that another Tor exit will be used. So for each time apt-get runs, chances are good, another Tor exit will be used.

(How often does Tor change circuits? → Tor defaults as per original Tor Debian package.)

Nothing good happens unless you do it.

[quote=“mitm, post:22, topic:855”]Its up to you if you want to look at the idea in this ticket. Comment 14. I see other nice side effects.
https://labs.riseup.net/code/issues/8143[/quote]
Onion would be worthwhile. apt-transport-https not so much.

If there are a few stable ones that won’t go down anytime soon, yes.

Please post them in this thread:

On a tangent, thepiratebay has a hidden service for time source.
Please post them in this thread: https://www.whonix.org/forum/index.php/topic,943.0.html
the self signed Tor certificate can be reused from this file in Micah's Torbrowser Launcher.
That might not work that well, see: https://www.whonix.org/wiki/Dev/SSL_Certificate_Pinning#Defaults_Discussion
Look under [b]class VerifyTorProjectCert(ClientContextFactory)[/b] it tells pyopenssl what to do. The launcher is based on twisted client and other parts of it.
This is a good idea, created a ticket for this: https://phabricator.whonix.org/T146

Can you also do the code?

Good suggestions. Thanks. Keep it coming.

Hans-Christoph is making a push for mirror hosts to run hidden sites. He is running a mirror on his home connection to encourage others. Thomas White also hosts a number of mirrors and is well connected with many hosting companies that run Tor exits. Between them we can find a solution for a stable and reliable hidden Debian mirror. I’m thinking of writing a proposal that you can show them to explain why we need this.

Hi. We would like to know if you can arrange for hosting a hidden Debian mirror for access by Tails and Whonix systems. There are a number of advantages Such as reducing metadata leakage from apt-get and protection against security issues in APT which can be exploited when its using http in the clear.

Apt-transport-https unfortunately doesn’t cut it. Plain SSL is trivial to fingerprint allowing a network observer to know what was downloaded and that the packages belong to the same system. Only very few of https mirrors have self signed certificates which we would prefer, and that option has many quirks. Apt doesn’t really work properly with https and complains randomly. Apt-cacher-ng doesn’t work with the https transport too.

Running a hidden service mirror will be a measurable security and anonymity improvement over the current status quo. Please see what can be done and let us know.

In terms of bandwidth needs, Tails has an estimated 10,000 users while Whonix has 5,000.

Less exit bandwidth taken by updates is a good side effect I forgot to mention in the proposal

What do you think of pushing Whonix News notifications only through hidden mirrors? Making it more resilient to takedowns.

Can you publish a mirror lost on your download page as well please?

What do you think of pushing Whonix News notifications only through hidden mirrors? Making it more resilient to takedowns.
It's TODO: https://phabricator.whonix.org/T114 https://www.whonix.org/wiki/Dev/Permanent_Takedown_Attack_Defender
Can you publish a mirror lost on your download page as well please?
A mirror list?

Best there is at the moment:

dig mirror.whonix.de ANY +noall +answer

https://www.whonix.org/wiki/Dev/Mirrors

I don’t think I can keep or it’s worth keeping that current. All adds up to maintenance effort that cannot be spend on coding.

Also TODO,
SSL/TLS Mirrors:
https://phabricator.whonix.org/T145

Purely from that perspective:
Not sure that is a good argument, because hidden services cause more load to the Tor network. Traffic going through 6 instead of 3 relays. Open question if saving the exit bandwidth is worth.

Onion apt mirrors in general:
onion apt mirrors sounds good for experimenting. Would be good to have them available.

As default:
I worry that would work. Because, see:

As far I know there is no way to load balance hidden services as it can be done with DNS round robin.

It would require multiple stable onion mirrors and randomly (default) or otherwise picking one. Similar to whonix_repsitory tool (Whonix APT Repository).

Why does it need to be tied to Whonix and Tails?

It doesn’t need to be tied to Whonix or Tails but its more likely that both systems can readily take advantage of them because they are behind Tor. A regular Debian user has to manually point apt to use Tor and these mirror addresses.

As default may not be good until hidden mirrors catch on. Always preferring them over bright net mirrors as long as they are reachable.

[quote=“Patrick, post:24, topic:855”][quote]
The hidden mirror operators are the guardian project.
https://lists.mayfirst.org/pipermail/guardian-dev/2014-July/003647.html[/quote]

Good for experimenting, but not an option for now, because quote.

It is hosted on my home connection, so be gentle.

See also,
[Whonix-devel] Acquire::socks::proxy does not exist?:
https://www.whonix.org/pipermail/whonix-devel/2015-February/000299.html[/quote]
Answer:
https://www.whonix.org/pipermail/whonix-devel/2015-February/000300.html

The draft:

  • Perhaps good to reference the tails ticket by intrigeri?
  • “arrange for hosting a hidden Debian mirror for access by Tails and Whonix systems” also could lead to someone mistake speaking in their name.