v3 (prop 224) .onion for Whonix website

https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions

Apparently v2 and v3 of onion services can be set up side by side easily (?) enough. Would be nice to see this on the Whonix server in the coming months.

v3 benefits:

• Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
• Improved directory protocol, leaking much less information to directory servers.
• Improved directory protocol, with smaller surface for targeted attacks.
• Better onion address security against impersonation.
• More extensible introduction/rendezvous protocol.
• A cleaner and more modular codebase.

(And who doesn’t want to manually enter a 56 character long onion address by hand into the url bar? )

Tor trac tickets seem to suggest this could improve occasional issues where .onions are unreachable.

Of course this requires Tor v 0.3.2.1-alpha or later to work (both server and Tor Browser client).

With relevant Tor binaries likely to be available this month for budding testers (3.2.9), it would be nice to actually connect to the Whonix .onion in this configuration. See:

https://blog.torproject.org/tor-0329-released-we-have-new-stable-series

Rise up and some others already support this e.g. here is Rise Up’s v3 .onion ->

http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion

Is there anything preventing fortasse from setting this up once relevant binaries are made available via the Tor Project?

Tor client v3.2.9 tested and works in Qubes-Whonix. Actually quite well.

So, all it needs is the server side done, and announcing the new, optional, v3 .onion address everywhere. @fortasse

Security yada yada

Oh hey, props to the Tor devs for making that crazy easy:

dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion

All your favorite subdomains should work (download, forums, phabricator). Let me know if it’s acting up, but it seems like it’s all good to go!

Thank you so much fortasse for your amazing work! All tested and working nicely.

@Patrick - suggested blog post below.

Whonix has a New v3 Onion Address

Greetings to the Whonix Community!

Thanks to the efforts of the Whonix server administrator (fortasse), the Whonix website now has a new v3 onion address!

This configuration runs alongside the familiar v2 onion address (kkkkkkkkkk63ava6.onion), so all Whonix users can continue to access website resources (like documentation and forums) while staying within the Tor network. [ref] This provides considerable security and privacy benefits compared to accessing the standard https://whonix.org web address. [/ref]

Whonix users that have installed the latest Tor 3.2.9 client in Whonix-Gateway (sys-whonix) [ref] https://www.whonix.org/wiki/Security_Guide#Tor_Versioning [/ref] [ref]The minimum Tor version required is tor-0.3.2.1-alpha.[/ref], can now use the following address:

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion

All the usual subdomains have been tested to work, including download, forums, wiki and phabricator.

v3 onions provide a number of security benefits, and are reported to make some onion addresses more accessible: [ref]https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions [/ref]

• Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
• Improved directory protocol, leaking much less information to directory servers.
• Improved directory protocol, with smaller surface for targeted attacks.
• Better onion address security against impersonation.
• More extensible introduction/rendezvous protocol.
• A cleaner and more modular codebase.

While browsing, users can recognise next generation services by their length - they are always 56 characters long, instead of the “usual” 16 characters found with v2 onion services.

Interested readers who want to learn more about v3 (prop 224) onions, or wish to setup their own prop224 service should review the following resources:

• https://blog.torproject.org/tor-0329-released-we-have-new-stable-series
• https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions

A sample of other v3 onion websites currently available include: [ref] https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions [/ref]

• www.riseup.net: ​http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion
• searx.riseup.net: ​http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion
• IRC test hub: gff4ixq3takworeuhkubzz4xh2ulytoct4xrpazkiykhupalqlo53ryd.onion:6697
• Federalist papers: ​http://7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion/
• Some address found: ​http://j2eiu2izwjpazjevu4xs3muaif3jzex3nnvnu677vz2fypmzccvhhiid.onion
• Gitea: ​http://lgekyjf5vosmbfvcxzg3g5mmcncmwy4d3nhjrdqqiqzl5nmhqlfemaid.onion/
• patternsinthevoid.net (isis’ blog): ​http://ffqggapqevcmylx6vtk5357i7bfjwbb6qchds3hlohangshxrwvdduyd.onion
• OnionShare ​http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion/

As always, a big thank you to The Tor Project for their hard work on this latest stable release!

I am so excited to see a v3 onion service for Whonix coming up so soon!

Thank you so much for your awesome work, @fortasse !

And also you, @torjunkie , thank you so much for writing the perfectly worded blog post and for being so responsive and proactive!

I am not sure if you have the same feeling, from my personal experience, accessing v3 onion services is still relatively slow comparing to accessing v2 onion services. Very likely because by now the percentage of Tor relays running 0.3.2 and above is still slow: https://metrics.torproject.org/versions.html?start=2017-10-22&end=2018-01-20

We may see a change on this very soon after 0.3.2 becomes to stable.

TODO for myself:

1. Update related wiki: https://www.whonix.org/wiki/Forcing_.onion_on_Whonix.org
2. Update Whonix Welcome Page in Tor Browser. (This is a serious change which will only be made after we consider v3 onion services are mature enough. )

This of course begs the question about possible network fingerprinting.

How many people now use v3 onions (a handful), and until they are ubiquitous, it might be an issue when connecting and somehow make the user very unique(?). Not sure.

Also, maybe there might be some suggestion to not run connections to the same server using v2 and v3 onion addresses on separate tabs in Tor Browser. Since it works when I just tested that.

Again, don’t know if it matters for anonymity, but like most things when carefully examined, it probably does.

And I agree with iry, the v3 version is a fair bit slower - probably related to lower Tor versions running on the network right now.

Great! Could you post this please?

Qubes mirror (also done by @fortasse):

http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/

They yet have to be informed about it?

Whonix 14 will be using the v3 onion.

I don’t think Qubes people are aware of the v3 onion. Might be worth shouting out to @adw on mailing lists.

The draft blog post is done and saved in the usual (blog admin) area.

Please review and post if you’re happy with it. As always, not sure about how to reference/footnote properly.

Apparently there is a footnote plugin for Wordpress, don’t know if @fortasse wants to actually install that so we can solve that problem for the longer term…

Great news! Thank you! Since you’ve prepared such a clear and thorough announcement containing all the details, we would love to link directly to it from the Qubes announcement, if it’s okay with you.

Sure.

Thanks, all! Here’s the Qubes announcement:

No, thank you.

We’ve liberally used your words here and there in the Wiki re: security-related matters, verifying keys, Qubes-Whonix security tips, hypervisor vs physically isolated set-up etc. With attribution of course.

I think that PhD (computer engineering?) has given you very sharp writing skills.

Cheers

You’re too kind! Thank you. I’m glad some of those words could be of use. (My Ph.D. is in philosophy, so there was a bit of writing involved. )

About 8 hours ago, I wasn’t able to connect to any of the public v3 onion addresses, I wonder why. v2 onions and clearnet were fine. My configuration hasn’t changed. Now v3 onions are all working again.

Yes, I’ve seen the same i.e. rarely only v2 Whonix onion works, and not the v3. No idea why either.

But overall, it seems quite stable and accessible.

From wiki:

To access the v3 onion address, Whonix users must install the latest Tor 3.2.9 client in Whonix-Gateway ( sys-whonix ) via the stable-proposed-updates repository.

Is this in stable now? If so, then we should fix that and update release notes to say:

Uploaded Tor v3.2.9 to the stable Whonix repository to enable full v3 onion functionality for both hosting of onion services and access to v3 onion addresses in Tor Browser.

torjunkie:

From wiki:

To access the v3 onion address, Whonix users must install the latest Tor 3.2.9 client in Whonix-Gateway ( sys-whonix ) via the stable-proposed-updates repository.

Is this in stable now? If so, then we should fix that and update release notes to say:

Uploaded Tor v3.2.9 to the stable Whonix repository to enable full v3 onion functionality for both hosting of onion services and access to v3 onion addresses in Tor Browser.

Yes.

Done