Apparently v2 and v3 of onion services can be set up side by side easily (?) enough. Would be nice to see this on the Whonix server in the coming months.
v3 benefits:
Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
Improved directory protocol, leaking much less information to directory servers.
Improved directory protocol, with smaller surface for targeted attacks.
Better onion address security against impersonation.
More extensible introduction/rendezvous protocol.
A cleaner and more modular codebase.
(And who doesn’t want to manually enter a 56 character long onion address by hand into the url bar? )
Tor trac tickets seem to suggest this could improve occasional issues where .onions are unreachable.
Of course this requires Tor v 0.3.2.1-alpha or later to work (both server and Tor Browser client).
With relevant Tor binaries likely to be available this month for budding testers (3.2.9), it would be nice to actually connect to the Whonix .onion in this configuration. See:
Thanks to the efforts of the Whonix server administrator (fortasse), the Whonix website now has a new v3 onion address!
This configuration runs alongside the familiar v2 onion address (kkkkkkkkkk63ava6.onion), so all Whonix users can continue to access website resources (like documentation and forums) while staying within the Tor network. [ref] This provides considerable security and privacy benefits compared to accessing the standard https://whonix.org web address. [/ref]
Whonix users that have installed the latest Tor 3.2.9 client in Whonix-Gateway (sys-whonix) [ref] Security Guide - Whonix [/ref] [ref]The minimum Tor version required is tor-0.3.2.1-alpha.[/ref], can now use the following address:
Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
Improved directory protocol, leaking much less information to directory servers.
Improved directory protocol, with smaller surface for targeted attacks.
Better onion address security against impersonation.
More extensible introduction/rendezvous protocol.
A cleaner and more modular codebase.
While browsing, users can recognise next generation services by their length - they are always 56 characters long, instead of the “usual” 16 characters found with v2 onion services.
Interested readers who want to learn more about v3 (prop 224) onions, or wish to set up their own prop224 service should review the following resources:
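As an added example (not part of the blog post or the Whonix project's code), the following Python shows why a v3 address is 56 characters and how a client can tell a well-formed v3 address from a v2 one or a typo: a v3 address is base32(pubkey || checksum || version) where the 2-byte checksum is SHA3-256(".onion checksum" || pubkey || version) truncated, as specified in Tor's rend-spec-v3. The 32-byte public key used below is a constructed sample, not a real service key.

```python
import base64
import hashlib

V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def v3_address_from_pubkey(pubkey: bytes) -> str:
    """Build a v3 onion address from a 32-byte ed25519 public key (rend-spec-v3)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]
    raw = pubkey + checksum + V3_VERSION  # 35 bytes = 280 bits -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a hostname such as 'xxxx.onion'."""
    host = address.strip().lower()
    if not host.endswith(".onion"):
        return "invalid"
    label = host[:-len(".onion")].split(".")[-1]  # tolerate www.<addr>.onion
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:
        return "invalid"
    if len(label) == 16:              # v2: 80-bit truncated RSA key hash
        return "v2"
    if len(label) != 56:
        return "invalid"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:         # every v3 address therefore ends in 'd'
        return "invalid"
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return "v3" if checksum == expected else "invalid"


# Constructed sample key (NOT a real service key) to show the round trip.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_V3 = v3_address_from_pubkey(SAMPLE_PUBKEY)
```

A mistyped or tampered v3 address fails the checksum or version check instead of silently resolving to a different service, which is the impersonation resistance the benefits list refers to.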
I am so excited to see a v3 onion service for Whonix coming up so soon!
Thank you so much for your awesome work, @fortasse !
And also you, @torjunkie , thank you so much for writing the perfectly worded blog post and for being so responsive and proactive!
I am not sure if you have the same feeling, but from my personal experience, accessing v3 onion services is still relatively slow compared to accessing v2 onion services. Very likely because by now the percentage of Tor relays running 0.3.2 and above is still low: Servers – Tor Metrics
We may see a change on this very soon after 0.3.2 becomes stable.
This of course begs the question about possible network fingerprinting.
How many people now use v3 onions (a handful), and until they are ubiquitous, it might be an issue when connecting and somehow make the user very unique(?). Not sure.
Also, maybe there might be some suggestion to not run connections to the same server using v2 and v3 onion addresses on separate tabs in Tor Browser. Since it works when I just tested that.
Again, don’t know if it matters for anonymity, but like most things when carefully examined, it probably does.
And I agree with iry, the v3 version is a fair bit slower - probably related to lower Tor versions running on the network right now.
I don’t think Qubes people are aware of the v3 onion. Might be worth shouting out to @adw on mailing lists.
The draft blog post is done and saved in the usual (blog admin) area.
Please review and post if you’re happy with it. As always, not sure about how to reference/footnote properly.
Apparently there is a footnote plugin for Wordpress, don’t know if @fortasse wants to actually install that so we can solve that problem for the longer term…
Great news! Thank you! Since you’ve prepared such a clear and thorough announcement containing all the details, we would love to link directly to it from the Qubes announcement, if it’s okay with you.
We’ve liberally used your words here and there in the Wiki re: security-related matters, verifying keys, Qubes-Whonix security tips, hypervisor vs physically isolated set-up etc. With attribution of course.
I think that PhD (computer engineering?) has given you very sharp writing skills.
About 8 hours ago, I wasn’t able to connect to any of the public v3 onion addresses, I wonder why. v2 onions and clearnet were fine. My configuration hasn’t changed. Now v3 onions are all working again.
To access the v3 onion address, Whonix users must install the latest Tor 3.2.9 client in Whonix-Gateway (sys-whonix) via the stable-proposed-updates repository.
Is this in stable now? If so, then we should fix that and update release notes to say:
Uploaded Tor v3.2.9 to the stable Whonix repository to enable full v3 onion functionality for both hosting of onion services and access to v3 onion addresses in Tor Browser.