I have communicated with the developer of invidio.us (which is another front end of YouTube) about having Onion Hidden Services entry/mirror to his website. And he was very straight forward smart guy he done all the research by himself (i just asked him if he can do it) and here is the good news:
Onion V2 Mirror:
http://kgg2m7yk5aybusll.onion/
Onion V3 Mirror:
http://axqzx4s6s54s32yentfqojs3x5i7faxza6xo3ehd4bzzsg2ii4fv2iid.onion
Special Thanks to Omar Roth for making this happen.
I agree with what the tor-talk list had to say about this service. In particular these responses:
Basically this site act as a MITM and can do a bunch of malicious things from that position.
Why not just use youtube-dl? I haven’t watched a video on YT’s site in years.
MitM but between you and Google/YB , but lets see:
Youtube uses closed source malicious javascript (very likely) , invidious uses open source javascript and the source code already available.
you cant install youtube front page and use it on your server , you can do that with invidious
Youtube is a closed source horrible evil (Thx to google), invidious is free software.
Youtube uses closed source ssl certificate , Invidious use open source ssl which is let encrypt.
Youtube you cant have except ssl/tls security , Invidious support onion v2 and v3 domain.
You cant watch videos in youtube without allowing youtube/google JS, You can do that with invidious.
…etc if there is any i missed.
So if you tell me to choose between watching videos on youtube or invidious then i will choose invidious for sure and hope ppl help the developer because he deserve it.
Regarding youtube-dl , you can use it with onion invdious. But for me i wouldnt use it because it add loads on the nodes and TorProject prohibited torrenting for rational reason which is to prevent the downloading load over the Tor.
youtube-dl i would use it with I2P (if support it) , but this is not a relevant case here.
How does using invidious with the same videos is a lower load on Tor than youtube-dl?
Because you stream the video while its still on google server, not downloading it. and thats also i would add another issue which is the security of stuff being downloaded VS stuff being watched on the browser.
Tor Project always warn us of the downloading stuff like pdf,docx…etc and pre-advise to not open while you are connected to the internet. But i dont see any warnings from streaming or browsing website while everything set to maximum or reasonable security.
What’s the difference? it’s not an ftp download. It’s not a direct download from google’s servers. you mean you request it at a slower rate? perhaps, but a fair comparison between the different options is with identical amount of traffic / number of videos. So perhaps you request each video in a slower rate when streaming them on Tor browser (and I’m not even sure this is right), but then you have longer periods of not requesting anything when using youtube-dl. Overall the effect is the same.
Torrenting is a very different animal. There, once you have the file it’s constantly available for others in the network. You don’t just d/l it once and done with it. It creates an unlimited amount of future traffic.
Streaming the video from Google means being connected to Google over a lengthy period of time. This certainly adds further privacy considerations. Anyone using any kind of google services with clearnet on your network? Google may be able to correlate your onion traffic with the clearnet one and get your IP.
Of course, the same trick may also be possible with youtube-dl, but the shorter length of connection in my opinion is much preferable.
Thats why its better to do it from invidious not youtube so that you avoid to be in touch with google directly.
See in general i dont oppose youtube-dl and its a great tool. but that doesnt make invidious less important plus you can still use youtube-dl on invidious so you can gain the security/privacy benefits from it.
Regarding youtube-dl , you can use it with onion invdious. But for me i wouldnt use it because it add loads on the nodes and TorProject prohibited torrenting for rational reason which is to prevent the downloading load over the Tor.
Invalid. Not even Tor Project asks for that.
Frequently Asked Questions - Whonix FAQ
Tor Project always warn us of the downloading stuff like pdf,docx…etc
and pre-advise to not open while you are connected to the internet.
A real video - which is difficult to figure out what file type they
really downloaded - since most users don’t understand file extensions
and Windows stupidly hides file extensions by default - would be
preferable to viewing in browser.
Thats why its better to do it from invidious not youtube so that you
avoid to be in touch with google directly.
I doubt he’s proxying all the traffic? It’s just a frontend. Meaning,
backends, i.e. videos are still coming from youtube.
MitM but between you and Google/YB , but lets see:
- Youtube uses closed source malicious javascript (very likely) ,
invidious uses open source javascript and the source code already
available.
Good in theory but in practice irrelevant since no one reads the
javascript before execution or at least checks the javascript is
unmodiifed since last visit or at least checks the signature of the
javascript. So if the server gets hacked and javascript replaced no one
will notice easily.
- Youtube uses closed source ssl certificate , Invidious use open
source ssl which is let encrypt.
There’s no such thing as Open Source SSL certificate. Private keys must
conceptually stay private.
- Youtube you cant have except ssl/tls security , Invidious support
onion v2 and v3 domain.
Well, and Invidious then fetches the video over TLS before that. So the
chain is still only as secure as TLS. No end-to-end onion encryption.
- You cant watch videos in youtube without allowing youtube/google JS,
You can do that with invidious.
That’s cool.
I get the idea from what they already mentioned about torrent: (here)
Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.
didnt ask him , maybe not possible to achieve.
meant Lets Encrypt VS others certificates.
Didnt check , but maybe not possible due to design limitations.
I don’t see how that helps either. Browsers still accept any certificate. So unless someone takes (fingerprintable!) steps to restrict which website may issue which certificate, I don’t see how this improves anything. Even private keys at any TLS CA can be created using Libre Software afaik.
They explicitly write torrent. They’re native English speakers. So they’re hopefully using very accurate language. When they write torrent they hopefully don’t mean “bulk data transfer”. If they’d worry about (YouTube) videos, they’d probably have a separate entry since torrent is very specific and very different from users who just watch videos and never heard of torrent (many).
Click on any video, then on the video page, right click and select “View Page Source”.
Under the DIV “player-container” you will find a “video” element, with links to clearnet subdomains of googlevideo.com
Check that domain, it redirects to Google-videot
So yes it seems the video is actually loaded from a direct clearnet link to google.
Further, the page loads javascript from googlevideo.com
i asked in tor mailing list, lets see what they will say.