Torify Debian Services
This page is about providing Onion Services for some of the Debian Services.
Why is it useful?
When using Debian (or a derivative, e.g. Tails), the user might be using some Debian Services and leak information to their ISP, to the ISPs and organizations hosting the Debian servers, and possibly to others. For example:
- APT accessing repositories leaks information on installed packages and security updates, see this
- Popcon, bts, wnpp-check leak information about packages and more
In some instances simply leaking the fact that a laptop is running Debian is enough to make the user identifiable.
An NTP client resolving debian.pool.ntp.org can be enough.
A solution
Web-based services can already be accessed through Tor. Also, the user is (usually) aware of accessing a website.
Other services that are accessed automatically and/or without the user being fully aware of it should be provided over Onion Services.
Switching access from "traditional" to onion service should be simple (dpkg-reconfigure?).
Security implications
Pros:
- Less data leaks in general
- Onion Services act as certificates to prevent MITM
Cons:
- Increased traffic over Tor. Only APT traffic to the mirrors could be a concern.
- Using Tor instead of "regular" traffic can look even more suspicious. Users should be warned about this; Tor should not be installed and used automatically.
The services are listed in Services
Problems
- Providing a trusted list of Debian Onion Services names and methods to keep it updated.
- Services that cannot be torified, e.g. NTP. Tricky use-cases where only the DNS resolution should be torified.
- Some services get a lot of traffic; this can be mitigated with onionbalance.
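A current (v3) onion name encodes the service's public key plus a checksum, which is what lets the name act as a certificate and makes a list of names checkable before it is distributed. The Python below is an added example, not code from this page or from Debian: it validates each name in a list against the v3 encoding in Tor's onion service specification. The dummy key, the "example-mirror" entries and the audit() helper are constructed for illustration.

```python
import base64
import hashlib

VERSION = b"\x03"  # version byte of v3 onion services

def checksum(pubkey: bytes) -> bytes:
    # Tor rend-spec-v3: first 2 bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    raw = pubkey + checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def decode_v3(address: str) -> bytes:
    """Return the 32-byte ed25519 public key in a v3 name, or raise ValueError."""
    label, _, tld = address.strip().lower().rpartition(".")
    if tld != "onion" or len(label) != 56:
        raise ValueError("not a v3 name (need 56 base32 chars + .onion)")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, embedded, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported version byte")
    if embedded != checksum(pubkey):
        raise ValueError("checksum mismatch (typo or tampering)")
    return pubkey

def audit(entries: dict) -> dict:
    """Map each service name to 'ok' or 'rejected: <reason>'."""
    report = {}
    for service, address in entries.items():
        try:
            decode_v3(address)
            report[service] = "ok"
        except ValueError as exc:
            report[service] = f"rejected: {exc}"
    return report

# Constructed sample data: the key is a dummy byte string, not a real service key.
DUMMY_KEY = bytes(range(32))
GOOD = encode_v3(DUMMY_KEY)
# Character 52 holds only checksum bits, so changing it leaves key and version intact.
TYPO = GOOD[:52] + ("a" if GOOD[52] != "a" else "b") + GOOD[53:]
SAMPLE = {
    "example-mirror": GOOD,
    "example-mirror-typo": TYPO,
    "debian-security-unofficial": "dju2peblv7upfz3q.onion",  # name quoted on this page
}

if __name__ == "__main__":
    for service, status in audit(SAMPLE).items():
        print(f"{service}: {status}")
```

The 16-character name from this page is rejected because it uses the older v2 format, a truncated hash of the key with no embedded key or checksum to validate.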
Services to be torified
- Popcon
- reportbug.debian.org
- Archives
- snapshot.debian.org
How to help
- List services to be torified
- Torify the clients
- Provide tools for DSA to handle the Onion Service keypairs
- Write scripts to create Onion Service keys
- Write tools to create/distribute/update/revoke the list of Debian Onion Services
Current status
All official Debian onion services run by the Debian sysadmins are listed on onion.debian.org (announcement)
- Unofficial services:
  - unofficial debian-security mirror (dju2peblv7upfz3q.onion) run by Hans-Christoph Steiner (Debian Developer)
Popcon Tor support: 773663