I wanted to be able to send data to Tor onion endpoints within my code, mixed with regular IP or DNS addresses. This modification allows the Linux system resolver handle Onions as it would any other address.
Be careful with this if you're expecting anonymity though. The Tor browser does a lot of work trying to prevent identifying information from being sent to the other side. If you run an arbitrary protocol over Tor without any of that, it's much easier for the server to fingerprint the client.
Absolutely. I highlighted this as one of the warnings in the Howto I made. Any protocol you use must be vetted for security and privacy, if you intend to use Tor for those purposes.
My purpose is very different. I wanted to communicate with any machine I owned. Every machine has an Onion hidden service, and every machine can talk to Onions seamlessly.
What this allows is I can code against a [hash].onion, and know that the data goes where I want it. I can run Mosquitto (MQTT database) on one node, and other nodes can publish data to it. It matters not where they are, what networks they reside on, or if I get the "DynDNS, firewall holes, dynamic-static internal IP", and the rest of that junk set up right.
I also use Node-Red, and can use .onion addresses as valid services elsewhere. It allows me the ultimate network flexibility. I think of .onion addresses as being on a "Really Long Ethernet Hub" that only listens to the machine talked to.
EDIT:
> If you run an arbitrary protocol over Tor without any of that, it's much easier for the server to fingerprint the client.
I have been using privoxy as a system wide proxy with this rule `forward-socks4a .onion localhost:9050 .` to do this. I didn't know this was possible, great.
If debian generated an onion address like debiandebxwnjx6t.onion (just made that up), how would that help you determine that the .onion address is owned by debian?
All it proves is that someone ran a vanity key/address generator on his GPU for a couple of days to get a nice-looking prefix. I could do the same thing at home and get a different address with the same prefix, and you wouldn't be able to tell the difference without comparing the whole address.
You need a trust path to the Debian sysadmins. The best option right now is the HTTPS on onion.debian.org and the knowledge that Debian uses Lets Encrypt.
Sure, but variations are there so the reproducible builds are more robust and can be done natively. It doesn't mean that you can't reproduce these packages, just stick to the standard build paths, filesystems, etc...
25 comments
[ 3.3 ms ] story [ 78.6 ms ] threadI wrote this: https://trac.torproject.org/projects/tor/wiki/doc/LinuxDNSre...
I wanted to be able to send data to Tor onion endpoints within my code, mixed with regular IP or DNS addresses. This modification allows the Linux system resolver handle Onions as it would any other address.
My purpose is very different. I wanted to communicate with any machine I owned. Every machine has an Onion hidden service, and every machine can talk to Onions seamlessly.
What this allows is I can code against a [hash].onion, and know that the data goes where I want it. I can run Mosquitto (MQTT database) on one node, and other nodes can publish data to it. It matters not where they are, what networks they reside on, or if I get the "DynDNS, firewall holes, dynamic-static internal IP", and the rest of that junk set up right.
I also use Node-Red, and can use .onion addresses as valid services elsewhere. It allows me the ultimate network flexibility. I think of .onion addresses as being on a "Really Long Ethernet Hub" that only listens to the machine talked to.
EDIT:
> If you run an arbitrary protocol over Tor without any of that, it's much easier for the server to fingerprint the client.
Agreed. I control both endpoints.
OnionCat with virtual domain names would be better IMHO.
Domain squatting is even harder on tor, but how am I supposed to know the real Debian is on xyabdjfhkj1345 or xvhdjakeueg12567?
All it proves is that someone ran a vanity key/address generator on his GPU for a couple of days to get a nice-looking prefix. I could do the same thing at home and get a different address with the same prefix, and you wouldn't be able to tell the difference without comparing the whole address.
However, with several Debian volunteers they can get a more friendly-looking address. One person alone with a GPU can't compete with that
It's a proof of work (just like bitcoin)
Isn't >80% most of Debian?
https://tests.reproducible-builds.org/index_variations.html
Also, I see that user login shell is varied.
https://github.com/rbanffy/3270font
https://tests.reproducible-builds.org/debian/rb-pkg/unstable...
Why would debian not host their sites on I2P
* Tor heavily used to get some anonymity in big internet.
* Tor have bundle browser solution that anyone can use.
* I2P is Java and not everyone know there is C++ client.
* I2P also audited less have more undergoing changes.
While I2P can be used to do exactly same things as Tor it's just not goal of project.