Feature #11556
Use Onion Services for APT
% Done: 100%
Description
Currently, /etc/apt/sources.list makes use of apt-transport-tor (tor+http://) to fetch the repo lists from the normal Debian mirrors via the Tor Exit node.
This could, however, be done through Tor entirely since there exist official mirrors that are Tor Onion Services, such as vwakviie2ienjx6t.onion.
https://wiki.debian.org/TorifyDebianServices
Pros:
- Traffic stays within Tor, avoidance of metadata
- End-to-End encryption to the Onion Service
- (debatable) Fingerprinting of Tails users (what diffs were missing? when was the last package list update?) at the Tor Exit might become more difficult
Cons:
- Adds load to the Onion mirror
- Packages signed with GnuPG anyways
- Might be slower than non-Onion Service access
Related issues:
- Related to Tails - (status: Rejected, 2014-10-16)
History
#1 Updated by intrigeri 2016-07-16 05:27:42
- Related to Feature #8143: Use apt-transport-https to protect against security issues in APT? added
#2 Updated by intrigeri 2016-07-16 05:29:37
- Assignee set to flapflap
- Type of work changed from Discuss to Research
See Feature #8143 for the kind of research needed.
#3 Updated by intrigeri 2016-07-16 07:04:25
- Subject changed from Use Onion Service Debian Mirror for APT to Research whether we should use Onion Services for APT
- Status changed from New to Confirmed
#4 Updated by intrigeri 2016-07-16 07:05:49
(Meta: I made it clear to flapflap before he opened this ticket that to be useful, it had to take into account previous security discussions about similar topics, so I’m assigning it to him so he can do that.)
#5 Updated by hans 2016-07-31 14:05:59
If the apt traffic is forced over Tor using iptables rules, then you can use .onion addresses without having apt-transport-tor installed. The .onion address then enforces that all traffic goes over Tor. Now that weasel has added official Onion Services for both the main archive and the security archive, this is possible to set up.
https://onion.debian.org
#6 Updated by intrigeri 2017-01-08 10:02:15
- Subject changed from Research whether we should use Onion Services for APT to Use Onion Services for APT
- Assignee changed from flapflap to intrigeri
- Target version set to Tails 2.10
- Type of work changed from Research to Code
intrigeri wrote:
> (Meta: I made it clear to flapflap before he opened this ticket that to be useful, it had to take into account previous security discussions about similar topics, so I’m assigning it to him so he can do that.)
I did the “let’s see what is blocking this?” dance, and the next steps I had documented (Feature #8143#note-14) are off-topic on this ticket:
- we already use apt-transport-tor, so there’s no additional code introduced by switching to Onion APT mirrors;
- there’s an obvious solution to the build-time / apt-cacher-ng issue: Feature #8143#note-23
And if we ever want HTTPS on top of Onions, well: apt-transport-tor supports that :)
So I’m going to deprecate Feature #8143 in favor of this ticket, and prioritize this topic higher since https://www.debian.org/security/2016/dsa-3733 has shown us that security in depth has some value here.
#7 Updated by intrigeri 2017-01-08 10:15:32
… except that we don’t provide any Onion service for http://deb.tails.boum.org/, and it’s enough to have one APT source that’s not authenticated end-to-end to weaken the whole thing. So either we need to fix that infrastructure problem first, and use the new Onion service; or we use HTTPS for that repo, but then the concerns about increasing the attack surface (discussed on Feature #8143 already) re-appear.
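The point above (a single APT source that is not end-to-end authenticated weakens the whole setup) can be checked mechanically. The following is an added example, not code from Tails or from this ticket; the sources.list content is constructed for illustration and the classification rule (tor+ transport to a .onion host counts as end-to-end, tor+ to a clearnet host leaves Tor at an exit, anything else is treated as clearnet) is an assumption of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample sources.list for illustration (not the real Tails file).
SAMPLE_SOURCES = """\
# main archive via the official Debian onion mirror named in the ticket
deb tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib
# security archive still reached through a Tor exit node
deb tor+http://security.debian.org/ stretch/updates main
# a repository with no Tor transport in the URI at all
deb [arch=amd64] http://deb.tails.boum.org/ stretch main
deb-src tor+http://vwakviie2ienjx6t.onion/debian stretch main
"""

# deb|deb-src, optional [options], URI, suite (components ignored here)
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+\S+")

def classify(uri):
    """Classify how an APT source URI reaches its mirror.

    onion: tor+http(s) to a .onion host; the connection stays inside Tor
           and is authenticated end-to-end to the service.
    exit:  tor+ transport to a clearnet host; traffic leaves at a Tor exit.
    clear: no Tor transport in the URI; relies on external torification
           (iptables rules, as discussed above) or none at all.
    """
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.scheme in ("tor+http", "tor+https"):
        return "onion" if host.endswith(".onion") else "exit"
    return "clear"

def audit_sources(text):
    """Parse sources.list text; return [(uri, classification), ...]."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        m = LINE_RE.match(line) if line else None
        if m:
            results.append((m.group(2), classify(m.group(2))))
    return results

def weak_sources(text):
    """URIs that are not end-to-end authenticated through Tor."""
    return [uri for uri, kind in audit_sources(text) if kind != "onion"]

if __name__ == "__main__":
    for uri, kind in audit_sources(SAMPLE_SOURCES):
        print(f"{kind:5s} {uri}")
    print("all sources end-to-end over Tor:", not weak_sources(SAMPLE_SOURCES))
```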
#8 Updated by intrigeri 2017-01-08 11:09:25
intrigeri wrote:
> … except that we don’t provide any Onion service for http://deb.tails.boum.org/, and it’s enough to have one APT source that’s not authenticated end-to-end to weaken the whole thing. So either we need to fix that infrastructure problem first, and use the new Onion service; […]
Done, deb.t.b.o now has its onion service: http://jenw7xbd6tf7vfhp.onion/
#9 Updated by intrigeri 2017-01-09 17:55:09
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to feature/11556-apt-with-onions
#10 Updated by intrigeri 2017-01-11 12:08:05
- Assignee changed from intrigeri to anonym
- % Done changed from 10 to 50
- QA Check set to Ready for QA
#11 Updated by anonym 2017-01-12 12:49:58
- Status changed from In Progress to Fix committed
- Assignee deleted (anonym)
- % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
Works great!
#12 Updated by anonym 2017-01-24 20:42:43
- Status changed from Fix committed to Resolved