Feature #11556

Use Onion Services for APT

Added by flapflap 2016-07-03 15:47:55 . Updated 2017-01-24 20:42:43 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Tails 2.10
Start date:
2016-07-03
Due date:
% Done:

100%

Feature Branch:
feature/11556-apt-with-onions
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

Currently, /etc/apt/sources.list makes use of apt-transport-tor (tor+http://) to fetch the repo lists from the normal Debian mirrors via the Tor Exit node.
This could, however, be done through Tor entirely since there exist official mirrors that are Tor Onion Services, such as vwakviie2ienjx6t.onion.

https://wiki.debian.org/TorifyDebianServices

Pros:

  • Traffic stays within Tor, avoidance of metadata
  • End-to-End encryption to the Onion Service
  • (debatable) Fingerprinting of Tails users (what diffs were missing? when was the last package list update?) at the Tor Exit might become more difficult

Cons:

  • Adds load to the Onion mirror
  • Packages signed with GnuPG anyways
  • Might be slower than non-Onion Service access

Subtasks

Related issues

Related to Tails - Feature #8143: Use apt-transport-https to protect against security issues in APT? Rejected 2014-10-16

History

#1 Updated by intrigeri 2016-07-16 05:27:42

  • related to Feature #8143: Use apt-transport-https to protect against security issues in APT? added

#2 Updated by intrigeri 2016-07-16 05:29:37

  • Assignee set to flapflap
  • Type of work changed from Discuss to Research

See Feature #8143 for the kind of research needed.

#3 Updated by intrigeri 2016-07-16 07:04:25

  • Subject changed from Use Onion Service Debian Mirror for APT to Research whether we should use Onion Services for APT
  • Status changed from New to Confirmed

#4 Updated by intrigeri 2016-07-16 07:05:49

(Meta: I made it clear to flapflap before he opened this ticket that to be useful, it had to take into account previous security discussions about similar topics, so I’m assigning it to him so he can do that.)

#5 Updated by hans 2016-07-31 14:05:59

If the apt traffic is forced over Tor using iptables rules, then you can use .onion addresses without having apt-transport-tor installed. Then .onion address then enforces that all traffic goes over Tor. Now that weasel has added official Onion Services for both the main archive and the security archive, this is possible to setup.
https://onion.debian.org

#6 Updated by intrigeri 2017-01-08 10:02:15

  • Subject changed from Research whether we should use Onion Services for APT to Use Onion Services for APT
  • Assignee changed from flapflap to intrigeri
  • Target version set to Tails 2.10
  • Type of work changed from Research to Code

intrigeri wrote:
> (Meta: I made it clear to flapflap before he opened this ticket that to be useful, it had to take into account previous security discussions about similar topics, so I’m assigning it to him so he can do that.)

I did the “let’s see what is blocking this?” dance, and the next steps I had documented (Feature #8143#note-14) are off-topic on this ticket:

  • we already use apt-transport-tor, so there’s no additional code introduced by switching to Onion APT mirrors;
  • there’s an obvious solution to the build-time / apt-cacher-ng issue: Feature #8143#note-23

And if we ever want HTTPS on top of Onions, well: apt-transport-tor supports that :)

So I’m going to deprecate Feature #8143 in favor of this ticket, and prioritize this topic higher since https://www.debian.org/security/2016/dsa-3733 has shown us that security in depth has some value here.

#7 Updated by intrigeri 2017-01-08 10:15:32

… except that we don’t provide any Onion service for http://deb.tails.boum.org/, and it’s enough to have one APT source that’s not authenticated end-to-end to weaken the whole thing. So either we need to fix that infrastructure problem first, and use the new Onion service; or we use HTTPS for that repo, but then the concerns about increasing the attack surface (discussed on Feature #8143 already) re-appear.

#8 Updated by intrigeri 2017-01-08 11:09:25

intrigeri wrote:
> … except that we don’t provide any Onion service for http://deb.tails.boum.org/, and it’s enough to have one APT source that’s not authenticated end-to-end to weaken the whole thing. So either we need to fix that infrastructure problem first, and use the new Onion service; […]

Done, deb.t.b.o now has its onion service: http://jenw7xbd6tf7vfhp.onion/

#9 Updated by intrigeri 2017-01-09 17:55:09

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/11556-apt-with-onions

#10 Updated by intrigeri 2017-01-11 12:08:05

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

#11 Updated by anonym 2017-01-12 12:49:58

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Works great!

#12 Updated by anonym 2017-01-24 20:42:43

  • Status changed from Fix committed to Resolved