Use Tor The Architect Way


Most people think of Tor as a dark place.
Black markets. Shady services. Anonymity.
Tor's greatest strength, anonymity, has also become its stigma.

They don't understand that it's not just a tool for anonymity.
It's for better privacy - for the user, and for the server.

Architects use the system as a protective layer - ethically.

  • Reduce tracking.
  • Resist fingerprinting.
  • Enhance privacy.

The Onion Network Architecture

Tor's architecture limits metadata leaks.
The network introduces some lag as a tradeoff.
Onion services are accessible via .onion addresses.
These addresses appear random because they are derived from cryptographic keys.

{[Client] -> [Tor daemon]} -> [The Onion Network] <- {[Tor daemon] <- [Server]}

Install The Tor Daemon

  • On Debian you can install tor with apt.
sudo apt install tor

The configuration file is placed in /etc/tor.

  • On FreeBSD the pkg tool can install tor.
pkg install tor

The configuration lives in /usr/local/etc/tor.

Configure A Hidden Service

Edit the torrc file in the config directory with your preferred editor.

Example configuration on Debian:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80  127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443

Example configuration on FreeBSD:

HiddenServiceDir /var/db/tor/hidden_service/
HiddenServicePort 80  127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443

Restart the tor service.
Debian: sudo systemctl restart tor
FreeBSD: service tor restart

The most important generated files are:

  1. hostname - it contains your unique .onion address
  2. hs_ed25519_public_key - service public key
  3. hs_ed25519_secret_key - service private key (keep it secret, it's the site's identity)
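
The hostname file is not arbitrary: as noted above, a v3 .onion address is derived from the service's ed25519 public key. The following is an added example, not code from the original post, that reproduces that derivation (base32 of public key, 2-byte SHA3-256 checksum and version byte 0x03, per the Tor v3 onion service specification) and checks whether a given address is a well-formed v3 address. The sample key and key-file bytes are constructed for the example; the assumed 32-byte file header matches the layout of hs_ed25519_public_key written by tor.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
# Assumed layout of hs_ed25519_public_key: 32-byte tag followed by the 32-byte key.
PUBKEY_FILE_TAG = b"== ed25519v1-public: type0 ==\x00\x00\x00"


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()
    return digest[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_V3_VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_key_file(data: bytes) -> bytes:
    """Extract the raw key from the contents of hs_ed25519_public_key."""
    if len(data) != 64 or not data.startswith(PUBKEY_FILE_TAG):
        raise ValueError("not an hs_ed25519_public_key file")
    return data[32:]


def verify_onion_address(address: str) -> bool:
    """True if the address is a structurally valid v3 .onion (checksum and version match)."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        return False
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and checksum == onion_checksum(pubkey)


if __name__ == "__main__":
    # Constructed sample key (not a real service key).
    sample_key = bytes(range(32))
    key_file = PUBKEY_FILE_TAG + sample_key
    addr = onion_address_from_pubkey(pubkey_from_key_file(key_file))
    print(addr, verify_onion_address(addr))
```

Because the version byte is always 0x03, every v3 address ends in "d.onion"; verify_onion_address rejects anything whose checksum or version does not match, which is a cheap sanity check before trusting an address pasted from elsewhere.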

You can host multiple services behind one .onion address: one HiddenServiceDir with several HiddenServicePort lines.

HiddenServiceDir /var/db/tor/hidden_service/  #  hidden service dir
HiddenServicePort 80   127.0.0.1:80           #  http
HiddenServicePort 5222 127.0.0.1:5222         #  xmpp
HiddenServicePort 6667 127.0.0.1:6667         #  irc
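
A hidden service only stays hidden if the backend it forwards to is reachable solely through tor, which is why every example above targets 127.0.0.1. The following added example (not part of the original post) parses the HiddenServiceDir / HiddenServicePort blocks of a torrc, handling comments and tor's target forms (host:port, bare port, [v6]:port, unix: sockets), and flags a port before any directory, a directory with no ports, duplicate virtual ports, and targets that are not loopback addresses. The sample configurations are constructed from the ones shown in this post.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HiddenService:
    directory: str
    ports: list = field(default_factory=list)   # (virtport, host, port) tuples


def _parse_target(target: str, virtport: int):
    """Return (host, port) for a HiddenServicePort TARGET using tor's syntax."""
    if target.startswith("unix:"):
        return target, None                      # unix socket: no TCP address
    if target.isdigit():
        return "127.0.0.1", int(target)          # port only: tor assumes loopback
    if target.startswith("["):                   # [::1]:80 form
        host, _, rest = target[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else virtport
        return host, port
    if target.count(":") == 1:                   # IPv4:port form
        host, port = target.split(":")
        return host, int(port)
    return target, virtport                      # bare IPv4 address, same port


def parse_torrc(text: str):
    """Group HiddenServicePort lines under the preceding HiddenServiceDir."""
    services, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        key, *args = line.split()
        if key == "HiddenServiceDir" and args:
            services.append(HiddenService(args[0]))
        elif key == "HiddenServicePort" and args:
            if not services:
                problems.append(f"line {lineno}: HiddenServicePort before any HiddenServiceDir")
                continue
            virtport = int(args[0])
            host, port = _parse_target(args[1], virtport) if len(args) > 1 else ("127.0.0.1", virtport)
            services[-1].ports.append((virtport, host, port))
    return services, problems


def check_torrc(text: str):
    """Return a list of human-readable problems; an empty list means the config looks sane."""
    services, problems = parse_torrc(text)
    for svc in services:
        if not svc.ports:
            problems.append(f"{svc.directory}: no HiddenServicePort lines")
        seen = set()
        for virtport, host, port in svc.ports:
            if virtport in seen:
                problems.append(f"{svc.directory}: virtual port {virtport} listed twice")
            seen.add(virtport)
            if host.startswith("unix:"):
                continue
            try:
                if not ipaddress.ip_address(host).is_loopback:
                    problems.append(f"{svc.directory}: port {virtport} forwards to non-loopback {host}:{port}")
            except ValueError:
                problems.append(f"{svc.directory}: port {virtport} target {host!r} is not an IP literal")
    return problems


# Constructed sample: the multi-service configuration shown in the post.
GOOD_TORRC = """\
HiddenServiceDir /var/db/tor/hidden_service/  #  hidden service dir
HiddenServicePort 80   127.0.0.1:80           #  http
HiddenServicePort 5222 127.0.0.1:5222         #  xmpp
HiddenServicePort 6667 127.0.0.1:6667         #  irc
"""

# Constructed sample with three mistakes a reviewer should catch.
BAD_TORRC = """\
HiddenServicePort 22 127.0.0.1:22
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 0.0.0.0:80
HiddenServicePort 80 8080
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_TORRC), ("bad", BAD_TORRC)):
        print(name, check_torrc(cfg) or "ok")
```

Run it against the real file (/etc/tor/torrc on Debian, /usr/local/etc/tor/torrc on FreeBSD) before restarting tor; a non-loopback target is the finding worth acting on, since the same backend would then also answer on the server's real address.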

The Danger Zone - Exit Nodes

Exit nodes carry traffic that leaves The Onion Network for the surface web.
These exit nodes are operated by volunteers and organizations.
Tor selects exit nodes automatically based on network consensus and relay capacity.

The danger is not the exit node itself.
The danger is the metadata around it.

A hostile operator can observe destinations.
A hostile observer can collect timing information.
A powerful adversary may attempt traffic correlation.

Tor makes this difficult.
It does not make it impossible.

Tor-only services (.onion) eliminate the need for exit nodes.

Hidden Services

Most infrastructure services can be hosted as a Tor hidden service.

  • Websites
  • Databases
  • Most email services
  • Instant Messaging
  • SSH

Tor introduces some lag because of the routing.
Most text-based services won't notice it.

Tor hides the server's IP address and makes its location harder to find.
It hides the client's IP address and mitigates metadata leakage.

The Onion Network's encryption makes the content of the traffic harder to inspect.
Time-based and other correlations still reveal important information.

Final Whisper

Tor doesn't provide invisibility.
It helps protect the IP address and location of both client and server.

Tor doesn't protect against:

  • correlation attacks
  • malicious clients
  • malicious links

With proper, ethical usage The Onion Network is another layer of security in the Architect toolset.

If you have questions or comments, join our Silent Architect IRC network:

Server : irc.silentarchitect.org
Port   : 6697
TLS    : mandatory
SASL   : supported

[ Fear the Silence. Fear the Switch. ]