Compare commits


3 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| ubergeek | cafb51827c | Update 'rfc-tilde-tor-support.md' | 2019-08-02 22:22:48 -04:00 |
| ubergeek | eb85924977 | Update 'rfc-tilde-tor-support.md' | 2019-08-02 22:21:46 -04:00 |
| ubergeek | 75569d8b4b | Add 'rfc-tilde-tor-support.md' | 2019-08-02 21:33:32 -04:00 |
1 changed files with 75 additions and 0 deletions

rfc-tilde-tor-support.md Normal file

@ -0,0 +1,75 @@
+++
title : Tilde Tor support
number: TBD
author: Ubergeek <ubergeek@thunix.net>, southerntofu <>
status: proposed
+++
# Abstract
Tor is a collection of privacy tools to provide anonymity and autonomy on the Internet. It brings a coherent approach to encrypted connections and decentralized naming, which are crucial steps in the struggle for privacy. The Tor project is run by a non-profit organization and is used by millions of people around the world to defeat censorship and mass surveillance.
As privacy is a very important concern within the tildeverse, it is proposed that servers of the tildeverse should do their best to support Tor: at least gopher and http services should be available via an onion service. This would enable those in oppressive regions some interaction with the tildeverse services, and further the goals of a more diverse community.
# Tor History
Tor is a privacy-enabling router, which attempts to anonymize bi-directional connects on the Internet. It provides a cryptographic naming (`.onion` addresses) and encrypted/authenticated routes to/from those addresses, as well as exit nodes to access services that do not have an onion. All these connections are in either case tunneled through a series of relays.
This protocol was developed by the NSA, in order to secure communications amongst field agents. It was then expanded to include journalists in hostile areas, as well as civilians in those same areas.
# Procedural
## Security Considerations
Users connecting via tor are, by default, anonymized. Ther activity logging is minimal, as many will appear to connect from _localhost_.
Care and consideration should be taken in deciding which services are exposed via TOR, vs the risk to the particular community. For example, some tildes may be able to expose any and all services they operate via TOR (SSH, Email, www, etc), while another tildeverse member maybe only be able to safely expose gopher. Individual admins should decide this.
## Operational Considerations
There are minimal operating considerations, aside from the load borne to manage the proxy, and encrypted connections. A new tilde may not have the resources to do this, by a larger tilde, like Thunix, has plenty of idle processor power to do so.
Care must be taken for the hidden services identity file. This cannot be managed in a public space, as doing so would be the equivalent of giving away private keys for a SSL cert.
A custom onion name may be generated using scallion or eschalot (Two individual tools used for generating custom names), in order to create a more memorable service name. If possible, a new tilde should consider requesting special access to do so, from a larger tilde, or pubnix. It can be quite CPU intensive.
## Minimal Standard
At a minimum, HTTP and gopher should be exposed via TOR, to allow many of the tildeverse services to be used via TOR. Optimally, SSH would be exposed as well, in order to allow participation in the most minimal of levels consider to be an active member of the tildeverse community.
Additionally, the individual tildeverse member should advertise their onion name on their website, to allow for discovery.
### Installation of Tor
Tor installs easily on Debian, via apt.
```
sudo apt install tor
```
This installs both the tor daemon, and torsocks. It configures Tor as a simple entry node, without relaying. Out of the box, it is safe to use to access the Tor network, and to use it as a proxy on the tildeverse machine.
You can also install Tor via the Tor provided Debian repos: [Add Tor to a Debian install](https://wiki.debian.org/DebianExperimental#To_configure_APT)
### Configuration of Tor
Tor configuration consist of editing /etc/tor/torrc (Or pertinent file for the specific distro).
The only options to change are the hidden service config options. The minimal added options should be:
```
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 70 127.0.0.1:70
```
OTHER BITS TO FIT IN SOMEWHERE
technical detail : an onion domain can have subdomains
so for a single-server tilde a single onion is enough and easier to bookmark and move around (from pad.sjdkqsjdklqsjdklqsjdqsklfjqklfhqshl.onion just replace pad with git. and you're done)
single onion services = removing server anonymity so we can have more bandwidth and better latency; good for public servers (like tildes!)
onionv3 : based on ed25519 keys so if you want pretty names you gotta go check on that (not use shallot and whatnot)
DO NOT USE ONIONv2 THIS IS TERRIBLE
when configuring an onion services tor only routes to the precise port, no direct access to other ports on the machine through tor. but since client requests are coming from localhost (from the tor daemon on the server) be careful not to expose some services to localhost or they may become available through tor (probably not what you intended)
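Review bot: the vanity-name paragraph in Operational Considerations (`A custom onion name may be generated using scallion or eschalot`) contradicts the draft's own closing notes (`DO NOT USE ONIONv2 THIS IS TERRIBLE`, `onionv3 : based on ed25519 keys`): scallion and eschalot brute-force RSA-1024 keys and can only produce v2 addresses, so anyone following that paragraph ends up with exactly the service type the notes forbid. Point it at a v3 (ed25519) generator such as mkp224o instead, and make the minimal torrc in the Configuration section pin the version with an explicit HiddenServiceVersion 3 line above the two HiddenServicePort lines, because older tor releases (including the 0.2.9 series Debian stretch ships) default to v2 and a copy-pasted config would silently create a v2 service. Two design questions should also be settled before this leaves 'proposed'. First, the "single onion services" idea in the closing notes corresponds to the torrc pair HiddenServiceNonAnonymousMode 1 and HiddenServiceSingleHopMode 1, which tor only accepts together with SOCKSPort 0; that means it cannot run on the same tor instance that the Installation section says is "safe to use ... as a proxy on the tildeverse machine", so the RFC needs to say whether a tilde runs two tor instances or gives up one of the two uses. Second, the observation that requests arrive from localhost cuts both ways: the last note is right that anything else bound to 127.0.0.1 becomes reachable only if a HiddenServicePort line names it, but per-IP controls such as fail2ban, rate limits and address-based allow/deny rules see 127.0.0.1 for every onion visitor and therefore stop distinguishing users at all; that deserves a sentence under Security Considerations next to the logging remark. Smaller corrections: the Tor History paragraph's claim that the protocol was developed by the NSA is wrong (onion routing came out of the U.S. Naval Research Laboratory and Tor itself from the Tor Project, Dingledine and Mathewson), so fix or drop it; a tor client that does not relay is not an "entry node", it is just a client; the link captioned "Tor provided Debian repos" points at the Debian wiki page on the experimental suite rather than at the Tor Project's apt repository, so the caption or the URL is wrong; and the HiddenServiceDir paragraph should add that the directory must be owned by the tor user with mode 0700 (tor refuses to start otherwise) and that backing it up privately, not merely keeping it out of a public repo, is what lets a tilde keep its onion address across a reinstall. Typos to fix in the same pass: "Ther" for "Their", "maybe only be able" for "may only be able", "by a larger tilde" for "but a larger tilde", "consider to be" for "considered to be", "bi-directional connects" for "bi-directional connections", and the hunk's "OTHER BITS TO FIT IN SOMEWHERE" block should be folded into the sections above rather than merged as a scratch list.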