Tox / tox.chat

The Tox Project's official website
https://tox.chat
Creative Commons Attribution Share Alike 4.0 International

Tor onion site for tox.chat #193

Open tox-user opened 6 years ago

tox-user commented 6 years ago

Since Tox requires usage of Tor to not leak metadata, many Tox users have to use Tor. It could be useful to have tox.chat as an onion service. It would be to make sure that our website can never be censored (by governments or DDoS attacks) and to give additional protection to Tor users. It's easy to imagine an oppressive government censoring websites related to privacy, especially ones that offer software for private communication. When connecting to an onion service, the user's traffic never leaves the Tor network, which means there is no need for using exit nodes. That means we free up their bandwidth and get an additional layer of encryption. Because of this encryption such a website doesn't need to (but can) use the flawed https, which should increase security for Tor users.

Some other software projects that use onion services:

A guide for creating onion services: https://www.torproject.org/docs/tor-onion-service.html and how they work: https://www.torproject.org/docs/onion-services

nurupo commented 6 years ago

> Since Tox requires usage of Tor to not leak metadata, many Tox users have to use Tor.

Why do you use such a broad word as "metadata"? It's just the IP that it prevents leaking. Also, Tox doesn't require the use of Tor, any HTTP or SOCKS proxy can hide your IP. In fact, Tor is a SOCKS proxy.

> It could be useful to have tox.chat as an onion service. It would be to make sure that our website can never be censored (by governments or DDoS attacks) and to give additional protection to Tor users.

Our website is hosted on Digital Ocean in the USA, of course it can be easily monitored, censored or taken down by governments. Also, hosting the onion website on the same VPS, which is what is going to happen due to lack of any other server infrastructure elsewhere, wouldn't help against a DDoS attack. If someone manages to DDoS the VPS, nothing hosted on it would work, so both the Internet-facing website and the onion website would be down. So no, having tox.chat as an onion service wouldn't help against DDoS, and while it can help against government censorship, it won't due to the lack of server infrastructure.

> such a website doesn't need to (but can) use the flawed https

When did https become flawed all of a sudden?

What is the point of having tox.chat available on Tor if all downloads and other things that tox.chat links to are on the Internet, not on Tor? You can't do anything meaningful on the website without leaving Tor intranet. It wouldn't be much of an improvement over accessing it through a Tor exit node. Doesn't sound like it's worth the trouble to make it available on Tor.

tox-user commented 6 years ago

> Why do you use such a broad word as "metadata"? It's just the IP that it prevents leaking. Also, Tox doesn't require the use of Tor, any HTTP or SOCKS proxy can hide your IP. In fact, Tor is a SOCKS proxy.

Everyone in the user's network, including their ISP, can see who the user talks to, when and for how long. That is what I call metadata. The user's TCP relay can see that too if they are using one. In addition, as you said, everyone who the user talks to can see who they are (by their IP address). Tor prevents all of that by making you anonymous. Your ISP and people on your network will not see who you talk to, just that you are connecting to Tor, and your peers will only see that they are talking to someone using Tor. It is true that you can use any proxy, but it will not be as good. Tor encrypts your traffic with many layers of encryption and bounces it around the world, in a distributed network hosted by volunteers, so I think it does more than a regular proxy.

> When did https become flawed all of a sudden?

The flaw is that it requires CAs that you are forced to trust to provide you authentication to the website and encryption. Tor doesn't rely on that and doesn't even rely on DNS.

> What is the point of having tox.chat available on Tor if all downloads and other things that tox.chat links to are on the Internet, not on Tor?

External sites that tox.chat links to don't have to be on Tor. For example it links to Twitter and Facebook. Facebook has an onion site, but we can't expect Twitter and other websites to create one too. I'm not sure about the downloads yet. It looks like other projects host their downloads on clearnet and their Tor website links to that.

nurupo commented 6 years ago

> Everyone in the user's network, including their ISP, can see who the user talks to, when and for how long. That is what I call metadata.

Alright, so you consider it from ISP's side too, not just the Tox user you are talking with, which you leak only your IP to. Fair enough.

> The flaw is that it requires CAs that you are forced to trust to provide you authentication to the website and encryption. Tor doesn't rely on that and doesn't even rely on DNS.

It's the fundamental flaw of the secure communication that you must trust someone. With TLS you have to trust CAs to correctly indicate if a public key indeed belongs to the website. With Tor you have to trust the source and the communication medium that you get the website's onion address from (if I understood it right, addresses are public keys in Tor). For example, if tox.chat's onion website link is provided on tox.chat, then you need to trust tox.chat website, it becomes your CA in a way, and you also need to trust your communication with tox.chat to be secure (which will be TLS). In the end it doesn't solve the problem of trust, you still have it, you just have to trust someone else now.

Btw, CAs don't provide encryption, they have no access to your private key, all they do is sign your public key along with the data about your website like the hostname.

Of course there can be rogue CAs or governments that pre-install their own CAs on computers to make you believe that public key foo belongs to website bar when that's not the case, but similar applies to Tor/Tox, there can be rogue sources of onion addresses / tox ids that make you believe that foo belongs to onion website / tox user bar.

> External sites that tox.chat links to don't have to be on Tor. For example it links to Twitter and Facebook. Facebook has an onion site, but we can't expect Twitter and other websites to create one too. I'm not sure about the downloads yet. It looks like other projects host their downloads on clearnet and their Tor website links to that.

Right, I don't see much gain in hosting an onion website. Especially if we are going to host it on the same VPS that we host the Internet-facing version of the website. If the website is censored in your country or you want to view it anonymously, then just access it through Tor, just like you would if it was an onion service, except you would go through an exit node. If you want to download a client or access something else the website points to, you'd need to go through an exit node anyway, since those are hosted on different services like Jenkins, GitHub, personal websites of developers, etc., so what's the difference? Don't really see why it's worth having tox.chat as an onion website.
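The remark above that onion addresses are public keys can be made concrete. This is an added example, not part of the thread or of the Tox project's code; it assumes v3 onion addresses as laid out in Tor's rend-spec-v3, and the sample key is constructed bytes rather than a real service key.

```python
import base64
import hashlib

VERSION = b"\x03"              # v3 onion services
PREFIX = b".onion checksum"    # constant string from Tor's rend-spec-v3


def checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | pubkey | version)."""
    return hashlib.sha3_256(PREFIX + pubkey + VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address: base32(pubkey | checksum | version) + ".onion"."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> bytes:
    """Return the 32-byte public key, or raise ValueError if malformed."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(host.upper())   # 56 characters -> 35 bytes
    pubkey, check, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion version")
    if check != checksum(pubkey):
        raise ValueError("checksum mismatch (typo or altered address)")
    return pubkey


if __name__ == "__main__":
    sample_key = bytes(range(32))   # constructed bytes, not a real service key
    addr = encode_onion_v3(sample_key)
    print(addr, decode_onion_v3(addr).hex())
```

A passing checksum only shows that the string is a well-formed encoding of some key; whether that key is tox.chat's still depends on where the address was obtained, which is the trust question debated in this thread.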

tox-user commented 6 years ago

> It's the fundamental flaw of the secure communication that you must trust someone. With TLS you have to trust CAs to correctly indicate if a public key indeed belongs to the website. With Tor you have to trust the source and the communication medium that you get the website's onion address from (if I understood it right, addresses are public keys in Tor). For example, if tox.chat's onion website link is provided on tox.chat, then you need to trust tox.chat website, it becomes your CA in a way, and you also need to trust your communication with tox.chat to be secure (which will be TLS). In the end it doesn't solve the problem of trust, you still have it, you just have to trust someone else now.

With https I have to trust hundreds of CAs. In Tor I only have to trust that the website address is correct and it's my own responsibility to check that. We can put or link to a GPG signed message confirming our onion address. I know of at least one website that did that: https://gist.githubusercontent.com/mtigas/0d49b42fab6f9d2f7e69/raw/2-tor (from https://www.propublica.org/nerds/a-more-secure-and-anonymous-propublica-using-tor-hidden-services). We don't even have to put it on tox.chat. It can be somewhere on our blog instead.

> Right, I don't see much gain in hosting an onion website. Especially if we are going to host it on the same VPS that we host the Internet-facing version of the website. If the website is censored in your country or you want to view it anonymously, then just access it through Tor, just like you would if it was an onion service, except you would go through an exit node.

One of the strong points of Tox is that it's decentralized. We should provide users with more ways to access our website if possible. What if the website becomes censored in the country it's hosted in? Or for some reason we lose the tox.chat domain? Of course it doesn't make sense to host an onion website on the same server as our clearnet website. I agree with you on that. It would probably be the best if we could host the downloads on our own website and on our onion website.

nurupo commented 6 years ago

> What if the website becomes censored in the country it's hosted in?

They can access it through Tor.

> Or for some reason we lose the tox.chat domain?

I don't think this argument has anything to do with Tor.

tox-user commented 6 years ago

I meant that if the server gets shut down or if we lose the domain people won't be able to access the website anymore. Having an onion service would also most likely help us reach more people. Tor users are already interested in privacy, so many of them must be interested in secure messaging apps.

emdee-is commented 5 months ago

> > It could be useful to have tox.chat as an onion service. It would be to make sure that our website can never be censored (by governments or DDoS attacks) and to give additional protection to Tor users.

> Our website is hosted on Digital Ocean in the USA, of course it can be easily monitored, censored or taken down by governments. Also, hosting the onion website on the same VPS, which is what is going to happen due to lack of any other server infrastructure elsewhere, wouldn't help against a DDoS attack. If someone manages to DDoS the VPS, nothing hosted on it would work, so both the Internet-facing website and the onion website would be down. So no, having tox.chat as an onion service wouldn't help against DDoS, and while it can help against government censorship, it won't due to the lack of server infrastructure.

Yes and no. The censorship might only be directed at the standard incoming ports 80/443 and might not be applied to the outgoing ports Tor uses: Tor initiates connections to a number of ports when it starts up.

And having the onion access allows the users of it to connect without being tracked, which is an advantage in itself.

> > such a website doesn't need to (but can) use the flawed https

Https is flawed because it's almost trivially crackable up to TLSv1.3, above and beyond the CAs problem.

> What is the point of having tox.chat available on Tor if all downloads and other things that tox.chat links to are on the Internet, not on Tor? You can't do anything meaningful on the website without leaving Tor intranet. It wouldn't be much of an improvement over accessing it through a Tor exit node. Doesn't sound like it's worth the trouble to make it available on Tor.

It's worth the trouble to make it available on Tor for the people who need to not be seen using it, and we have had requests for it on #TokTok. Besides, as Tox supports Tor, it would be expected of tox.chat by anyone who knows Tor.

@nurupo if you really want to help, could you also run a hidden service BSnode at the same time, and put the onion address in the nodes.json entry; see https://github.com/TokTok/c-toxcore/issues/2331#issuecomment-1922794392. This would help us have a testbed to test "Tox in Tor".