freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Support Single Onion Services #2041

Open psivesely opened 7 years ago

psivesely commented 7 years ago

Feature request

Description

Single Onion Services (SOSs) are a new tor feature as of 0.2.9.8. Reduced to the most relevant distinctions, SOSs provide the unique authenticity properties of onion services, while sacrificing service anonymity for performance (3 relays between client and server instead of 7 with a traditional onion service). Since as it is, the SecureDrop system does not attempt to provide service anonymity (nor is this a priority), switching to SOSs even as a default option seems sensible.

Let's first review the reasons we do use onion services for SD:

  1. Forces sources to use tor to access SD instances (now that all major browsers refuse DNS lookups on .onion domains this works well).
  2. May provide better authenticity than HTTPS (esp. if you cross-check the onion URL on both the landing page and SD directory, or you got the URL from print media / out-of-band). Doesn't rely on CAs being honest or impervious to compromise.
  3. Allows us to keep all incoming ports blocked in our firewall rules.
  4. Supports authentication via a shared cookie.
  5. Traverses NAT.

Now, considering we won't lose any of these properties by switching to SOSs, and we have much to gain in terms of performance (both latency and bandwidth), it seems like an easy sell. That said, consideration should be taken in terms of deployment. In order to minimize the number of times an instance's URL changes, it seems best to wait until next-generation onion services are stable and make the switch to both at the same time.

User Stories

Namaste Shawty wants to leak some sick beats to a SD instance, but doesn't have patience to wait for hours for the 100MB upload to complete. She makes sure to pick an instance that has upgraded to SOSs, and consequently waits a much shorter time for the upload to finish.

Michael Turko wants to provide a way for San Diegans to leak photos of how runoff from a city water system pipe is damaging their yard and other mundane problems, but knows that the longer people must wait for an upload, and the more hops it travels through, the greater chance there is for failure. Turko waits for SD to implement SOS support before setting up his instance, and when he goes through the install process a SOS is set up by default and it just works™.
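A configuration-level view of the switch proposed above, added here as an example and not SecureDrop's or tor's own code. It shows a constructed torrc for a traditional onion service next to the same service in single onion mode, and checks the two constraints tor's manual places on that mode: HiddenServiceSingleHopMode 1 requires HiddenServiceNonAnonymousMode 1, and a non-anonymous instance must not also run client-side services, so SOCKSPort must be 0 (tor's default when the directive is absent is 9050). The directive names are real tor options; the torrc samples and the /var/lib/tor/services/source path are constructed for this example.

```python
"""Check a torrc for a consistent Single Onion Service configuration.

Added example, not SecureDrop or tor code. Enabling single onion mode
deliberately gives up the service's location anonymity, which is the
trade-off the feature request accepts; the checks below catch the two
misconfigurations tor documents for that mode.
"""

# Constructed sample: a traditional onion service (service stays anonymous).
TRADITIONAL = """\
SOCKSPort 0
# hypothetical service directory
HiddenServiceDir /var/lib/tor/services/source
HiddenServicePort 80 127.0.0.1:80
"""

# Constructed sample: the same service as a single onion service.
SINGLE_ONION = """\
SOCKSPort 0
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
HiddenServiceDir /var/lib/tor/services/source
HiddenServicePort 80 127.0.0.1:80
"""

# Constructed sample: single-hop mode set without the non-anonymous mode.
MISSING_NON_ANONYMOUS = """\
SOCKSPort 0
HiddenServiceSingleHopMode 1
HiddenServiceDir /var/lib/tor/services/source
HiddenServicePort 80 127.0.0.1:80
"""

# Constructed sample: both modes set but SOCKSPort left at tor's default.
SOCKS_LEFT_OPEN = """\
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
HiddenServiceDir /var/lib/tor/services/source
HiddenServicePort 80 127.0.0.1:80
"""


def parse_torrc(text):
    """Map each directive (lower-cased; tor keys are case-insensitive) to the
    list of values it was given, in file order. Comments and blanks are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, []).append(value)
    return opts


def _enabled(opts, directive):
    """A 0/1 directive is on if its last occurrence is 1; absent means 0."""
    values = opts.get(directive.lower())
    return bool(values) and values[-1] == "1"


def check_single_onion(text):
    """Return a list of findings for the torrc text; empty means consistent."""
    opts = parse_torrc(text)
    single_hop = _enabled(opts, "HiddenServiceSingleHopMode")
    non_anonymous = _enabled(opts, "HiddenServiceNonAnonymousMode")
    # SOCKSPort accepts forms like "0", "9050", "127.0.0.1:9050"; a first
    # token of "0" is what disables the client-side listener.
    socks_values = opts.get("socksport", ["9050"])
    socks_open = any(v.split()[0] != "0" for v in socks_values if v)

    findings = []
    if single_hop and not non_anonymous:
        findings.append("HiddenServiceSingleHopMode 1 requires "
                        "HiddenServiceNonAnonymousMode 1")
    if non_anonymous and socks_open:
        findings.append("HiddenServiceNonAnonymousMode 1 requires SOCKSPort 0: "
                        "a single onion instance must not also act as a client")
    if "hiddenservicedir" not in opts:
        findings.append("no HiddenServiceDir configured")
    return findings


def mode_of(text):
    """Describe which kind of service the torrc configures."""
    opts = parse_torrc(text)
    if _enabled(opts, "HiddenServiceSingleHopMode"):
        return "single onion service (service location not anonymous)"
    return "traditional onion service (service location anonymous)"


if __name__ == "__main__":
    samples = [("traditional", TRADITIONAL), ("single onion", SINGLE_ONION),
               ("missing non-anonymous", MISSING_NON_ANONYMOUS),
               ("socks left open", SOCKS_LEFT_OPEN)]
    for name, sample in samples:
        print(f"{name}: {mode_of(sample)}")
        for finding in check_single_onion(sample) or ["ok"]:
            print("  -", finding)
```

The check treats the last occurrence of a directive as authoritative, which matches how tor resolves repeated single-value options, and it reads SOCKSPort as 9050 when absent so that a torrc which merely forgets the directive is still flagged.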

garrettr commented 7 years ago

Another potentially compelling user story would be to use SOS for the SSH ATHS. SSH over THS is very unpleasant due to the high latency. I am not sure if SOSs support ATHS, so I'm testing that now.

psivesely commented 5 years ago

I talked to a FB employee the other week who runs their onion service and he told me that the single onion service loads much faster even than visiting facebook.com over Tor. This is because the bottleneck in the Tor network is the exit nodes, and the guards / middle nodes have plenty of extra bandwidth to spare. So while connecting to facebook.com and their single onion service both require 4 hops, the latter doesn't involve an exit node and thus provides a much better and faster user experience.