imputnet / cobalt

best way to save what you love
https://cobalt.tools
GNU Affero General Public License v3.0

cobalt as a Tor .onion service #231

Closed jbmagination closed 10 months ago

jbmagination commented 11 months ago

I think it'd be really nice if cobalt was available as a .onion service for Tor users. I probably don't have to explain to you who Tor is used by, but you do also mention cobalt is used by journalists and that it respects your privacy. I can see having a .onion service being helpful in serving both these interests.

regular Tor does circumvent censorship, but the exit relay could still snoop on traffic if they really wanted to. .onion services anonymize both sides of communication (client/server) so there's no metadata communicated between them - it's entirely end-to-end.

as someone who's pretty paranoid about privacy, censorship, and cares a lot about internet archival and preservation, I personally would use it over the regular cobalt.tools. I'm probably the only person who accesses it over Tor lmfao, but if I'm not then go figure I guess

however, I also know that this is not exactly all sunshine and rainbows to set up lmfao - so I wanted to bring up some other things to consider:

I know you're sponsored by Royale Hosting, so if you do want to do this chat with them first! feel free to check out Tor's website and this list.

ghost commented 11 months ago

I think that wouldn't work because, as far as I know, cobalt saves a hashed version of your IP address temporarily (20 seconds) to identify you, then send you the requested video.

(Source: it was mentioned on the website a little while ago, until it was rewritten to a simpler sentence. I'm not sure if wukko has changed the system to be more privacy friendly.)

jbmagination commented 11 months ago

oh yeah I didn't even think about that tbh. I think that wouldn't be much of an issue though as like 99% of traffic won't be through Tor anyway, and any hashed IP that comes through would just be a Tor exit node. and while that would be anyone who collectively exits through that node, there's like more than 1,000 so that's almost guaranteed to not affect anyone

wukko commented 11 months ago

> cobalt saves a hashed version of your IP address temporarily (20 seconds) to identify you, then send you the requested video

this was removed from privacy policy because cobalt no longer keeps any personal information about you that isn’t necessary to perform the download (aka download links and its metadata)

wukko commented 11 months ago

> any hashed IP that comes through would just be a Tor exit node. and while that would be anyone who collectively exits through that node, there's like more than 1,000 so that's almost guaranteed to not affect anyone

the sha256 hash was impossible to recreate because it was salted with a rotating key, so it could not possibly affect anyone even if it was to somehow ever leak.

jbmagination commented 11 months ago

> the sha256 hash was impossible to recreate because it was salted with a rotating key, so it could not possibly affect anyone even if it was to somehow ever leak.

didn't know it was rotating; I thought that was being collected for rate limiting purposes

wukko commented 11 months ago

slight update: rate limiting is still done with hashed ip, but it isn't effective as salt rotates, i will either fix or remove it in a future update.
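
Added example, not part of the thread and not cobalt's code: a sketch of why a rate limiter keyed on a salted IP hash stops limiting once the salt rotates faster than the limit window, and how matching the salt lifetime to the window restores it. The class name, limit, intervals and the address are constructed assumptions.

```javascript
const { createHmac, randomBytes } = require("node:crypto");

// Hypothetical fixed-window limiter. Keys are HMAC-SHA256(salt, ip); the salt
// is replaced every saltLifetimeMs, so a stored key cannot be recomputed later.
class HashedIpLimiter {
  constructor({ limit, windowMs, saltLifetimeMs }) {
    Object.assign(this, { limit, windowMs, saltLifetimeMs });
    this.salt = randomBytes(32);
    this.saltEpoch = 0;
    this.hits = new Map(); // hashed key -> { windowStart, count }
  }

  key(ip, now) {
    const epoch = Math.floor(now / this.saltLifetimeMs);
    if (epoch !== this.saltEpoch) {
      this.salt = randomBytes(32); // old salt is gone for good
      this.saltEpoch = epoch;
      this.hits.clear();           // old keys can never match again
    }
    return createHmac("sha256", this.salt).update(ip).digest("hex");
  }

  allow(ip, now) {
    const k = this.key(ip, now);
    let entry = this.hits.get(k);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      entry = { windowStart: now, count: 0 };
      this.hits.set(k, entry);
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}

// Replay one request per second for 60 s from a single (constructed,
// documentation-range) address and count how many the limiter lets through.
// The limit is 20 requests per 60 s window.
function allowedInOneMinute(saltLifetimeMs) {
  const limiter = new HashedIpLimiter({ limit: 20, windowMs: 60_000, saltLifetimeMs });
  let allowed = 0;
  for (let t = 0; t < 60_000; t += 1_000) {
    if (limiter.allow("203.0.113.7", t)) allowed += 1;
  }
  return allowed;
}
```

With a 10 s salt lifetime, `allowedInOneMinute(10_000)` lets all 60 requests through because every rotation hands the same client a fresh key; with the salt lifetime equal to the 60 s window, `allowedInOneMinute(60_000)` stops at the limit of 20 while still discarding the salt afterwards.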

jbmagination commented 11 months ago

oh wait no it won't close the issue i may be a slight dumbass