TOR hidden service

[joeuelk]

Would be nice to have keybase.io available as a TOR hidden service at some point.

Duck Duck Go does this: http://search.slashdot.org/story/10/09/25/0242244/DuckDuckGo-Search-Engine-Erects-Tor-Hidden-Service

[zQueal]

Keybase is a tool designed to verify your identity, and Tor is a tool designed to completely mask your identity. I really don't understand what you hope to accomplish from this?

[joeuelk]

I thought I read something about them wanting to setup up a mail relay in the future. If that's true someone who has an SMTP server behind a TOR hidden service might want to have mail relayed from keybase to that address.

Besides that, what's the harm in just keeping all traffic inside the TOR network for clients coming in from a TOR client?

[zQueal]

Well no, there's no harm. It just seemed counter productive to me. However, I didn't really think about the mail relay, which would actually be a pretty great idea. Sending and receiving PGP encrypted mail via Tor would basically be ideal for any security enthusiast.

[WillMorrison]

I seem to recall something about default Tor exit node policies blocking mail-related ports to cut down on spam. If this is true, then any such mail relay would have to have Tor-Tor and clearnet-clearnet versions to get around these, as the exit policies would mess with Tor-clearnet traffic.

@Xanza Some users may wish to remain pseudonymous, in that their identity is strongly established, but not linkable to a meatspace identity. For example, if I wanted to write and distribute some controversial software with signed releases, but wanted to make it hard for people to physically find me, I could create new github/social/PGP identities, and link them together with Keybase, all while using Tor. This isn't really a reason to set up a hidden service, but just an illustration of how they can co-exist. The hidden service here would serve to keep the traffic inside the Tor network as @joeuelk mentioned, thus better avoiding the problem of compromised exit nodes, which is a whole other can of worms.

[bgpugh]

@WillMorrison And don't forget that running as a hidden service might have some (albeit minor) performance wins by not needing to route through a (possibly highly traffic'd) exit node and/or by running as an exit enclave (though that may be less useful as time goes on)

[maxtaco]

We're now publishing keybase.io as a hidden service at fncuwbiisyh6ak3i.onion

Let me know if anything is weird.

[zQueal]

It could be me, however, I'm testing it out on Tor, and it seems like I'm unable to do anything other than view the website. Login doesn't work.

EDIT: Verify works just fine.

Still can't login through.

[maxtaco]

Good point. For me, Scrypt took forever but eventually worked.

The issue, I believe, is that cookies are being set for .keybase.io and the domain is foobar.onion

I'll see if I can figure something out.

[maxtaco]

It was a cookie problem; cookies weren't being set for the Tor hidden service for two reasons: Set-Cookie header was specifying .keybase.io; and second, it was specifying Secure. Should work now, let me know if not. Thanks!

[zQueal]

Working great now! Seems a tiny bit faster, too.

[markcoker]

error: Host 'fncuwbiisyh6ak3i.onion:null' refused connection; maybe the server is down

[maxtaco]

Seems to work for me. Are you sure you're running the tor service locally? we require that.

[berrythesoftwarecodeprogrammar]

works completely fine for me

[jonathancross]

I am happy the Tor hidden service is up! Most users will be accessing this hidden service via the Tor Browser. The Tor Browser comes with NoScript extension turned on by default to prevent leaking private information via JavaScript. Unfortunately most of the website seems to break without JavaScript.

I would like to help adapt the website to work without JS (eg: Progressive Enhancement design strategy for example), do you plan to Open Source the website code?

Note: Progressive Enhancement has added benefits in terms of accessibility and could even allow alternative clients like lynx, etc. (even if some functionality must be sacrificed, it would be great to have the basics working).

[chungy]

Might I make a suggestion that the Tor hidden service have a TLS certificate? While Tor already nullifies the purposes of encryption, it might be difficult to verify the identity of the hidden service and that you are, in fact, talking to the real Keybase and not a phishing version. It wouldn't be infeasible for an attacker to generate a vanity address where the first 5-6 characters match the real hidden service, and it could be difficult to notice such a swap on the URL bar.

Facebook, as an example, already does this for their hidden service, for the same reason: https://www.facebookcorewwwi.onion/

[kode54]

@jonathancross Maybe you may or may not realize this, but the reason for all the Javascript is so that the encryption and decryption of messages, and the decryption of your private keys, all happens on the client side. If you want a script-less client side, then the server has to have access to both your passkey and your private key in the clear, at least while it is using them.

E: I just noticed this issue was last posted in two years ago. Apologies for the bump, I found it from a Google search.

[jonathancross]

@kode54 Yes, I'm aware that some functions such as encryption in the browser cannot be done in a secure manner without JavaScript. But the vast majority of the site is read-only info and all of that would work flawlessly without JavaScript (if built correctly). I've built and maintained hundreds of websites for Google that work this way.

Personally, I don't even use the encryption and verification capabilities in the browser as these things work much better from desktop software (and are more secure there). Instead I'm looking up people's keys, usernames, photos, checking social media handles, seeing proof posted, checking who follows who, etc.

[Mikaela]

Is the Tor service down currently?

└┌(%:~)┌- keybase id mikaela

▶ INFO Error checking feature "ftl": API network error: Get http://keybase5wmilwokqirssclfnsqrjdsi7jdir5wy7y7iu3tanwmtp6oid.onion/_/api/1.0/user/features.json?features=ftl: Can't complete SOCKS5 connection. [tags:chat-trace=xaiKwwOi1fKU]                                                                              
▶ ERROR API network error: doRetry failed, attempts: 3, timeout 5.324s, last err: Get http://keybase5wmilwokqirssclfnsqrjdsi7jdir5wy7y7iu3tanwmtp6oid.onion/_/api/1.0/merkle/path.json?c=1&last=5545093&load_deleted=1&load_reset_chain=1&poll=10&sig_hints_low=11&uid=f6592c0e050967553c04b4e5f475da00: Can't complete SOCKS5 connection. (code 1601)

Tor: Jun 11 13:55:50 sedric Tor-client[5931]: Closed X streams for service [scrubbed].onion for reason resolve failed. Fetch status: No more HSDir available to query.

[heronhaye]

Seems like it, could you try again now?