Noting the default configuration does not turn your server into a relay or exit node, in case anyone interprets this that way.
Thanks for offering a .onion, bookmarked for the caddy configuration.
https://tpo.pages.torproject.net/core/arti/
https://gitlab.torproject.org/tpo/core/arti/-/blob/main/CHAN...
Hosting onion services is apparently still a work-in-progress, though, and turned off by default.
Not disagreeing or agreeing, but "best practice" is probably one of the concepts together with "clean code", that has as many definitions as there are programmers.
Most of the time it depends on context, on what else is going on in life, where the priorities lie and so on. Don't think anyone can claim for others what is or isn't "best practice" because we simply don't have enough context to know what they're basing their decisions on nor what they plan for the future.
Tor is already encrypted, that’s why you don’t need TLS. Some services (like the hidden service from Facebook back in the days) have https but that was more of a vanity from what I remember.
It has a functional difference as well, lots of new client-side features (like webcrypto) only work on "Secure Origins" which .onion isn't, but websites behind TLS are. So if you wanna deploy say something that encrypts/decrypts something client-side on .onion, you unfortunately need TLS today otherwise the APIs aren't available.
Of course browsers could fix this, but I don't think they have any incentives to do so. I guess Tor Browser could in fact fix this, and maybe they already do, but it'd be a patch on top of Firefox I think, something they probably want to do less of, not more.
One could argue, given the limited bandwidth of the Tor network, that by using it when you don't need it, you make the experience for those that do need it worse (looking at you, everyone who tries to torrent over tor).
edit: oh, is the last relay the onion service? So the entire chain is encrypted?
https://proton.me/blog/tor-encrypted-email
In the above blog post, they seem to imply that they made HTTPS mandatory for Proton Mail over Tor for security reasons.
tl;dr: Pressure from browsers, enterprise, and the overall ecosystem to use HTTPS (e.g., unavailability of advanced web features without HTTPS) is pushing for the use of HTTPS without exception, even for .onion sites with no significant technical advantage.
I don't know if onion links are discoverable/crawlable, so I can't claim if this is more secure than just listening on port 22 on the open internet.
torsocks is a very useful tool for easily running programs like ssh through tor with no advance setup.
https://www.forbes.com/sites/jeffkauflin/2022/09/20/profanit...
This tool uses proper crypto/rand initialisation of the starting key https://github.com/AlexanderYastrebov/onion-vanity-address/b...
Check out my other vanity generators (they all use crypto/rand):
https://github.com/AlexanderYastrebov/wireguard-vanity-key
https://github.com/AlexanderYastrebov/age-vanity-keygen
https://github.com/AlexanderYastrebov/ethereum-vanity-addres...
That jazz is increasingly played by the same band of 185.220.0.0/16 exit nodes, and plays it in a scale which is all but Anonymian.
It's also not such a big deal, provided they aren't messing with your exit traffic which you did encrypt, right? There are few exit nodes, but a great many non-exit nodes which still help anonymize your traffic. If you think it's a problem though, run an exit node.
Maybe I'm wrong, but it would look more benign to have exit nodes distributed without this much bias towards that particular subnet.
[0] https://metrics.torproject.org/rs.html#search/185.220.100
[1] https://metrics.torproject.org/rs.html#search/185.220.101
Source: I'm its director and founder of torservers.net. Usually using a different nick here.
.onion is not a way to own your domain. Even though you may have the private key and no one else does, the true owners of your domain remain the tor project themselves, as they can make it inaccessible to tor clients any time they want. They have before, they will again. And they aren't going to listen to any community feedback about it. Tor .onion is only for people that don't care about longevity or links working. Only for people who have 'security' as their number 1 and only concern.
I wasted a decade building my personal sites and casual communities on .onion. I won't be fooled again. A dot com or org is just as much mine as a .onion is, unfortunately, and at least those don't all disappear every 10 years.
Just saying, this is an important distinction to me and I've been hosting tor nodes since the 2000s.
Archiving information, and making it available, is sometimes more powerful than anonymous proxying.
Especially if there's an anonymous proxy available to that archive. ;)
You are correct that this solution does not prevent problems if the server goes down. This particular approach aims to reach a larger audience, while your idea of mirroring enables resiliency.
Both approaches have their use cases and can even be combined too!
TIL that Onion-Location is a header, only knew about the <meta> element.
<meta http-equiv="onion-location" content="http://<your-onion-service-address>.onion" />
Having to deal with law enforcement is unlikely even if you run a normal, encrypted, TOR relay.
Exit nodes, on the other hand, will most likely get letters or even visits by law enforcement. But those are not involved at all when just running an onion service.
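The v3 address format that both the vanity generators linked above and the Onion-Location value rely on, as an added Python example (not code from the thread or from any of the linked projects): it derives a .onion hostname from a 32-byte ed25519 public key the way Tor does (base32 of key + 2-byte SHA3-256 checksum + version byte 0x03) and validates an Onion-Location URL by re-checking that checksum and version. The public key used is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import re

ONION_VERSION = b"\x03"  # v3 onion services; the last address char is always "d"
# Onion-Location must be an http(s) URL whose host is a 56-char base32 label
# (optionally with subdomains, which the Tor client ignores) under .onion.
ONION_URL_RE = re.compile(
    r"^https?://(?:[a-z0-9-]+\.)*([a-z2-7]{56})\.onion(?:[:/].*)?$"
)


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum from Tor's rend-spec-v3 address construction."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion hostname for a 32-byte ed25519 public key.

    Vanity generators brute-force keys until this string starts with the
    wanted prefix; the prefix is just the base32 of the key's first bytes.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_location(value: str):
    """Validate an Onion-Location header/meta value.

    Returns the embedded public key if the URL is well-formed and the
    checksum and version byte verify, otherwise None.
    """
    match = ONION_URL_RE.match(value.strip().lower())
    if not match:
        return None
    raw = base64.b32decode(match.group(1).upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed placeholder, not a real key
    addr = onion_address(demo_key)
    print(addr)
    print(parse_onion_location(f"http://{addr}/") == demo_key)
```

Tor Browser only honours Onion-Location on pages it fetched over HTTPS, so the header is one more reason a clearnet site pointing at an onion service still needs a certificate.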
Or do, and call your bank's customer support until they fix it.
Or wait until the next day when it's your neighbour's problem because your IP changes every day and your bank gets a bunch of complaints from different customers who are your neighbours.
I know they can, and sometimes do, but do people really experience this daily/weekly?
On DSL networks it's been the opposite: if the PPPoE session was lost I was definitely going to get a new IP address, and on some providers the session would be reset every 1-7 days, so the IP would change at exactly the same time of day, which almost always ended up being in the middle of a work day, corresponding with whenever the equipment was last rebooted due to some other problem. I got in the habit of setting up my equipment to restart on its own terms in the middle of the night on those providers, but this came with its own downsides when something would go wrong and it'd fail to negotiate.
Yeah, or, hear me out... Someone used the exit node for active attacks. (Gasp! What? On my onion?)
Surely I can't be the only one to think of this right?
Here's one article that alludes to it re: CIA informants in Iran, but I seem to remember China killing US spies and it just not making the news at all
"an analysis by two independent cybersecurity specialists found that the now-defunct covert online communication system that Hosseini used – located by Reuters in an internet archive – may have exposed at least 20 other Iranian spies and potentially hundreds of other informants operating in other countries around the world.
This messaging platform, which operated until 2013, was hidden within rudimentary news and hobby websites where spies could go to connect with the CIA. Reuters confirmed its existence with four former U.S. officials."
https://www.reuters.com/investigates/special-report/usa-spie...
>https://blog.torproject.org/introducing-webtunnel-evading-ce...
>WebTunnel is a censorship-resistant pluggable transport designed to mimic encrypted web traffic (HTTPS) inspired by HTTPT. It works by wrapping the payload connection into a WebSocket-like HTTPS connection, appearing to network observers as an ordinary HTTPS (WebSocket) connection. So, for an onlooker without the knowledge of the hidden path, it just looks like a regular HTTP connection to a webpage server giving the impression that the user is simply browsing the web.
Personally, I doubt the US TLAs have a need to operate any relays themselves. They can simply wiretap, and use control flow data for correlation when necessary. Tor can still be useful for all those who do not try to hide from the few agencies who may have this kind of visibility.
The relay community is pretty good in terms of interacting with each other. There are real-world meetings to get to know others in the space, which may make you also more comfortable seeing their personal reasons for providing bandwidth.
Did I understand correctly? You can create a site with a .onion extension without a domain on a hosting service.
I'm thinking. If you can do it this way with .onion, can you do it with something else? That would be a bit unusual.
If that were possible, being able to customize the extensions would be interesting. Being able to customize brand names. Like .mybrand, or .egg, .bread, whatever you want.