Feature #11556

Use Onion Services for APT

Added by flapflap about 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 07/03/2016
Due date:
% Done: 100%
Feature Branch: feature/11556-apt-with-onions
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

Currently, /etc/apt/sources.list makes use of apt-transport-tor (tor+http://) to fetch the repo lists from the normal Debian mirrors via the Tor Exit node.
This could, however, be done through Tor entirely since there exist official mirrors that are Tor Onion Services, such as vwakviie2ienjx6t.onion.

https://wiki.debian.org/TorifyDebianServices

Pros:
  • Traffic stays within Tor, avoidance of metadata
  • End-to-End encryption to the Onion Service
  • (debatable) Fingerprinting of Tails users (what diffs were missing? when was the last package list update?) at the Tor Exit might become more difficult
Cons:
  • Adds load to the Onion mirror
  • Packages are signed with GnuPG anyway
  • Might be slower than non-Onion Service access

Related issues

Related to Tails - Feature #8143: Use apt-transport-https to protect against security issues in APT? Rejected 10/16/2014

Associated revisions

Revision 8438ca88 (diff)
Added by intrigeri over 2 years ago

At boot time, point APT sources to Onion services (refs: #11556).

Revision e2510fae (diff)
Added by intrigeri over 2 years ago

Test suite: have APT tests configure APT to use non-onion sources (refs: #11556).

Our test suite uses Chutney to create a virtual, private Tor network, and thus
doesn't support connections to Onion services running in the real Tor network.

Too bad this change implies that we don't exercise exactly the config we ship
anymore, but well, I don't think this should block addressing issues like
https://www.debian.org/security/2016/dsa-3733.

Note that we test in another, dedicated scenario that the URLs in APT sources
have the right (Onion) hostname.

Revision a5bd73ca
Added by anonym over 2 years ago

Merge remote-tracking branch 'origin/feature/11556-apt-with-onions' into devel

Fix-committed: #11556

Revision 4c12c601 (diff)
Added by anonym over 2 years ago

Test suite: we have to reconfigure APT before using it.

Refs: #11556

Revision c02640b4 (diff)
Added by bertagaz over 1 year ago

ASP: reference the commit explaining how to use APT in the test suite.

Using Chutney requires using non-onion APT sources.

Refs: #14572, #11556

History

#1 Updated by intrigeri about 3 years ago

  • Related to Feature #8143: Use apt-transport-https to protect against security issues in APT? added

#2 Updated by intrigeri about 3 years ago

  • Assignee set to flapflap
  • Type of work changed from Discuss to Research

See #8143 for the kind of research needed.

#3 Updated by intrigeri about 3 years ago

  • Subject changed from Use Onion Service Debian Mirror for APT to Research whether we should use Onion Services for APT
  • Status changed from New to Confirmed

#4 Updated by intrigeri about 3 years ago

(Meta: I made it clear to flapflap before he opened this ticket that to be useful, it had to take into account previous security discussions about similar topics, so I'm assigning it to him so he can do that.)

#5 Updated by hans about 3 years ago

If the apt traffic is forced over Tor using iptables rules, then you can use .onion addresses without having apt-transport-tor installed. The .onion address then enforces that all traffic goes over Tor. Now that weasel has added official Onion Services for both the main archive and the security archive, this is possible to set up.
https://onion.debian.org

#6 Updated by intrigeri over 2 years ago

  • Subject changed from Research whether we should use Onion Services for APT to Use Onion Services for APT
  • Assignee changed from flapflap to intrigeri
  • Target version set to Tails 2.10
  • Type of work changed from Research to Code

intrigeri wrote:

(Meta: I made it clear to flapflap before he opened this ticket that to be useful, it had to take into account previous security discussions about similar topics, so I'm assigning it to him so he can do that.)

I did the "let's see what is blocking this?" dance, and the next steps I had documented (#8143#note-14) are off-topic on this ticket:

  • we already use apt-transport-tor, so there's no additional code introduced by switching to Onion APT mirrors;
  • there's an obvious solution to the build-time / apt-cacher-ng issue: #8143#note-23

And if we ever want HTTPS on top of Onions, well: apt-transport-tor supports that :)

So I'm going to deprecate #8143 in favor of this ticket, and prioritize this topic higher since https://www.debian.org/security/2016/dsa-3733 has shown us that security in depth has some value here.

#7 Updated by intrigeri over 2 years ago

... except that we don't provide any Onion service for http://deb.tails.boum.org/, and it's enough to have one APT source that's not authenticated end-to-end to weaken the whole thing. So either we need to fix that infrastructure problem first, and use the new Onion service; or we use HTTPS for that repo, but then the concerns about increasing the attack surface (discussed on #8143 already) re-appear.

#8 Updated by intrigeri over 2 years ago

intrigeri wrote:

... except that we don't provide any Onion service for http://deb.tails.boum.org/, and it's enough to have one APT source that's not authenticated end-to-end to weaken the whole thing. So either we need to fix that infrastructure problem first, and use the new Onion service; […]

Done, deb.t.b.o now has its onion service: http://jenw7xbd6tf7vfhp.onion/
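
Two points on this ticket lend themselves to a concrete check: the description's sources.list layout (tor+http:// to clearnet Debian mirrors versus tor+http:// to .onion mirrors), and the observation in #7 that a single APT source not authenticated end-to-end weakens the whole setup. The POSIX shell script below is an added example, not code from this ticket, the feature branch or the Tails test suite. It audits a sources.list for any source whose URI is not tor+http:// (or tor+https://) to a .onion host, and rewrites known clearnet mirrors to the two Onion hostnames named on this page. Assumptions: the clearnet-to-onion map (ftp.debian.org and deb.debian.org to vwakviie2ienjx6t.onion, deb.tails.boum.org to jenw7xbd6tf7vfhp.onion) is the example's own, the sample sources.list and its "jessie" suites are constructed, and security.debian.org is deliberately left unmapped because its Onion hostname does not appear on this page, which makes it exactly the one weak source the audit is meant to catch.

```shell
#!/bin/sh
# Added example, not part of Tails or its test suite: audit an APT
# sources.list for sources that are not fetched end-to-end inside Tor
# (tor+http:// or tor+https:// to a .onion host), and rewrite known
# clearnet mirrors to their Onion counterparts.

# Constructed sample sources.list (not a file shipped by Tails); "jessie"
# and the mirror hostnames are assumptions for this example.
sample_sources() {
    cat <<'EOF'
# constructed example: the ticket's "before" state plus a few variants
deb tor+http://ftp.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.debian.org/debian/ jessie main

deb http://security.debian.org/ jessie/updates main contrib non-free
deb http://deb.tails.boum.org/ jessie main
deb [arch=amd64] http://deb.debian.org/debian jessie-backports main
deb tor+http://vwakviie2ienjx6t.onion/debian/ jessie-updates main
EOF
}

# Print every active source line whose URI is not tor+http(s):// to a .onion
# host.  tor+http:// to a clearnet mirror counts as non-onion on purpose: the
# request still leaves Tor at an exit node and is authenticated only by the
# archive signature, which is the gap the ticket is about.
non_onion_sources() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;            # blank lines and comments
        esac
        # the URI is the first field after "deb"/"deb-src" (and any [options])
        uri=$(printf '%s\n' "$line" | awk '{ for (i = 2; i <= NF; i++) if ($i ~ /:\/\//) { print $i; exit } }')
        scheme=${uri%%://*}
        host=${uri#*://}; host=${host%%/*}; host=${host%%:*}
        case "$scheme:$host" in
            tor+http:*.onion|tor+https:*.onion) ;;   # end-to-end inside Tor
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Exit status 0 only if every source passes; one weak source fails the file.
all_onion() {
    [ -z "$(non_onion_sources "$1")" ]
}

# Rewrite clearnet mirrors to Onion services on stdout.  The two .onion
# hostnames are the ones named on the ticket; which clearnet names map to
# them is this example's assumption.  security.debian.org is left alone
# because its Onion hostname is not given on the ticket.
onionize() {
    sed -E \
        -e 's#^(deb(-src)?([[:space:]]+\[[^]]*])?[[:space:]]+)(tor\+)?http://(ftp|deb)\.debian\.org/#\1tor+http://vwakviie2ienjx6t.onion/#' \
        -e 's#^(deb(-src)?([[:space:]]+\[[^]]*])?[[:space:]]+)(tor\+)?http://deb\.tails\.boum\.org/#\1tor+http://jenw7xbd6tf7vfhp.onion/#' \
        "$1"
}

# Stand-alone run: audit the sample, rewrite it, audit the result.
demo() {
    tmp=$(mktemp)
    sample_sources > "$tmp"
    echo "== not end-to-end over Tor, before rewriting:"
    non_onion_sources "$tmp"
    onionize "$tmp" > "$tmp.onion"
    echo "== not end-to-end over Tor, after rewriting:"
    non_onion_sources "$tmp.onion"
    if all_onion "$tmp.onion"; then
        echo "OK: every source is an Onion service"
    else
        echo "WEAK: at least one source still leaves Tor at an exit node"
    fi
    rm -f "$tmp" "$tmp.onion"
    return 0
}

demo
```

Run as a script to see the before/after report: the rewrite fixes four of the five weak lines, and the security.debian.org line keeps the file in the WEAK state until it, too, points at an Onion service. The check covers the apt-transport-tor layout discussed on this ticket; the iptables variant from #5 (plain http:// to a .onion with apt traffic forced through Tor by firewall rules) would only need the scheme test relaxed.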

#9 Updated by intrigeri over 2 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/11556-apt-with-onions

#10 Updated by intrigeri over 2 years ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

#11 Updated by anonym over 2 years ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Works great!

#12 Updated by anonym over 2 years ago

  • Status changed from Fix committed to Resolved
