Debian and Tor Services available as Onion Services

by weasel | August 1, 2016

We, the Debian project and the Tor Project, are enabling Tor onion services for several of our sites. These sites can now be reached without leaving the Tor network, providing a new option for securely connecting to resources provided by Debian and Tor.

The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.

While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.

For instance, when users connect to the onion service running at http://5ekxbftvqg26oir5wle3p27ax3wksbxcecnm6oemju7bjra2pn26s3qd.onion/ using a Tor-enabled browser such as the Tor Browser, they can be certain that their connection to the Debian website cannot be read or modified by third parties, and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certificate authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.

In addition to the Tor and Debian websites, the Debian FTP and the Debian Security archives are available from .onion addresses, enabling Debian users to update their systems using only Tor connections. With the apt-transport-tor package installed, the following three lines can replace the normal Debian mirror entries in the apt configuration file (/etc/apt/sources.list):

deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian jessie main
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian jessie-updates main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security jessie/updates main

Likewise, Tor's Debian package repository is available from an onion service:

deb tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org jessie main
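
As an added illustration (not code from the Debian or Tor projects): a v3 onion hostname like the ones above is the base32 encoding of the service's ed25519 public key, a two-byte checksum and a version byte, so the name itself carries the key the client authenticates. The sketch below decodes that structure, following the v3 address format in the Tor rendezvous specification, and checks the tor+http hosts in sources.list text; the names `encode_v3`, `decode_v3` and `check_sources` are hypothetical.

```python
import base64
import hashlib
import re

VERSION = b"\x03"  # version byte of v3 onion services

def _checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """Hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def decode_v3(host: str) -> bytes:
    """Return the public key embedded in a v3 hostname, else raise ValueError."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        raise ValueError("not an onion hostname")
    label = host[: -len(".onion")].split(".")[-1]
    if len(label) != 56:
        raise ValueError("not a v3 address (56 base32 characters expected)")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unknown version byte")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: mistyped or corrupted address")
    return pubkey

SOURCE_RE = re.compile(r"deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?tor\+https?://([^/\s:]+)")

def check_sources(text: str) -> dict:
    """Map every tor+http(s) host in sources.list text to True (valid v3) or False."""
    results = {}
    for line in text.splitlines():
        match = SOURCE_RE.match(line.split("#", 1)[0].strip())
        if match:
            host = match.group(1)
            try:
                results[host] = bool(decode_v3(host))
            except ValueError:
                results[host] = False
    return results

if __name__ == "__main__":  # the entries below are copied from the article
    page_entries = """\
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian jessie main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security jessie/updates main
"""
    for host, ok in check_sources(page_entries).items():
        print(host, "valid v3 address" if ok else "NOT a valid v3 address")
```

The checksum only catches typos and truncation; it says nothing about who owns the key, so the address still has to come from a source you trust.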

Where appropriate, we provide services redundantly from several backend machines using OnionBalance. The Debian OnionBalance package is available from the Debian backports repository.

Lists of several other new onion services offered by Debian and Tor are available from https://onion.debian.org and https://onion.torproject.org respectively. We expect to expand these lists in the near future to cover even more of Debian's and Tor's services.

This article was edited in March 2023 to update links and switch to v3 onion addresses.

Comments

Please note that the comment area below has been archived.

August 01, 2016

That's awesome! Thank you Tor project, thank you Debian project.

However:
... "For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/ using a Tor-enabled browser such as the TorBrowser, " ...

So: what / where are other Tor-enabled browsers??

Thank you

August 01, 2016

<3

August 01, 2016

what a fantastic idea and use of tor hidden service :D

any chance of someone writing a tutorial to make a similar apt-get setup so one can do the same for Ubuntu or other Linux, especially for downloading the tor bundle etc.?

August 01, 2016

Another mirror from tor-talks:

deb http://earthqfvaeuv5bla.onion/debian/ jessie main contrib non-free
deb-src http://earthqfvaeuv5bla.onion/debian/ jessie main contrib non-free

(torified with torsocks)

I must say it's fucking ridiculous. A few people asked about this feature several times in tor-talks, but the answer from the Tor Project was always "it's not of our priority, do onion mirrors for yourself if you want". It is funny that the Tor Project's site did not support Tor access (onion)! Thanks anyway, good job. It had to be done a few years back.

August 01, 2016

I've been using the hidden service repository for some time now. It's good to know that Debian is standing behind it and it's unlikely to just disappear now. Long overdue on hidden servicing the Tor website.

Keep up the good work!

August 02, 2016

> deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
> deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
> deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main

Source? I am asking this because when I visit
https://www.torproject.org/docs/debian

it shows:
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main

Really need to update www.torproject.org ASAP.

August 02, 2016

In reply to by Anonymous (not verified)

There are a couple separate things here.

The lines you quoted are for downloading official Debian packages. vwakviie2ienjx6t.onion is equivalent to ftp.debian.org and sgvtcaew4bxjd7ln.onion is equivalent to security.debian.org.

So, if you are running Debian stable, and you already have Tor and the apt-transport-tor package installed, you can put those lines in your sources.list (in place of the original "http" sources), and thereby ensure that your system APT traffic goes over Tor. (For example, this might be helpful if you want to install 'cowsay' without your ISP finding out about it.)

The link you pointed to (https://www.torproject.org/docs/debian) contains instructions for installing packages that are built and published by the Tor Project (not by Debian.) You would use that repository if for some reason you need a newer version of Tor than the version currently shipped by Debian, and in that case you would *add* those lines to your sources.list (they're not a replacement for the main Debian archive.) And although you should be able to access those packages via apt-transport-tor if you want to (they're on sdscoq7snqtznauu.onion), that isn't useful information for somebody who is trying to install Tor for the first time.

August 02, 2016

deb tor+http://.onion

you can set apt-get to use HTTP Proxy, set Privoxy to route traffic to Tor SOCKS5. No need to install apt-transport-tor, and also no need to set "tor+".

AFAIK that should work, but it also involves more moving pieces (i.e., more likely for something to break and leave you unable to fix it safely) and easier to screw up. Plus, Privoxy is designed to do a lot more than relaying HTTP connections, so even if it works perfectly, I wouldn't necessarily trust it never to break APT, or de-anonymize you in some subtle way.

I don't know what specifically motivated the development of apt-transport-tor, but I assume there are good reasons for it.

August 02, 2016

I love you guys and gals so much. You are once again ahead of the curve. Thank you so much. Hopefully more projects follow in your footsteps. <3

August 02, 2016

I'm currently using polipo+tor as a HTTP proxy in apt. This makes all my apt updates and package downloads go through tor; .onion urls will also work. What is the difference (benefit) of using apt-transport-tor over this solution?

August 02, 2016

Any add-on for changing domain name to .onion? Darkweb-everywhere is discontinued and no one is working on it.

I'm a TBB user, and if TBB automatically converted the domain to the .onion one (if it exists), things would be great.

August 02, 2016

Will you update the bookmarks distributed with tor browser to point to the onion sites rather than the clearnet tor website etc.?

August 02, 2016

> Instead, the onion service name cryptographically authenticates its cryptographic key.

LOL. The addresses are bruteforceable - unless it would be nearly impossible to get a human-readable address. And the RSA1024 used for keys is considered not secure now. You have made a promise to bring ed25519 up by the winter 2016, but now I see it is still not implemented. I even doubt it is worth using ECC instead of good old RSA. To make things worse, https over tor is not used in tor HSs to mitigate choices of obsolete crypto, and it is not clear what chain length is used. It looks like sabotage.

lol
They forget that the user needs: clear control of the connection.
Snowden proposed that as a project for tablets & cellphones, but for a desktop, users do not have this feature (with the crypto option).
Using onion for an update (when I update, it is on http) is not more or less secure, unfortunately ... an update with torrent-onion would maybe be a better idea (torrent should verify the integrity of the files).
Anyway, the source-lists are not on https.
Nobody is perfect: the Debian mailing lists are not the right place (too many spammers & nonsense answers) for obtaining an intelligent answer.

August 02, 2016

I need help in installing Debian packages via Tor on a clean installation of Debian OS. Specifically the scenario is as follows:

1. I install Debian 8 using DVD-1 (debian-8.5.0-amd64-DVD-1.iso) without an internet connection.

2. After a successful installation, I reboot into the tty1 console because there is no GUI installed as yet.

3. I install xorg, gnome-core, synaptic, gdebi, etc. using DVD-1 without an internet connection. The aforementioned packages are available on DVD-1.

4. I reboot my machine and boot into Gnome GUI.

5. How do I install additional Debian packages via Tor? (It would appear that I need to have Tor package tor-browser-linux64-6.0.2_en-US.tar.xz downloaded from another computer and saved onto a USB stick, right?)

1 . debian 8 (live) dvd 1 : you insert it , and click on the icon install : bingo.
2 . something is wrong in your install because after a reboot you are not in a tty but on your desktop.
3 . no, you forgot check desktop gnome at the install
4 . like it is written at the beginning of this article (tor will be installed in the same time).tor 6.0.3 is the new version

2 . something is wrong in your install because after a reboot you are not in a tty but on your desktop.
3 . no, you forgot check desktop gnome at the install

I forgot to tell you that I did a minimal install. I do not want to install the full Gnome desktop environment because it is too massive and full of applications that I do not usually use.

That is why after a minimal install from DVD-1 and after a reboot, I go into tty1 (console) and no desktop environment.

August 02, 2016

Thanks so much for doing this. We need more "mainstream" companies to embrace hidden services. I am very proud of Debian for this decision.

August 02, 2016

Are these services' onion keys controlled by a different set of people than those who control the debian archive signing keys?

If so, that would mean that attackers wanting to serve malicious debian updates would need to compromise two people/systems instead of just one... which would be a nice improvement over the way things have been thus far.

August 02, 2016

this is great! i use debian Operating System by default im trying to learn new languages and debian doesnt have very easily configurable VPN support but i use the tor bundle and hope to see more good updates for my OS also. thank you !

August 03, 2016

Confused. If I install apt-transport-tor on debian, it then installs tor on my system. When I run TBB, a separate instance of tor runs on a different port. Does this have any anonymity implications using two different instances of Tor? One would be used mainly for updating my debian system (the tor version installed to my system), and the other for TBB activity. Can I or should I combine the different tor instances? If so, how? Or am I OK running both?

August 03, 2016

Thank you thank you!

I've been asking for this for five years and its great to see it happening.

August 03, 2016

About "deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main": I noticed that the apt key (you can get it as "apt-key export 0x886DDD89 > file.txt") contains many slashes in the middle of text file:

---
VMYzeESDnbsFnh4tCFlAseSMhj7TDQQH1/gCFWJl+61qRB/m6pX2hGWCYeZCw3m8
wqvILUbXkc70c9Iwl/2a+0mbtT7JI0TfnjC3ZDYLBfU10MtrxRTOWkaBHpx3g+YD
JWvKQRZ22T/gAOJz627ilMlXH3ayyCIEBCiL8YynrUo9zFdT07h+WDQcNiN6sa4J
q7/mJQpZosv1UF7d////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
//////////////+JAhwEEAECAAYFAlFwaUEACgkQuW8jAK0Ry+6hbA/9F4vOEUpa
Vz8Xfky83I7W6zP6q+z5KuUC3Bo1y/cN32KHSbD5sf5T49VWBeWTWDQ1j2E01EvG
3aZRz6aD22036FrRGSpRixiODVaP1sO5HRr7cOG25L2GESNasEFPdRtNxZPmXEqR
SDLhKP4OHQ3vyykejaitQ3epHDdWQdjiFZzEC+Vet64S/onsiTi5n7wwyAkWV3ih
---

Is it normal? I've never seen such PGP keys.

August 09, 2016

In reply to by Anonymous (not verified)

That is very concerning. We need an official response on this one!

Debian Project? Tor Project?

August 03, 2016

I am a bit upset by dependencies of apt-transport-tor package, which requires tor to be installed. I use VM where Tor runs at host OS, so I don't need to run Tor in guest OS. However, I want to use torified apt-get inside my guest OS, so all traffic of guest OS goes through external (host OS) Tor proxy. Now to get it working I am forced to install Tor also in guest OS, and then disable it at startup.

Thanks for info, I didn't know about it. However, I doubt it is so simple. Since I'm using standard apt-get for installation and upgrade, that "fake" package must be very similar to real tor package, because installation/upgrade or apt-transport-tor requires ability to stop tor, start it, check its startup levels, and so on. If any of these actions fail, the whole upgrade or installation fails.

More accurate way to solve the problem is to prepare custom apt-transport-tor package which doesn't depend on tor in any way.

August 04, 2016

You should also get an onion address for the Blog page. Otherwise one goes to the onion page for the Main Project, wants to read the latest news and is redirected to a non-onion site.

August 04, 2016

Plz. FIX HIDDEN SERVICE first. The Onion address is a truncated SHA1 hash which is prone to IMPERSONATION. SO, no matter how good TOR's actual crypto be, you might be connecting to a WRONG site. period

August 06, 2016

Got it set up, works fine. However, when APT has to get something directly from another site that is not from Debian repositories, it defaults to downloading via wget over clearnet links. Is there a way to change the behavior of APT to download via TOR, maybe even using curl instead? Hopefully more distros follow this idea.

August 11, 2016

Nice!

Any chance you could sign the list of onion addresses with a GPG key that's been associated with Tor for a while (eg the TBB key)?

Same question to Debian: could their list of addresses be signed by an already-trusted debian key?

August 16, 2016

Though a slightly delayed reply, should anyone seek to update a Debian system through a secure connection but feel slightly overwhelmed to do so using tor, there are some primary and secondary Debian mirror sites (https://www.debian.org/mirror/list) that accept https connections. The Debian mirror site for Singapore at "https://ftp.sg.debian.org/debian/" for example provides such scheme to perform updates. A number of secondary Debian mirror sites also accept secure connections of which the following

. https://mirror.as35701.net/debian/ (Belgium)
. https://debian.ludost.net/debian/ (Bulgaria)
. https://ftp.sh.cvut.cz/debian/ (Czech Republic)
. https://mirror.dkm.cz/debian/ (Czech Republic)
. https://mirrors.dotsrc.org/debian/ (Denmark)
. https://mirror.t-home.mk/debian (Macedonia)

Going through the list to choose sources is time consuming and seemingly resources heavy but other such mirrors should provide with the opportunity to perform updates through a secure connection. Installing apt-transport-https enables the update system to reach secure ports.

From what I remember, the Debian security repositories are open to the Debian security team only. As such the address "security.debian.org" seems to not provide similar connection types. The onion address at "https://sgvtcaew4bxjd7ln.onion/" seems to be at the moment the only choice available should anyone wish to perform Debian security updates using a secure connection.

I find that secure protocols such as https which provide an initial layer of abstraction by default are good enough for most people. I would support an initiative to make available such protocols as a default option when using Debian repositories for updates.

August 20, 2016

Hello,
why not publish some type or use MapAddress feature for this known addresses to secure users already running tor even more?

Like:
MapAddress www.torproject.org expyuzz4wqqyqhjn.onion