Debian and Tor Services available as Onion Services

We, the Debian project and the Tor Project, are enabling Tor onion services for several of our sites. These sites can now be reached without leaving the Tor network, providing a new option for securely connecting to resources provided by Debian and Tor.

The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.

While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.

For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/ using a Tor-enabled browser such as the Tor Browser, they can be certain that their connection to the Debian website cannot be read or modified by third parties, and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certificate authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.

In addition to the Tor and Debian websites, the Debian FTP and the Debian Security archives are available from .onion addresses, enabling Debian users to update their systems using only Tor connections. With the apt-transport-tor package installed, the following three lines can replace the normal Debian mirror entries in the apt configuration file (/etc/apt/sources.list):

deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main

Likewise, Tor's Debian package repository is available from an onion service:

deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
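
A check worth running after editing sources.list, as an added example (not part of apt or apt-transport-tor): it lists every active entry that would still be fetched outside Tor, or over Tor but to a non-onion host. The sample file is constructed from the entries quoted on this page, and the function name is illustrative.

```python
from urllib.parse import urlsplit

LOCAL_SCHEMES = {"cdrom", "file", "copy"}  # never touch the network


def audit_sources(text: str):
    """Return (line_no, uri, problem) for entries that do not stay inside Tor."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not fields or fields[0] not in ("deb", "deb-src"):
            continue
        idx = 1
        if len(fields) > 1 and fields[1].startswith("["):  # [ arch=... ] options
            while idx < len(fields) and not fields[idx].endswith("]"):
                idx += 1
            idx += 1
        if idx >= len(fields):
            findings.append((line_no, "", "entry has no URI"))
            continue
        uri = fields[idx]
        parts = urlsplit(uri)
        if parts.scheme in LOCAL_SCHEMES:
            continue
        if not parts.scheme.startswith("tor+"):
            findings.append((line_no, uri, "not fetched through apt-transport-tor"))
        elif not (parts.hostname or "").endswith(".onion"):
            findings.append((line_no, uri, "uses Tor but exits to a clearnet host"))
    return findings


# Constructed sources.list: the onion entries from the article plus two
# leftovers of the kind that are easy to miss when replacing mirror lines.
SAMPLE = """\
deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
# deb http://ftp.debian.org/debian jessie main
deb http://deb.torproject.org/torproject.org jessie main
deb-src [arch=amd64] tor+http://deb.torproject.org/torproject.org jessie main
"""

if __name__ == "__main__":
    for line_no, uri, problem in audit_sources(SAMPLE):
        print(f"line {line_no}: {uri}: {problem}")
```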

Where appropriate, we provide services redundantly from several backend machines using OnionBalance. The Debian OnionBalance package is available from the Debian backports repository.

Lists of several other new onion services offered by Debian and Tor are available from https://onion.debian.org and https://onion.torproject.org respectively. We expect to expand these lists in the near future to cover even more of Debian's and Tor's services.

Anonymous

August 01, 2016

Permalink

That's awesome! Thank you Tor project, thank you Debian project.

However:
... "For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/ using a Tor-enabled browser such as the TorBrowser, " ...

So: what / where are other Tor-enabled browsers??

Thank you

Anonymous

August 01, 2016

Permalink

<3

Anonymous

August 01, 2016

Permalink

What a fantastic idea and use of Tor hidden services :D

Any chance of someone writing a tutorial to make a similar apt-get setup, so one can do the same for Ubuntu or other Linux, especially for downloading the Tor bundle etc.?

Agree. Although Canonical (the company behind Ubuntu) promised not to spy on the user anymore (see https://en.wikipedia.org/wiki/Ubuntu_%28operating_system%29#Amazon_cont… for details), I no longer trust it. I will recommend Debian nowadays, which is community-driven and they even have their own hidden service (https://onion.debian.org).

Anonymous

August 01, 2016

Permalink

Another mirror from tor-talks:

deb http://earthqfvaeuv5bla.onion/debian/ jessie main contrib non-free
deb-src http://earthqfvaeuv5bla.onion/debian/ jessie main contrib non-free

(torified with torsocks)

I must say it's fucking ridiculous. A few people asked about this feature several times in tor-talks, but the answer from the Tor Project was always "it's not our priority, do onion mirrors for yourself if you want". It is funny that the Tor Project's site did not support Tor access (onion)! Thanks anyway, good job. It should have been done a few years back.

Anonymous

August 01, 2016

Permalink

I've been using the hidden service repository for some time now. It's good to know that Debian is standing behind it and it's unlikely to just disappear now. Long overdue on hidden servicing the Tor website.

Keep up the good work!

Anonymous

August 02, 2016

Permalink

> deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
> deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
> deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main

Source? I am asking this because when I visit
https://www.torproject.org/docs/debian

it shows:
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main

Really need to update www.torproject.org ASAP.

Anonymous

August 02, 2016

In reply to by Anonymous (not verified)

Permalink

There are a couple separate things here.

The lines you quoted are for downloading official Debian packages. vwakviie2ienjx6t.onion is equivalent to ftp.debian.org and sgvtcaew4bxjd7ln.onion is equivalent to security.debian.org.

So, if you are running Debian stable, and you already have Tor and the apt-transport-tor package installed, you can put those lines in your sources.list (in place of the original "http" sources), and thereby ensure that your system APT traffic goes over Tor. (For example, this might be helpful if you want to install 'cowsay' without your ISP finding out about it.)

The link you pointed to (https://www.torproject.org/docs/debian) contains instructions for installing packages that are built and published by the Tor Project (not by Debian.) You would use that repository if for some reason you need a newer version of Tor than the version currently shipped by Debian, and in that case you would *add* those lines to your sources.list (they're not a replacement for the main Debian archive.) And although you should be able to access those packages via apt-transport-tor if you want to (they're on sdscoq7snqtznauu.onion), that isn't useful information for somebody who is trying to install Tor for the first time.

Anonymous

August 02, 2016

Permalink

deb tor+http://.onion

You can set apt-get to use an HTTP proxy, and set Privoxy to route traffic to Tor SOCKS5. No need to install apt-transport-tor, and also no need to set "tor+".

AFAIK that should work, but it also involves more moving pieces (i.e., more likely for something to break and leave you unable to fix it safely) and easier to screw up. Plus, Privoxy is designed to do a lot more than relaying HTTP connections, so even if it works perfectly, I wouldn't necessarily trust it never to break APT, or de-anonymize you in some subtle way.

I don't know what specifically motivated the development of apt-transport-tor, but I assume there are good reasons for it.

Anonymous

August 02, 2016

Permalink

I love you guys and gals so much. You are once again ahead of the curve. Thank you so much. Hopefully more projects follow in your footsteps. <3

Anonymous

August 02, 2016

Permalink

I'm currently using polipo+tor as an HTTP proxy in apt. This makes all my apt updates and package downloads go through Tor; .onion URLs will also work. What is the difference (benefit) of using apt-transport-tor over this solution?

Anonymous

August 02, 2016

Permalink

Any add-on for changing domain name to .onion? Darkweb-everywhere is discontinued and no one is working on it.

I'm a TBB user, and if TBB automatically converted a domain to its .onion one (if it exists), things would be great.

Anonymous

August 02, 2016

Permalink

Will you update the bookmarks distributed with tor browser to point to the onion sites rather than the clearnet tor website etc.?

Anonymous

August 02, 2016

Permalink

> Instead, the onion service name cryptographically authenticates its cryptographic key.

LOL. The addresses are bruteforceable - unless it would be nearly impossible to get a human-readable address. And the RSA1024 used for keys is considered not secure now. You have made a promise to bring ed25519 up by winter 2016, but now I see it is still not implemented. I even doubt it is worth using ECC instead of good old RSA. To make things worse, HTTPS over Tor is not used in Tor HSs to mitigate choices of obsolete crypto, and it is not clear what chain length is used. It looks like sabotage.

lol
They forget that the user needs clear control of the connection.
Snowden proposed that as a project for tablets and cellphones, but on a desktop the users do not have this feature (with the crypto option).
Using onion for an update (when I update, it is on http) is not more or less secure, unfortunately ... an update with torrent-onion might be a better idea (torrent should verify the integrity of the files).
Anyway, the source lists are not on https.
Nobody is perfect: the Debian mailing lists are not the right place (too many spammers and nonsense answers) for obtaining an intelligent answer.

Anonymous

August 02, 2016

Permalink

I need help in installing Debian packages via Tor on a clean installation of Debian OS. Specifically the scenario is as follows:

1. I install Debian 8 using DVD-1 (debian-8.5.0-amd64-DVD-1.iso) without an internet connection.

2. After a successful installation, I reboot into the tty1 console because there is no GUI installed as yet.

3. I install xorg, gnome-core, synaptic, gdebi, etc. using DVD-1 without an internet connection. The aforementioned packages are available on DVD-1.

4. I reboot my machine and boot into Gnome GUI.

5. How do I install additional Debian packages via Tor? (It would appear that I need to have Tor package tor-browser-linux64-6.0.2_en-US.tar.xz downloaded from another computer and saved onto a USB stick, right?)

1. Debian 8 (live) DVD 1: you insert it and click on the install icon: bingo.
2. Something is wrong in your install, because after a reboot you are not in a tty but on your desktop.
3. No, you forgot to check the GNOME desktop at install.
4. As it is written at the beginning of this article (Tor will be installed at the same time). Tor 6.0.3 is the new version.

> 2. Something is wrong in your install, because after a reboot you are not in a tty but on your desktop.
> 3. No, you forgot to check the GNOME desktop at install.

I forgot to tell you that I did a minimal install. I do not want to install the full Gnome desktop environment because it is too massive and full of applications that I do not usually use.

That is why after a minimal install from DVD-1 and after a reboot, I go into tty1 (console) and no desktop environment.

Anonymous

August 02, 2016

Permalink

Thanks so much for doing this. We need more "mainstream" companies to embrace hidden services. I am very proud of Debian for this decision.

Anonymous

August 02, 2016

Permalink

Are these services' onion keys controlled by a different set of people than those who control the debian archive signing keys?

If so, that would mean that attackers wanting to serve malicious debian updates would need to compromise two people/systems instead of just one... which would be a nice improvement over the way things have been thus far.

Anonymous

August 02, 2016

Permalink

This is great! I use the Debian operating system by default. I'm trying to learn new languages, and Debian doesn't have very easily configurable VPN support, but I use the Tor bundle and hope to see more good updates for my OS also. Thank you!

Debian offers a large choice of VPN support, very easily configurable; it is more or less user-friendly depending on your choice of desktop, e.g. GNOME.

Anonymous

August 03, 2016

Permalink

Confused. If I install apt-transport-tor on debian, it then installs tor on my system. When I run TBB, a separate instance of tor runs on a different port. Does this have any anonymity implications using two different instances of Tor? One would be used mainly for updating my debian system (the tor version installed to my system), and the other for TBB activity. Can I or should I combine the different tor instances? If so, how? Or am I OK running both?

Anonymous

August 03, 2016

Permalink

Thank you thank you!

I've been asking for this for five years and it's great to see it happening.

Anonymous

August 03, 2016

Permalink

About "deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main": I noticed that the apt key (you can get it as "apt-key export 0x886DDD89 > file.txt") contains many slashes in the middle of text file:

---
VMYzeESDnbsFnh4tCFlAseSMhj7TDQQH1/gCFWJl+61qRB/m6pX2hGWCYeZCw3m8
wqvILUbXkc70c9Iwl/2a+0mbtT7JI0TfnjC3ZDYLBfU10MtrxRTOWkaBHpx3g+YD
JWvKQRZ22T/gAOJz627ilMlXH3ayyCIEBCiL8YynrUo9zFdT07h+WDQcNiN6sa4J
q7/mJQpZosv1UF7d////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
//////////////+JAhwEEAECAAYFAlFwaUEACgkQuW8jAK0Ry+6hbA/9F4vOEUpa
Vz8Xfky83I7W6zP6q+z5KuUC3Bo1y/cN32KHSbD5sf5T49VWBeWTWDQ1j2E01EvG
3aZRz6aD22036FrRGSpRixiODVaP1sO5HRr7cOG25L2GESNasEFPdRtNxZPmXEqR
SDLhKP4OHQ3vyykejaitQ3epHDdWQdjiFZzEC+Vet64S/onsiTi5n7wwyAkWV3ih
---

Is it normal? I've never seen such PGP keys.

Anonymous

August 09, 2016

In reply to by Anonymous (not verified)

Permalink

That is very concerning. We need an official response on this one!

Debian Project? Tor Project?

Anonymous

August 03, 2016

Permalink

I am a bit upset by dependencies of apt-transport-tor package, which requires tor to be installed. I use VM where Tor runs at host OS, so I don't need to run Tor in guest OS. However, I want to use torified apt-get inside my guest OS, so all traffic of guest OS goes through external (host OS) Tor proxy. Now to get it working I am forced to install Tor also in guest OS, and then disable it at startup.

You can use 'equivs' to create a fake 'tor' package to satisfy the dependency. Might be simpler in your case.

Thanks for the info, I didn't know about it. However, I doubt it is so simple. Since I'm using standard apt-get for installation and upgrade, that "fake" package must be very similar to the real tor package, because installation/upgrade of apt-transport-tor requires the ability to stop tor, start it, check its startup levels, and so on. If any of these actions fail, the whole upgrade or installation fails.

A more accurate way to solve the problem is to prepare a custom apt-transport-tor package which doesn't depend on tor in any way.

Anonymous

August 04, 2016

Permalink

You should also get an onion address for the Blog page. Otherwise one goes to the onion page for the Main Project, wants to read the latest news and is redirected to a non-onion site.

Anonymous

August 04, 2016

Permalink

Plz. FIX HIDDEN SERVICE first. The Onion address is a truncated SHA1 hash which is prone to IMPERSONATION. SO, no matter how good TOR's actual crypto is, you might be connecting to a WRONG site. period