Debian and Tor Services available as Onion Services
We, the Debian project and the Tor Project, are enabling Tor onion services for several of our sites. These sites can now be reached without leaving the Tor network, providing a new option for securely connecting to resources provided by Debian and Tor.
The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.
While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.
For instance, when users connect to the onion service running at http://5ekxbftvqg26oir5wle3p27ax3wksbxcecnm6oemju7bjra2pn26s3qd.onion/ using a Tor-enabled browser such as the Tor Browser, they can be certain that their connection to the Debian website cannot be read or modified by third parties, and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certificate authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.
In addition to the Tor and Debian websites, the Debian FTP and the Debian Security archives are available from .onion addresses, enabling Debian users to update their systems using only Tor connections. With the apt-transport-tor package installed, the following three lines can replace the normal Debian mirror entries in the apt configuration file (/etc/apt/sources.list):
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian jessie main
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian jessie-updates main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security jessie/updates main
Likewise, Tor's Debian package repository is available from an onion service:
deb tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org jessie main
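The claim that the onion service name authenticates its key, and the sources.list entries above, can be checked together. This is an added example, not code from Debian or the Tor Project: it decodes a v3 onion name into its embedded ed25519 public key, verifies the name's checksum, and flags sources.list lines that would not stay inside the Tor network. The function names and status strings are this example's own.

```python
import base64
import hashlib
import re

V3_LABEL = re.compile(r"^[a-z2-7]{56}$")

def _checksum(pubkey: bytes, version: bytes) -> bytes:
    # v3 address checksum: first 2 bytes of SHA3-256(".onion checksum" | pubkey | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def encode_onion_v3(pubkey: bytes) -> str:
    """Hostname for a 32-byte ed25519 public key (used here to build test data)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = pubkey + _checksum(pubkey, b"\x03") + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def decode_onion_v3(host: str) -> bytes:
    """Return the public key embedded in a v3 onion hostname, or raise ValueError."""
    host = host.lower()
    if not host.endswith(".onion"):
        raise ValueError("not an onion hostname")
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain labels
    if not V3_LABEL.match(label):
        raise ValueError("not a 56-character v3 label (16-character v2 names land here)")
    raw = base64.b32decode(label.upper())  # 35 bytes: key(32) | checksum(2) | version(1)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03" or checksum != _checksum(pubkey, version):
        raise ValueError("bad version or checksum")
    return pubkey

def audit_sources(text: str):
    """Classify each deb/deb-src line of a sources.list as (host, status)."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] not in ("deb", "deb-src"):
            continue
        # The URI is the first field containing "://"; "[opt=val]" fields before it are skipped.
        uri = next((f for f in fields[1:] if "://" in f), None)
        if uri is None:
            continue
        scheme, rest = uri.split("://", 1)
        host = rest.split("/", 1)[0].split(":")[0].lower()
        if host.endswith(".onion"):
            try:
                decode_onion_v3(host)
                status = "ok" if scheme.startswith("tor+") else "no-tor-scheme"
            except ValueError:
                status = "bad-onion"  # malformed, mistyped, or not a v3 name
        else:
            status = "tor-to-clearnet" if scheme.startswith("tor+") else "clearnet"
        findings.append((host, status))
    return findings

if __name__ == "__main__":
    # Lines copied from the article above.
    page = """\
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian jessie main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security jessie/updates main
"""
    for host, status in audit_sources(page):
        print(status, host)
```

A passing checksum only shows that the name is well-formed and was not mistyped; the hostname itself must still match the one published at https://onion.debian.org or https://onion.torproject.org.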
Where appropriate, we provide services redundantly from several backend machines using OnionBalance. The Debian OnionBalance package is available from the Debian backports repository.
Lists of several other new onion services offered by Debian and Tor are available from https://onion.debian.org and https://onion.torproject.org respectively. We expect to expand these lists in the near future to cover even more of Debian's and Tor's services.
This article was edited in March 2023 to update links and switch to v3 onion addresses.
Comments
Please note that the comment area below has been archived.
That's awesome! Thank you
That's awesome! Thank you Tor project, thank you Debian project.
However:
... "For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/ using a Tor-enabled browser such as the TorBrowser, " ...
So: what / where are other Tor-enabled browsers??
Thank you
Any browser pointing at the
Any browser pointing at the Tor socks proxy
<3
<3
what a fantastic idea and
what a fantastic idea and use of tor hidden service :D
any chance of someone writing a tutorial to make a similar apt-get setup so we can do the same for Ubuntu or other Linux, especially for downloading the tor bundle etc.?
Just add deb
Just add
deb tor+http://sdscoq7snqtznauu.onion/torproject.org precise main
Instead of precise add the name of your Ubuntu version
ubuntu is not safe to use :
ubuntu is not safe to use : backdoor + new aws in uk where ubuntu server are and its enterprise too !
Agree. Although Canonical
Agree. Although Canonical (the company behind Ubuntu) promised not to spy on the user anymore (see https://en.wikipedia.org/wiki/Ubuntu_%28operating_system%29#Amazon_cont… for details), I no longer trust it. I will recommend Debian nowadays, which is community-driven and they even have their own hidden service (https://onion.debian.org).
I don't recommend either,
I don't recommend either, Linux Mint is superior to both ubuntu and debian in terms of stability and functionality.
Just keep a copy of the
Just keep a copy of the bundle on a USB drive, it will update after installation
how awesome!
how awesome!
Another mirror from
Another mirror from tor-talks:
(torified with torsocks)
I must say it's fucking ridiculous. Few people several times asked in tor-talks about this feature, but answer from Tor Project was always "it's not of our priority, do onion mirrors for yourself if you want". It is funny that site of tor project did not support tor access (onion)! Thanks anyway, good job. It had to be done few years back.
I've been using the hidden
I've been using the hidden service repository for some time now. It's good to know that Debian is standing behind it and it's unlikely to just disappear now. Long overdue on hidden servicing the Tor website.
Keep up the good work!
damn i need to get Pi3 fast
damn i need to get Pi3 fast and setup my lil relay
SOMEONE! Ask about this to
SOMEONE! Ask about this to Raspbian(debian fork), Ubuntu, and ArchLinux!
People really need to use .onion more!
https://www.raspberrypi.org/contact/
I already did it, but your vote seriously counts!
> deb
> deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
> deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
> deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
Source? I am asking this because when I visit
https://www.torproject.org/docs/debian
it shows:
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main
Really need to update www.torproject.org ASAP.
There are a couple separate
There are a couple separate things here.
The lines you quoted are for downloading official Debian packages. vwakviie2ienjx6t.onion is equivalent to ftp.debian.org and sgvtcaew4bxjd7ln.onion is equivalent to security.debian.org.
So, if you are running Debian stable, and you already have Tor and the apt-transport-tor package installed, you can put those lines in your sources.list (in place of the original "http" sources), and thereby ensure that your system APT traffic goes over Tor. (For example, this might be helpful if you want to install 'cowsay' without your ISP finding out about it.)
The link you pointed to (https://www.torproject.org/docs/debian) contains instructions for installing packages that are built and published by the Tor Project (not by Debian.) You would use that repository if for some reason you need a newer version of Tor than the version currently shipped by Debian, and in that case you would *add* those lines to your sources.list (they're not a replacement for the main Debian archive.) And although you should be able to access those packages via apt-transport-tor if you want to (they're on sdscoq7snqtznauu.onion), that isn't useful information for somebody who is trying to install Tor for the first time.
deb tor+http://.onion you
deb tor+http://.onion
you can set apt-get to use HTTP Proxy, set Privoxy to route traffic to Tor SOCKS5. No need to install apt-transport-tor, and also no need to set "tor+".
AFAIK that should work, but
AFAIK that should work, but it also involves more moving pieces (i.e., more likely for something to break and leave you unable to fix it safely) and easier to screw up. Plus, Privoxy is designed to do a lot more than relaying HTTP connections, so even if it works perfectly, I wouldn't necessarily trust it never to break APT, or de-anonymize you in some subtle way.
I don't know what specifically motivated the development of apt-transport-tor, but I assume there are good reasons for it.
I love you guys and gals so
I love you guys and gals so much. You are once again ahead of the curve. Thank you so much. Hopefully more projects follow in your footsteps. <3
I'm currently using
I'm currently using polipo+tor as a HTTP proxy in apt. This makes all my apt updates and package downloads go through tor; .onion urls will also work. What is the difference (benefit) of using apt-transport-tor over this solution?
Any add-on for changing
Any add-on for changing domain name to .onion? Darkweb-everywhere is discontinued and no one is working on it.
I'm a TBB user, and if TBB automatically convert domain to .onion one(if exist) things will be great.
Will you update the
Will you update the bookmarks distributed with tor browser to point to the onion sites rather than the clearnet tor website etc.?
> Instead, the onion service
> Instead, the onion service name cryptographically authenticates its cryptographic key.
LOL. The addresses are bruteforceable - unless it would be nearly impossible to get human-readable address. And the RSA1024 used for keys is considered not secure now. You have made a promise to bring ed25519 up by the winter 2016, but now I see it is still not implemented. I even doubt it worth to use ECC instead of old good RSA. To make the things worse https over tor is not used in tor HSs to mitigate choices of obsolete crypto and it is not clear what chain length is used. It looks like a sabotage.
lol They forget that the
lol
They forget that the user need : a clear control of the connection.
snowden propose that as project for tablet&cellphone but for a desktop, the users have not this feature (with the crypto option).
using onion for an update (when i update, it is on http) is not more or less secure unfortunately ... an update with torrent-onion should be maybe a better idea (torrent should verify the integrity of the files).
Anyway the source-list are not on https.
Nobody is perfect : debian mailing-list are not the right place (too many spammers & nonsense answers) for obtaining an intelligent answer.
backports.debian.org:
backports.debian.org: http://6f6ejaiiixypfqaf.onion/ and deb.torproject.org: http://sdscoq7snqtznauu.onion/ are not working.
W: Failed to fetch tor+http://6f6ejaiiixypfqaf.onion/dists/jessie-backports/main/source/Sources HttpError404
W: Failed to fetch tor+http://6f6ejaiiixypfqaf.onion/dists/jessie-backports/contrib/source/Sou… HttpError404
W: Failed to fetch tor+http://6f6ejaiiixypfqaf.onion/dists/jessie-backports/non-free/source/So… HttpError404
W: Failed to fetch tor+http://6f6ejaiiixypfqaf.onion/dists/jessie-backports/main/binary-amd64/… HttpError404
W: Failed to fetch tor+http://6f6ejaiiixypfqaf.onion/dists/jessie-backports/contrib/binary-amd… HttpError404
W: Failed to fetch tor+http://6f6ejaiiixypfqaf.onion/dists/jessie-backports/non-free/binary-am… HttpError404
W: Failed to fetch tor+http://sdscoq7snqtznauu.onion/torproject.org/dists/jessie/main/binary-a… Can't complete SOCKS5 connection to 0.0.0.0:0. (4)
The jessie-backports suite
The jessie-backports suite lives on ftp.debian.org, not backports.debian.org, so you'll find it on http://vwakviie2ienjx6t.onion/debian instead.
I need help in installing
I need help in installing Debian packages via Tor on a clean installation of Debian OS. Specifically the scenario is as follows:
1. I install Debian 8 using DVD-1 (debian-8.5.0-amd64-DVD-1.iso) without an internet connection.
2. After a successful installation, I reboot into the tty1 console because there is no GUI installed as yet.
3. I install xorg, gnome-core, synaptic, gdebi, etc. using DVD-1 without an internet connection. The aforementioned packages are available on DVD-1.
4. I reboot my machine and boot into Gnome GUI.
5. How do I install additional Debian packages via Tor? (It would appear that I need to have Tor package tor-browser-linux64-6.0.2_en-US.tar.xz downloaded from another computer and saved onto a USB stick, right?)
1 . debian 8 (live) dvd 1 :
1 . debian 8 (live) dvd 1 : you insert it , and click on the icon install : bingo.
2 . something is wrong in your install because after a reboot you are not in a tty but on your desktop.
3 . no, you forgot check desktop gnome at the install
4 . like it is written at the beginning of this article (tor will be installed in the same time).tor 6.0.3 is the new version
2 . something is wrong in
2 . something is wrong in your install because after a reboot you are not in a tty but on your desktop.
3 . no, you forgot check desktop gnome at the install
I forgot to tell you that I did a minimal install. I do not want to install the full Gnome desktop environment because it is too massive and full of applications that I do not usually use.
That is why after a minimal install from DVD-1 and after a reboot, I go into tty1 (console) and no desktop environment.
Thanks so much for doing
Thanks so much for doing this. We need more "mainstream" companies to embrace hidden services. I am very proud of Debian for this decision.
wow thats huge <3
wow thats huge <3
Are these services' onion
Are these services' onion keys controlled by a different set of people than those who control the debian archive signing keys?
If so, that would mean that attackers wanting to serve malicious debian updates would need to compromise two people/systems instead of just one... which would be a nice improvement over the way things have been thus far.
There is no page for
There is no page for https://blog.torproject.org at https://onion.torproject.org/. Why?
this is great! i use debian
this is great! i use debian Operating System by default im trying to learn new languages and debian doesnt have very easily configurable VPN support but i use the tor bundle and hope to see more good updates for my OS also. thank you !
debian offers a large choice
debian offers a large choice of vpn support very easily configurable ; it is more or less user-friendly depending on the choice of your desktop : gnome e.g.
onion does not work for
onion does not work for forum, mailing-list debian.
it does now.
it does now.
Confused. If I install
Confused. If I install apt-transport-tor on debian, it then installs tor on my system. When I run TBB, a separate instance of tor runs on a different port. Does this have any anonymity implications using two different instances of Tor? One would be used mainly for updating my debian system (the tor version installed to my system), and the other for TBB activity. Can I or should I combine the different tor instances? If so, how? Or am I OK running both?
It is possible to configure
It is possible to configure Tor Browser to use the system Tor daemon:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Ru…
However, it is not a problem having multiple Tor daemons running, so you can keep doing that.
Thank you thank you! I've
Thank you thank you!
I've been asking for this for five years and its great to see it happening.
I came here:
I came here: http://sejnfjrq6szgca7v.onion/distrib/packages, then I typed "tor" in search keyword, and the page with results was redirected to standard clearnet page: https://packages.debian.org/search?searchon=contents&keywords=tor&mode=…. Debian doing it wrong.
About "deb
About "deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main": I noticed that the apt key (you can get it as "apt-key export 0x886DDD89 > file.txt") contains many slashes in the middle of text file:
Is it normal? I've never seen such PGP keys.
That is very concerning. We
That is very concerning. We need an official response on this one!
Debian Project? Tor Project?
That's a key from tor
That's a key from tor project, they are responsible for this. Maybe it follows from PGP format, but I don't know.
How to get onion version of
How to get onion version of the page https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk/? When I click on "tor-talk" on the page http://expyuzz4wqqyqhjn.onion/docs/documentation.html.en, it redirects me to clearnet page. When ALL torproject services will be accessible through HS?
I am a bit upset by
I am a bit upset by dependencies of apt-transport-tor package, which requires tor to be installed. I use VM where Tor runs at host OS, so I don't need to run Tor in guest OS. However, I want to use torified apt-get inside my guest OS, so all traffic of guest OS goes through external (host OS) Tor proxy. Now to get it working I am forced to install Tor also in guest OS, and then disable it at startup.
You can use 'equivs' to
You can use 'equivs' to create a fake 'tor' package to satisfy the dependency. Might be simpler in your case.
Thanks for info, I didn't
Thanks for info, I didn't know about it. However, I doubt it is so simple. Since I'm using standard apt-get for installation and upgrade, that "fake" package must be very similar to real tor package, because installation/upgrade or apt-transport-tor requires ability to stop tor, start it, check its startup levels, and so on. If any of these actions fail, the whole upgrade or installation fails.
More accurate way to solve the problem is to prepare custom apt-transport-tor package which doesn't depend on tor in any way.
You should also get an onion
You should also get an onion address for the Blog page. Otherwise one goes to the onion page for the Main Project, wants to read the latest news and is redirected to a non-onion site.
Plz. FIX HIDDEN SERVICE
Plz. FIX HIDDEN SERVICE first. The Onion address is a truncated SHA1 hash which is prone to IMPERSONATION. SO, no matter how good TOR's actual crypto be, you might be connecting to a WRONG site. period
Got it set up, works fine.
Got it set up, works fine. However, when APT has to get something directly from another site that is not from Debian repositories, it defaults to downloading via wget over clearnet links. Is there a way to change the behavior of APT to download via TOR, maybe even using curl instead? Hopefully more distros follow this idea.
If "tor+http(s)" is
If "tor+http(s)" is specified in sources.list, these clearnet links are downloaded through Tor anyway.
Very good work, thank you
Very good work, thank you Tor + Debian!
Why no onion service for
Why no onion service for blog.torproject.org?
Nice! Any chance you could
Nice!
Any chance you could sign the list of onion addresses with a GPG key that's been associated with Tor for a while (eg the TBB key)?
Same question to Debian: could their list of addresses be signed by an already-trusted debian key?
Though a slightly delayed
Though a slightly delayed reply, should anyone seek to update a Debian system through a secure connection but feel slightly overwhelmed to do so using tor, there are some primary and secondary Debian mirror sites (https://www.debian.org/mirror/list) that accept https connections. The Debian mirror site for Singapore at "https://ftp.sg.debian.org/debian/" for example provides such scheme to perform updates. A number of secondary Debian mirror sites also accept secure connections of which the following
. https://mirror.as35701.net/debian/ (Belgium)
. https://debian.ludost.net/debian/ (Bulgaria)
. https://ftp.sh.cvut.cz/debian/ (Czech Republic)
. https://mirror.dkm.cz/debian/ (Czech Republic)
. https://mirrors.dotsrc.org/debian/ (Denmark)
. https://mirror.t-home.mk/debian (Macedonia)
Going through the list to choose sources is time consuming and seemingly resources heavy but other such mirrors should provide with the opportunity to perform updates through a secure connection. Installing apt-transport-https enables the update system to reach secure ports.
From what I remember, the Debian security repositories are open to the Debian security team only. As such the address "security.debian.org" seems to not provide similar connection types. The onion address at "https://sgvtcaew4bxjd7ln.onion/" seems to be at the moment the only choice available should anyone wish to perform Debian security updates using a secure connection.
I find that secure protocols such as https which provide an initial layer of abstraction by default are good enough for most people. I would support an initiative to make available such protocols as a default option when using Debian repositories for updates.
Hello, why not publish some
Hello,
why not publish some type or use MapAddress feature for this known addresses to secure users already running tor even more?
Like:
MapAddress www.torproject.org expyuzz4wqqyqhjn.onion
The official Debian
The official Debian announcement is at
http://4ypuji3wwrg5zoxm.onion/2016/08/debian-and-tor-services-available…
That points to the onion service version of Debian Bits, the official Debian blog.
Can you make blog.torproject.org available as an onion service also?