Tor+http sources - Security InRelease

Linux Kernel, Network, and Services configuration.
Fasterandfaster
Posts: 35
Joined: 2023-02-06 21:55
Been thanked: 1 time

Tor+http sources - Security InRelease

#1 Post by Fasterandfaster »

Does anyone know what is happening to the tor+http Security sources?

I get error messages saying that
5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye/updates
is not gpg signed making it InRelease and therefore cannot be updated safely.

Also, I constantly get "timed out" error messages but sometimes if I change circuits enough, this error does not occur.

What is interfering with tor and how do I secure it? I have md5sum and sha256 verified tor transports and tried reinstalling. Getting the transport through apt produced the same inconsistent downloading and error messages.

Aki
Global Moderator
Posts: 2823
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 69 times
Been thanked: 385 times

Re: Tor+http sources - Security InRelease

#2 Post by Aki »

Hello,
It's an interesting topic. Debian has been providing tor/onion services for several years [1]. Here is [2] the "Bits from Debian" press release with a detailed description and instructions from 2016.

I'm not a tor expert, but your post was an opportunity to perform a test and to configure a Debian Bookworm to access these services.

I installed the apt-transport-tor package and the required dependencies. Then I configured the /etc/apt/sources.list according to addresses listed in [1]:

Code:

deb  tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main
deb  tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main

Then, I updated the local repository and upgraded the installation without big issues. The connection was slow at the beginning of the update (I got one time out error), but after a while I suppose the tor circuits were more stable and I was able to upgrade 151 packages in my Debian Bookworm using onion debian repositories without any major issue.

Hope that helps.

---
[1] https://onion.debian.org/
[2] https://bits.debian.org/2016/08/debian- ... vices.html
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

Fasterandfaster
Posts: 35
Joined: 2023-02-06 21:55
Been thanked: 1 time

Re: Tor+http sources - Security InRelease

#3 Post by Fasterandfaster »

Thanks for that reply. I may try Bookworm. The latest edition is more innovative but stable is more reliable/secure, is that the way to look at it? I will mention that there is something that interferes with tor on multiple OSes, devices, and access points/ISPs. I was getting tor + http after second tries of apt update without many time outs and sometimes with complete success but now I am totally timed out and had to return to https transport. There is also the gpg signing issue for security sources which if you ignore would be accepting a vulnerability in your security, which doesn't sound like a good option to take to me. Someone must know Nyx thoroughly so whatever harmful interference that is happening can be eliminated. Tor+httpS on Qubes can also be interfered with and there seems to be no way of perfect updating security unless you control the entire networking infrastructure yourself and have your own advanced network security team.

Fasterandfaster
Posts: 35
Joined: 2023-02-06 21:55
Been thanked: 1 time

Re: Tor+http sources - Security InRelease

#4 Post by Fasterandfaster »

What's online from the past must not be the latest. Has Debian considered making tor+httpS sources? Here's what was intermittently working for me:

#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgb ... ion/debian bullseye main contrib
#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgb ... ion/debian bullseye main

#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgb ... ion/debian bullseye-updates main contrib
#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgb ... ion/debian bullseye-updates main

#deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjps ... n-security bullseye/updates main contrib non-free
#deb-src tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjps ... n-security bullseye/updates main contrib non-free

"In" Release - ignore?
[deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjps ... n-security InRelease bullseye main contrib
deb-src tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjps ... n-security InRelease bullseye]
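
Added example, not part of any post in this thread and not Debian's or apt's own code: a small Python check for one-line sources.list entries like the ones posted above. It relies on the Debian 11 change that renamed the security suite from <codename>/updates to <codename>-security; placeholder.onion and the sample entries are constructed.

```python
import re

# Since Debian 11 the security suite is "<codename>-security"; through
# Debian 10 (buster) it was "<codename>/updates".
DASH_SECURITY = {"bullseye", "bookworm", "trixie"}
# Per-source options that make apt accept sources failing authentication.
INSECURE_OPTS = {"trusted=yes", "allow-insecure=yes"}
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")

def lint_entry(line):
    """Return findings for one one-line-style sources.list entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = ENTRY.match(line)
    if not m:
        return ["malformed: expected 'deb [options] uri suite components'"]
    _kind, opts, uri, suite, _comps = m.groups()
    findings = []
    for opt in (opts or "").split():
        if opt.lower() in INSECURE_OPTS:
            findings.append(f"{opt} makes apt accept unauthenticated indexes")
    scheme, _, rest = uri.partition("://")
    if scheme == "tor+http" and not rest.split("/")[0].endswith(".onion"):
        findings.append("tor+http to a non-onion host exits Tor as plain HTTP")
    if suite in ("InRelease", "Release"):
        findings.append(f"'{suite}' is an index file name, not a suite")
    codename, sep, tail = suite.partition("/")
    if sep and tail == "updates" and codename in DASH_SECURITY:
        findings.append(f"'{suite}' is the pre-bullseye naming; "
                        f"use '{codename}-security'")
    return findings

def lint_sources(text):
    """Map 1-based line numbers to findings, skipping clean lines."""
    found = {n: lint_entry(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: f for n, f in found.items() if f}

# Constructed sample; placeholder.onion stands in for a real mirror address.
SAMPLE = """\
deb tor+http://placeholder.onion/debian bullseye main contrib
deb tor+http://placeholder.onion/debian-security bullseye/updates main contrib
deb tor+http://placeholder.onion/debian-security InRelease bullseye main
deb [trusted=yes] tor+http://deb.debian.org/debian bullseye main
deb tor+http://placeholder.onion/debian-security bullseye-security main
"""
```

Calling lint_sources() on the contents of /etc/apt/sources.list returns only the lines that need attention, keyed by line number.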

Aki
Global Moderator
Posts: 2823
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 69 times
Been thanked: 385 times

Re: Tor+http sources - Security InRelease

#5 Post by Aki »

Hello,
Fasterandfaster wrote: 2023-02-15 18:37 I was getting tor + http after second tries of apt update without many time outs and sometimes with complete success but now I am totally timed out and had to return to https transport.
Sometimes it can happen; it could depend on many different factors, including how tor is implemented.

Fasterandfaster wrote: 2023-02-15 18:37 There is also the gpg signing issue for security sources which if you ignore would be accepting a vulnerability in your security
There's something wrong in your configuration: in the tests I performed there's no occurrence of gpg signing errors with tor transport for apt. Please check your configuration.

Fasterandfaster wrote: 2023-02-15 18:37 Someone must know Nyx thoroughly so whatever harmful interference that is happening can be eliminated.
Why should the nyx program help in preventing it? Please explain it to me from the technical point of view.

Fasterandfaster wrote: 2023-02-15 18:37 Tor+httpS [..] can also be interfered with and there seems to be no way of perfect updating security unless you control the entire networking infrastructure yourself and have your own advanced network security team.
If you don't trust tor's level of security, why are you trying to use it?

Has Debian considered making tor+httpS sources?
Yes. By the way, why do you type https as httpS?

Please, use the code tag to enclose logs, configurations or code; for example:

Code:

example

Fasterandfaster
Posts: 35
Joined: 2023-02-06 21:55
Been thanked: 1 time

Re: Tor+http sources - Security InRelease

#6 Post by Fasterandfaster »

I verified the iso but found this error message in sources:
# deb cdrom:[Debian GNU/Linux 11.6.0 _Bullseye_ - Official amd64 DVD Binary-1 20221217-10:40]/ bullseye contrib main
# deb cdrom:[Debian GNU/Linux 11.6.0 _Bullseye_ - Official amd64 DVD Binary-1 20221217-10:40]/ bullseye contrib main
# Line commented out by installer because it failed to verify:
#deb https://security.debian.org/debian-security bullseye-security main contrib
# Line commented out by installer because it failed to verify:
#deb-src https://security.debian.org/debian-security bullseye-security main contrib
Why did that happen?
No, I do not capitalize the S in https. It's just to highlight the difference. Someone likes to http inject me with ssl strip or something like that in or out of tor.
I am not trying to make people doubt the security of tor. I am just reporting what I have witnessed. It is not a perfect system. The circuits can be manipulated and ssl stripping and anomalies occur even with tor circuits. Yes, I would like to know ironclad methods of implementing tor. I follow directions to the best of my abilities and verify. Often, it is not so easy as the map is not isomorphic to the contingencies of the terrain.

cds60601
df -h | participant
Posts: 706
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 129 times
Been thanked: 60 times

Re: Tor+http sources - Security InRelease

#7 Post by cds60601 »

# deb cdrom:[Debian GNU/Linux 11.6.0 _Bullseye_ - Official amd64 DVD Binary-1 20221217-10:40]/ bullseye contrib main
# deb cdrom:[Debian GNU/Linux 11.6.0 _Bullseye_ - Official amd64 DVD Binary-1 20221217-10:40]/ bullseye contrib main
# Line commented out by installer because it failed to verify:

The above failed because the Debian installer appears to be looking to see if the install is based on an actual CD-ROM.

#deb https://security.debian.org/debian-security bullseye-security main contrib
# Line commented out by installer because it failed to verify:
#deb-src https://security.debian.org/debian-security bullseye-security main contrib

This above here, most likely due to no internet access, just guessing.
Further reading: https://wiki.debian.org/SourcesList
Supercalifragilisticexpialidocious

Fasterandfaster
Posts: 35
Joined: 2023-02-06 21:55
Been thanked: 1 time

Re: Tor+http sources - Security InRelease

#8 Post by Fasterandfaster »

So there is some gpg signature I need to get? How should I now, post-install? TAILS installs with rfkill or disabling networking, so I thought that installing offline is more secure but then the OS can't retrieve gpg signatures?

Fasterandfaster
Posts: 35
Joined: 2023-02-06 21:55
Been thanked: 1 time

Re: Tor+http sources - Security InRelease

#9 Post by Fasterandfaster »

Whonix has all the answers. Just use whonix or qubes. There is really no point in providing Debian onion sources if the user requires security, that is, defending against an active attacker.

I would not now recommend using tor+http Debian sources without implementing Whonix uwt, and then you might as well just use Whonix if you have modern hardware.

“One of the main reasons for the inception of the Whonix ™ was that finding, developing and applying torification instructions is so difficult and one never really knows if it is 100% free of leaks. Even seriously reviewed torification instructions for one application would only apply to the very version which was being reviewed. Not to future versions of the application.”

(wsyd.onion/wiki/Stream_Isolation)
https://gitlab.torproject.org/legacy/tr ... orifyHOWTO
for Nyx instructions --→ wsyd.onion/wiki/Tor_Controller

Aki
Global Moderator
Posts: 2823
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 69 times
Been thanked: 385 times

Re: Tor+http sources - Security InRelease

#10 Post by Aki »

Fasterandfaster wrote: 2023-02-24 15:20 [..] There is really no point in providing Debian onion sources if the user requires security, that is, defending against an active attacker. [..]
Beware that accessing internet by Tor protocol does not improve user's security whatever Linux distribution a user could install. Tor protocol does not protect you from the "attackers" you are talking about. Yours is a big misconception.

Please stay on topic: this thread is about tor, not about security.

Fasterandfaster
Posts: 35
Joined: 2023-02-06 21:55
Been thanked: 1 time

Re: Tor+http sources - Security InRelease

#11 Post by Fasterandfaster »

Prove it is a misconception. Produce the evidence. TAILS, Qubes, Whonix all update over tor.
