Tor+http sources - Security InRelease
-
- Posts: 35
- Joined: 2023-02-06 21:55
- Been thanked: 1 time
Tor+http sources - Security InRelease
Does anyone know what is happening to the tor+http Security sources?
I get error messages saying that
5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye/updates
is not gpg signed making it InRelease and therefore cannot be updated safely.
Also, I constantly get "timed out" error messages but sometimes if I change circuits enough, this error does not occur.
What is interfering with tor and how do I secure it? I have md5sum and sha256 verified tor transports and tried reinstalling. Getting the transport through apt produced the same inconsistent downloading and error messages.
-
- Global Moderator
- Posts: 3067
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 76 times
- Been thanked: 415 times
Re: Tor+http sources - Security InRelease
Hello,
It's an interesting topic. Debian has been providing tor/onion services for several years [1]. Here is [2] the "Bits from Debian" press release with a detailed description and instructions from 2016.
I'm not a tor expert, but your post was an opportunity to perform a test and to configure a Debian Bookworm to access these services.
I installed the apt-transport-tor package and the required dependencies. Then I configured the /etc/apt/sources.list according to addresses listed in [1]:
Code:
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main
Then, I updated the local repository and upgraded the installation without big issues. The connection was slow at the beginning of the update (I got one time out error), but after a while I suppose the tor circuits were more stable and I was able to upgrade 151 packages in my Debian Bookworm using onion debian repositories without any major issue.
Hope that helps.
---
[1] https://onion.debian.org/
[2] https://bits.debian.org/2016/08/debian- ... vices.html
-
- Posts: 35
- Joined: 2023-02-06 21:55
- Been thanked: 1 time
Re: Tor+http sources - Security InRelease
Thanks for that reply. I may try Bookworm. The latest edition is more innovative but stable is more reliable/secure, is that the way to look at it? I will mention that there is something that interferes with tor on multiple OSes, devices, and access points/ISPs. I was getting tor + http after second tries of apt update without many time outs and sometimes with complete success but now I am totally timed out and had to return to https transport. There is also the gpg signing issue for security sources which if you ignore would be accepting a vulnerability in your security, which doesn't sound like a good option to take to me. Someone must know Nyx thoroughly so whatever harmful interference that is happening can be eliminated. Tor+httpS on Qubes can also be interfered with and there seems to be no way of perfect updating security unless you control the entire networking infrastructure yourself and have your own advanced network security team.
-
- Posts: 35
- Joined: 2023-02-06 21:55
- Been thanked: 1 time
Re: Tor+http sources - Security InRelease
What's online from the past must not be the latest. Has Debian considered making tor+httpS sources? Here's what was intermittently working for me:
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgb ... ion/debian bullseye main contrib
#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgb ... ion/debian bullseye main
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgb ... ion/debian bullseye-updates main contrib
#deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgb ... ion/debian bullseye-updates main
#deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjps ... n-security bullseye/updates main contrib non-free
#deb-src tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjps ... n-security bullseye/updates main contrib non-free
"In" Release - ignore?
[deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjps ... n-security InRelease bullseye main contrib
deb-src tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjps ... n-security InRelease bullseye]
-
- Global Moderator
- Posts: 3067
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 76 times
- Been thanked: 415 times
Re: Tor+http sources - Security InRelease
Hello,
Please, use the code tag to enclose logs, configurations or code; for example:
Code:
example
Fasterandfaster wrote: 2023-02-15 18:37
> I was getting tor + http after second tries of apt update without many time outs and sometimes with complete success but now I am totally timed out and had to return to https transport.
Sometimes it can happen, it could depend on many different factors, including how tor is implemented.
Fasterandfaster wrote: 2023-02-15 18:37
> There is also the gpg signing issue for security sources which if you ignore would be accepting a vulnerability in your security
There's something wrong in your configuration: in the tests I performed there's no occurrence of gpg signing errors with tor transport for apt. Please, check your configuration.
Fasterandfaster wrote: 2023-02-15 18:37
> Someone must know Nyx thoroughly so whatever harmful interference that is happening can be eliminated.
Why should the nyx program help in preventing it? Please, explain it to me from the technical point of view.
Fasterandfaster wrote: 2023-02-15 18:37
> Tor+httpS [..] can also be interfered with and there seems to be no way of perfect updating security unless you control the entire networking infrastructure yourself and have your own advanced network security team.
If you don't trust in the tor's level of security, why are you trying to use it?
> Has Debian considered making tor+httpS sources?
Yes. By the way, why do you type https as httpS?
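One way to carry out the configuration check asked for above, as an added example that is not part of any forum post and is not Debian tooling: a small sh/awk linter for one-line apt source entries. The three checks (an index file name used as a suite, a `<codename>/updates` security suite on bullseye or later, an incomplete v3 onion host) and the function names are this example's own assumptions; the sample entries are constructed from the addresses shown in the thread.

```shell
#!/bin/sh
# Added example: lint one-line-style apt source entries read from stdin.
# Prints "<line number>: <finding>" per problem, nothing for a clean file.
lint_sources() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }    # comments and blank lines
    $1 != "deb" && $1 != "deb-src" { print NR ": not a deb/deb-src entry"; next }
    {
        i = 2
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }  # skip [options]
        if (i + 1 > NF) { print NR ": URI or suite missing"; next }
        uri = $i; suite = $(i + 1)

        # InRelease is the signed index file apt downloads, never a suite or component.
        for (j = i + 1; j <= NF; j++)
            if ($j == "InRelease" || $j == "Release")
                print NR ": \"" $j "\" is an index file name, not a suite or component"

        # From bullseye on, the security suite is <codename>-security;
        # <codename>/updates is the older form (accepted here: jessie, stretch, buster).
        if (suite ~ /\/updates$/ && suite !~ /^(jessie|stretch|buster)\//)
            print NR ": suite \"" suite "\" should use the <codename>-security form"

        # A v3 onion host is 56 base32 characters plus ".onion" (62 in total).
        if (uri ~ /^tor\+/) {
            host = uri
            sub("^[a-z+]+://", "", host); sub("[/:].*$", "", host)
            if (host ~ /\.onion$/ && (length(host) != 62 || host !~ /^[a-z2-7]+\.onion$/))
                print NR ": \"" host "\" is not a complete v3 onion address"
        }
    }'
}

# Constructed sample: the two bookworm entries from the working configuration,
# then two entries shaped like the failing bullseye ones.
sample_sources() {
    cat <<'EOF'
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye/updates main contrib
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security InRelease bullseye main contrib
EOF
}

sample_sources | lint_sources
```

To check a real file, run `lint_sources < /etc/apt/sources.list`; deb822-style `.sources` files are not handled.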
-
- Posts: 35
- Joined: 2023-02-06 21:55
- Been thanked: 1 time
Re: Tor+http sources - Security InRelease
I verified the iso but found this error message in sources:
# deb cdrom:[Debian GNU/Linux 11.6.0 _Bullseye_ - Official amd64 DVD Binary-1 20221217-10:40]/ bullseye contrib main
# deb cdrom:[Debian GNU/Linux 11.6.0 _Bullseye_ - Official amd64 DVD Binary-1 20221217-10:40]/ bullseye contrib main
# Line commented out by installer because it failed to verify:
#deb https://security.debian.org/debian-security bullseye-security main contrib
# Line commented out by installer because it failed to verify:
#deb-src https://security.debian.org/debian-security bullseye-security main contrib
Why did that happen?
No, I do not capitalize the S in https. It's just to highlight the difference. Someone likes to http inject me with ssl strip or something like that in or out of tor.
I am not trying to make people doubt the security of tor. I am just reporting what I have witnessed. It is not a perfect system. The circuits can be manipulated and ssl stripping and anomalies occur even with tor circuits. Yes, I would like to know ironclad methods of implementing tor. I follow directions to the best of my abilities and verify. Often, it is not so easy as the map is not isomorphic to the contingencies of the terrain.
- cds60601
- df -h | participant
- Posts: 749
- Joined: 2017-11-25 05:58
- Location: Florida
- Has thanked: 138 times
- Been thanked: 70 times
Re: Tor+http sources - Security InRelease
# deb cdrom:[Debian GNU/Linux 11.6.0 _Bullseye_ - Official amd64 DVD Binary-1 20221217-10:40]/ bullseye contrib main
# deb cdrom:[Debian GNU/Linux 11.6.0 _Bullseye_ - Official amd64 DVD Binary-1 20221217-10:40]/ bullseye contrib main
# Line commented out by installer because it failed to verify:
The above failed because the Debian installer appears to be looking to see if the install is based on an actual CD Rom.
#deb https://security.debian.org/debian-security bullseye-security main contrib
# Line commented out by installer because it failed to verify:
#deb-src https://security.debian.org/debian-security bullseye-security main contrib
This above here, most likely due to no internet access, just guessing.
Further reading: https://wiki.debian.org/SourcesList
Supercalifragilisticexpialidocious
-
- Posts: 35
- Joined: 2023-02-06 21:55
- Been thanked: 1 time
Re: Tor+http sources - Security InRelease
So there is some gpg signature I need to get? How should I now, post-install? TAILS installs with rfkill or disabling networking, so I thought that installing offline is more secure but then the OS can't retrieve gpg signatures?
-
- Posts: 35
- Joined: 2023-02-06 21:55
- Been thanked: 1 time
Re: Tor+http sources - Security InRelease
Whonix has all the answers. Just use whonix or qubes. There is really no point in providing Debian onion sources if the user requires security, that is, defending against an active attacker.
I would not now recommend using tor+http Debian sources without implementing Whonix uwt, and then you might as well just use Whonix if you have modern hardware.
“One of the main reasons for the inception of the Whonix ™ was that finding, developing and applying torification instructions is so difficult and one never really knows if it is 100% free of leaks. Even seriously reviewed torification instructions for one application would only apply to the very version which was being reviewed. Not to future versions of the application.”
(wsyd.onion/wiki/Stream_Isolation)
https://gitlab.torproject.org/legacy/tr ... orifyHOWTO
for Nyx instructions --→ wsyd.onion/wiki/Tor_Controller
-
- Global Moderator
- Posts: 3067
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 76 times
- Been thanked: 415 times
Re: Tor+http sources - Security InRelease
Fasterandfaster wrote: 2023-02-24 15:20
> [..] There is really no point in providing Debian onion sources if the user requires security, that is, defending against an active attacker. [..]
Beware that accessing internet by Tor protocol does not improve user's security whatever Linux distribution a user could install. Tor protocol does not protect you from the "attackers" you are talking about. Yours is a big misconception.
Please stay on topic: this thread is about tor, not about security.
-
- Posts: 35
- Joined: 2023-02-06 21:55
- Been thanked: 1 time
Re: Tor+http sources - Security InRelease
Prove it is a misconception. Produce the evidence. TAILS, Qubes, Whonix all update over tor.