OnionV3
parent
9f416f9cdc
commit
1b956831db
@ -3,44 +3,62 @@ Up: [[Home]]
|
||||
From: https://github.com/TokTok/c-toxcore/issues/419
|
||||
|
||||
I don't think indistinguishable message bytes and sizes are going to
|
||||
make any difference when they are sent over a network of so few
|
||||
bootstrap nodes. And anyone operating in a hostile environment is
|
||||
probably already running Tox over Tor, which works well.
|
||||
make any difference when they are sent over a network of so few bootstrap nodes.
|
||||
And anyone operating in a hostile environment is probably already
|
||||
running Tox over Tor, which works well.
|
||||
|
||||
Did the reports of blocking in China include blocking over Tor? Tor itself has implemented pluggable transport mechanisms that are continuously being improved, and these include ways to make the traffic look like another protocol like HTTP or whatever: <https://snowflake.torproject.org/>
|
||||
Did the reports of blocking in China include blocking over Tor? Tor
|
||||
itself has implemented pluggable transport mechanisms that are
|
||||
continuously being improved, and these include ways to make the
|
||||
traffic look like another protocol like HTTP or whatever:
|
||||
<https://snowflake.torproject.org/>
|
||||
|
||||
So the best way to handle this may be to improve the documentation in Tox of how to use Tor, and how to configure Tor to use pluggable transports. They are the only things that work in e.g. Egypt or Iran.
|
||||
So the best way to handle this may be to improve the documentation in
|
||||
Tox of how to use Tor, and how to configure Tor to use pluggable transports (obfs4).
|
||||
Whether or not you trust Tor (you can't trust Exit nodes 40% of the time)
|
||||
they are the only things that work right now in e.g. Egypt or Iran.
|
||||
|
||||
I also think the other way of getting a lot of resilience "cheaply" is
|
||||
to encourage bootstrap node operators to also run a Tor node to serve
|
||||
the BS over Onionv3. This is the only way I can see dealing with the
|
||||
fact that Tox is a network of so few bootstrap nodes. If the Tox
|
||||
codebase was improved to work with Onionv3 BS nodes, and OnionV3
|
||||
relays, it would be much more resilient.
|
||||
I also think the only way of getting a lot of resilience "cheaply" is
|
||||
to encourage bootstrap node operators to also run a Tor client to serve
|
||||
the BS node over Onionv3. This is the only way I can see dealing with the
|
||||
fact that Tox is a network of so few bootstrap nodes. If the Tox nodebase was
|
||||
improved to serve BS nodes, and OnionV3 relays, it would be much more resilient.
|
||||
I'm assuming the adversaries cannot block .onion addresses within Tor.
|
||||
|
||||
There is a way of configuring Tor to uniquely assign a
|
||||
There is a way of configuring a Tor client to uniquely assign a
|
||||
life-of-the-tor-instance IPv4 address from a predefined private range
|
||||
(VirtualAddrNetwork) to each onion address it sees:
|
||||
AutomapHostsOnResolve. So Tox could use OnionV3 BS nodes in a
|
||||
properly configured Tor with just some properly configured BS hosts
|
||||
lists (if enough BS nodes provided OnionV3 addresses), Then we could
|
||||
leave the heavy lifting of the cat-and-mouse games of pluggable
|
||||
transports etc. to Tor (or i2p), and not try to chase them ourselves.
|
||||
(VirtualAddrNetworkIPv4) to each onion address it sees:
|
||||
```AutomapHostsOnResolve 1```. So Tox could use OnionV3 BS nodes in a
|
||||
properly configured Tor with just some properly configured BS hosts lists
|
||||
(if enough BS nodes provided OnionV3 addresses). Then we could leave
|
||||
the heavy lifting of the cat-and-mouse games of pluggable transports etc.
|
||||
to Tor (or i2p), and not try to chase them ourselves.
|
||||
|
||||
To even try out this approach I think you need to fix the
|
||||
[open-for-five-years-and-counting](https://github.com/TokTok/c-toxcore/issues/469)
|
||||
issue of not resolving the IP address of the targets when you are in
|
||||
front of a SOCKS5 proxy (Tor). But maybe there's another way: you
|
||||
could contact each of the OnionV3 BS nodes outside of Tox and get the
|
||||
IPv4 address of each Onion BS node, for-life-of-the-tor-instance
|
||||
which is usually long enough, in Python using the Tor stem library.
|
||||
Then you could use these IPv4 addresses as your BS nodes, as long as
|
||||
your client didn't suffer from the dreaded deranged-hard-coded-bs syndrome.
|
||||
If you have such a list of onion addresses, the Tor user, who is running
|
||||
a Tor instance anyway to connect with the Tox client, adds this to the
|
||||
```/etc/tor/torrc```
|
||||
```
|
||||
VirtualAddrNetworkIPv4 172.16.0.0/12
|
||||
AutomapHostsOnResolve 1
|
||||
```
|
||||
Then with the list of onion addresses for BS nodes that are running Tox as OnionV3,
|
||||
then you can use ```tor-resolve``` or ```tor-resolve -4``` to get the
|
||||
good-for-you-only IP addresses of OnionV3 BS nodes in IPv4. So the Tox user
|
||||
does this and puts these addresses into his ```DHTnodes.json``` and boostraps his
|
||||
Tox client over Tor Onions. This works with libtoxcore is it is today, as long as
|
||||
your client doesn't suffer from the dreaded deranged-hard-coded-bs syndrome.
|
||||
|
||||
I've tried this but it's currently impossible to test as there is no
|
||||
equivalent to the ```other/fun/bootstrap_node_info.py``` script for
|
||||
TCP connections. For UDP you can send a packet of len 78 with the
|
||||
magic first bytes and get a version and MOTD reply. Not so for TCP (
|
||||
These steps would be automated by a simple bash or Python script,
|
||||
perhaps a Python script wrapped into an exe for Windows. These addresses are
|
||||
good for life of the Tor instance, and the script would need rerunning when Tor
|
||||
is restarted. You can also get the IPv4 address of each Onion BS node,
|
||||
(for-life-of-the-tor-instance which is usually long enough)
|
||||
in Python using the Tor stem library.
|
||||
|
||||
I've tried this but it's currently impossible to test as there is no equivalent
|
||||
to the ```other/fun/bootstrap_node_info.py``` script for TCP connections.
|
||||
For UDP you can send a packet of len 78 with the magic first bytes and get a
|
||||
version and MOTD reply. Not so for TCP (
|
||||
in fact if you do send such a packet to the TCP it send the BS node into an
|
||||
[infinite loop for which it neverrecovers](https://github.com/TokTok/c-toxcore/issues/2332)).
|
||||
So we need a simple fix to the TCP_server code to at least look for a
|
||||
@ -48,12 +66,12 @@ special packet like this and be nice and send a simple nice reply like
|
||||
the UDP case. Raised as https://github.com/TokTok/c-toxcore/issues/2331
|
||||
|
||||
We should not kid ourselves that we don't all live in China or Iran -
|
||||
the planet is in a loc$down and I think we might quickly find out just
|
||||
how much resiliance we need. s/China/Iran/Syria/Russia/
|
||||
the planet is in a loc$down, and I think we might quickly find out just
|
||||
how much resiliance we need. s/China/Iran/Syria/Russia/GDR
|
||||
|
||||
* https://www.themoscowtimes.com/2021/12/07/why-the-kremlin-blocking-tor-is-a-big-deal-a75751
|
||||
* https://www.wired.com/story/russia-block-tor-censorship/
|
||||
* https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook
|
||||
|
||||
* https://www.lifesitenews.com/news/biden-executive-order-allows-spying-on-americans-to-assess-political-instability-climate-threats/
|
||||
|
||||
Up: [[DDosSmallNumberOfBSNodes]]
|
||||
|
@ -59,3 +59,10 @@ WhatsApp which relay on centralized servers.
|
||||
### WhatsApp
|
||||
|
||||
* https://www.sott.net/article/472864-Telegram-CEO-issues-warning-about-WhatsApp-security
|
||||
|
||||
## Signal
|
||||
|
||||
[Signal](https://dt.gl/the-2021-review-of-messaging-service-providers-movim/)
|
||||
not only uses Amazon Web Services servers but also Microsoft and Google servers,
|
||||
and now to make things even more toxic they are also using
|
||||
[Cloudflare](https://dt.gl/cloudflare-why-the-fuss/) which makes in unusable with Tor.
|
Loading…
Reference in New Issue
Block a user