onion services: add v3 manual from wiki (fixes #24880)
traumschule

traumschule commited on 2018-08-19 23:25:31
Zeige 1 geänderte Dateien mit 112 Einfügungen und 12 Löschungen.

... ...
@@ -134,8 +134,9 @@
134 134
 	<pre> HiddenServiceDir C:\Users\username\Documents\tor\hidden_service
135 135
 	HiddenServicePort 80 127.0.0.1:8080 </pre>
136 136
 
137
-    <p>Note that since 0.2.6, both <var>SocksPort</var> and <var>HiddenServicePort</var> support Unix sockets. 
138
-    This means that you can point the <var>HiddenServicePort</var> to a Unix socket:</p>
137
+    <p>Note that since 0.2.6, both <var>SocksPort</var> and <var>HiddenServicePort</var>
138
+    support Unix sockets. This means that you can point the <var>HiddenServicePort</var>
139
+    to a Unix socket:</p>
139 140
     <pre>
140 141
     HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
141 142
     HiddenServicePort 80 unix:/path/to/socket
... ...
@@ -199,8 +200,8 @@
199 200
     service, just add more <var>HiddenServicePort</var> lines.
200 201
     If you want to run multiple onion services from the same Tor
201 202
     client, just add another <var>HiddenServiceDir</var> line. All the following
202
-    <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var> line, until
203
-    you add another <var>HiddenServiceDir</var> line:
203
+    <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var>
204
+    line, until you add another <var>HiddenServiceDir</var> line:
204 205
     </p>
205 206
 
206 207
     <pre>
... ...
@@ -212,13 +213,13 @@
212 213
     HiddenServicePort 22 127.0.0.1:22
213 214
     </pre>
214 215
 
215
-    <p>Onion services operators need to practice proper operational security
216
-    and system administration to maintain security. For some security
217
-    suggestions please make sure you read over Riseup's <a
218
-	href="https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices">"Tor
219
-	Hidden (Onion) Services Best Practices" document</a>. Also, here are some
220
-	more anonymity issues you should keep in mind:
221
-
216
+    <p>Onion services operators need to practice proper
217
+    <a href="https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity">
218
+    operational security</a> and system administration to maintain security.
219
+    For some security suggestions please make sure you read over Riseup's
220
+    <a href="https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices">
221
+    "Tor Hidden (Onion) Services Best Practices" document</a>.
222
+    Also, here are some more anonymity issues you should keep in mind:
222 223
     </p>
223 224
     <ul>
224 225
     <li>As mentioned above, be careful of letting your web server reveal
... ...
@@ -238,7 +239,13 @@
238 239
 
239 240
     <p>Another common issue is whether to use HTTPS on your relay or
240 241
     not. Have a look at this <a
241
-    href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs">post</a> on the Tor Blog to learn more about these issues.
242
+    href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs">post</a>
243
+    on the Tor Blog to learn more about these issues.
244
+    </p>
245
+
246
+    <p>You can use <a href="https://stem.torproject.org">stem</a> to
247
+    <a href="https://stem.torproject.org/tutorials/over_the_river.html">
248
+    automate the management of your onion services</a>.
242 249
     </p>
243 250
 
244 251
     <p>Finally, feel free to use the <a
... ...
@@ -246,6 +253,99 @@
246 253
     mailing list</a> to discuss the secure administration and operation of
247 254
     Tor onion services.</p>
248 255
 
256
+    <hr>
257
+    <a id="four"></a>
258
+    <h2><a class="anchor" href="#four">Step Four: Set up next-gen (v3) onions</a></h2>
259
+    <br>
260
+
261
+​    <p>Since Tor 0.3.2 and
262
+    <a href="https://blog.torproject.org/tor-browser-75a5-released">Tor Browser
263
+    7.5.a5</a> 56 bit long v3 onion addresses are supported and should be used
264
+    instead. This newer version of onion services ("v3") features many
265
+    improvements over the legacy system:
266
+    </p>
267
+    <ul>
268
+      <li>Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)</li>
269
+      <li>Improved directory protocol, leaking much less information to directory servers.</li>
270
+      <li>Improved directory protocol, with smaller surface for targeted attacks.</li>
271
+      <li>Better onion address security against impersonation.</li>
272
+      <li>More extensible introduction/rendezvous protocol.</li>
273
+      <li>A cleaner and more modular codebase.</li>
274
+    </ul>
275
+    <p>For details see
276
+    <a href="https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames">
277
+    Why are v3 onions better?</a>. You can identify a next-generation onion
278
+    address by its length: they are 56 characters long, as in
279
+    <var>4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion</a>.
280
+    
281
+    The specification for next gen onion services can be found
282
+    <a href="https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt">
283
+    here</a>.
284
+    </p>
285
+
286
+    <h3>How to setup your own prop224 service</h3>
287
+
288
+    <p>It's easy! Just use your ​<a href"#two">regular onion service</a> torrc
289
+    and add <var>HiddenServiceVersion 3</var> in your onion service torrc block.
290
+    Here is an example torrc designed for testing:
291
+    </p>
292
+    <pre>
293
+SocksPort auto
294
+
295
+HiddenServiceDir /home/user/tmp/hsv3
296
+HiddenServiceVersion 3
297
+HiddenServicePort 6667 127.0.0.1:6667
298
+    </pre>
299
+    <p>Then your onion address is in <var>/home/user/tmp/hsv3/hostname</var>.
300
+    To host both a v2 and a v3 service using two onion service torrc blocks:
301
+    </p>
302
+    <pre>
303
+HiddenServiceDir /home/user/tmp/hsv2
304
+HiddenServicePort 6667 127.0.0.1:6667
305
+
306
+HiddenServiceDir /home/user/tmp/hsv3
307
+HiddenServiceVersion 3
308
+HiddenServicePort 6668 127.0.0.1:6667
309
+    </pre>
310
+
311
+    <p>Please note that tor is strict about directory permissions and does not
312
+    like to share its files. Make sure to restrict read and write access to the
313
+    onion services directory before restarting tor. For most linux based systems you can use:
314
+    </p>
315
+    <pre>chmod 700 -R /var/lib/tor</pre>
316
+
317
+    <p>To restart tor it's safer to not use SIGHUP directly (see bug
318
+    <a href="https://trac.torproject.org/projects/tor/ticket/21818">#21818</a>),
319
+    but to check the validity of the config first. On Debian based systems the
320
+    services management tool does this for you:</p>
321
+    <pre>
322
+    service tor restart
323
+    </pre>
324
+
325
+    <h3>How to help the next-gen onion development</h3>
326
+
327
+    <p>Please let us know if you find any bugs!
328
+    We are still in testing & development stage so things are very liquid and
329
+    in active development. If you want to help with development, check out the list of
330
+    <a href="https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~prop224&order=priority">
331
+    open prop224 bugs</a>.
332
+    </p>
333
+
334
+    <p>For researchers our wiki page
335
+    <a href="https://trac.torproject.org/projects/tor/wiki/doc/OnionServiceNamingSystems">
336
+    Onion Service Naming Systems</a> could be of value. If you are more of the bug
337
+    hunting type, please check our code and spec for errors and inaccuracies.
338
+    We would be thrilled to know about them!
339
+    </p>
340
+
341
+    <p>For debugging and to send us more helpful log files, turn on info logging:
342
+    </p>
343
+    <pre>
344
+SafeLogging 0
345
+Log notice file /home/user/tmp/hs/hs.log
346
+Log info file /home/user/tmp/hs/hsinfo.log
347
+    </pre>
348
+
249 349
   </div>
250 350
   <!-- END MAINCOL -->
251 351
   <div id = "sidecol">
252 352