Repositories and Tor

I was able to get the repositories working over Tor; however, by default it was using the regular, unencrypted repositories, which was unexpected. I thought it would be using the onion repositories by default, but it was not. I had to manually add these myself, and I got it working just fine.

$ sudo nano /etc/apt/sources.list

deb tor://vwakviie2ienjx6t.onion/debian testing main contrib non-free
deb-src tor://vwakviie2ienjx6t.onion/debian testing main contrib non-free

deb tor://vwakviie2ienjx6t.onion/debian testing-updates main contrib non-free
deb-src tor://vwakviie2ienjx6t.onion/debian testing-updates main contrib non-free

deb tor://sgvtcaew4bxjd7ln.onion/debian-security testing/updates main contrib non-free
deb-src tor://sgvtcaew4bxjd7ln.onion/debian-security testing/updates main contrib non-free

$ sudo nano /etc/apt/sources.list.d/freedombox2.list

deb tor://vwakviie2ienjx6t.onion/debian buster-backports main
deb-src tor://vwakviie2ienjx6t.onion/debian buster-backports main

$ sudo apt update
$ sudo apt upgrade
$ sudo apt dist-upgrade --auto-remove --purge

After adding the onion repositories, I was able to update everything without any issues. I would suggest adding the onion repositories by default as it will provide end-to-end encryption over Tor.

2 Likes

Thanks for the contribution.

We have something similar implemented. As soon as the Tor application is installed using the FreedomBox interface, the option to ‘download software using Tor’ is enabled by default. This will ensure that all repository URLs are updated from http:// to tor+http://. This will ensure that all software installations and upgrades use the Tor network. Has this not happened in your case? Do you wish for the Tor application to be installed by default?

I know; that has happened by default. But it’s using tor+http:// by default and not the onion repositories, as I added in my post, for example. Those onion repositories are available at SourcesList. The onion services provide end-to-end encryption through Tor; http:// is unencrypted. The least you could do is use tor+https://, but you’re better off using the onion services.

There are some challenges implementing this. I opened an issue on the issue tracker: https://salsa.debian.org/freedombox-team/plinth/issues/1596. Consider contributing there.

When you say http:// is unencrypted, you mean that it is encrypted till the exit node and from there it is unencrypted, right? Because the gains to anonymity and security are only minor (compared to the primary feature) by encrypting after that.

1 Like

Okay, thanks. Yes, that’s what I meant. It is unencrypted only once it reaches the exit node. I’d rather the exit node didn’t see anything at all regardless, including metadata.
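As an added example (not part of this thread and not FreedomBox or Debian code), the following POSIX shell script audits an apt sources.list and classifies each entry by the transport class the discussion above distinguishes: an onion service reached through a Tor transport (encrypted end to end inside Tor, the exit node never sees the traffic), https or tor+https (TLS to the mirror), tor+http (protected only up to the Tor exit node), and plain http (unencrypted on the wire). It also flags a .onion host listed with an ordinary http:// or https:// scheme, which apt cannot reach because .onion names do not resolve in DNS. The sample entries are constructed; the onion hostname is the one quoted in the thread and deb.debian.org is used as the clearnet mirror.

```shell
#!/bin/sh
# Added example: audit apt source entries by transport protection level.
# Not part of the forum thread or of the FreedomBox project.

classify_source_uri() {
    # $1 = URI field of a deb/deb-src line. Prints one of:
    #   onion         tor://, tor+http:// or tor+https:// to a .onion host
    #   onion-no-tor  .onion host without a Tor transport (unreachable via DNS)
    #   tls           https:// or tor+https://
    #   tor-exit      tor+http:// or tor:// to a clearnet host: plaintext past the exit node
    #   plain         http://: unencrypted on the wire
    #   other         file:, cdrom:, or anything unrecognised
    uri=$1
    scheme=${uri%%://*}
    rest=${uri#*://}
    host=${rest%%/*}
    case "$host" in
        *.onion)
            case "$scheme" in
                tor|tor+http|tor+https) echo onion ;;
                *)                      echo onion-no-tor ;;
            esac
            return
            ;;
    esac
    case "$scheme" in
        https|tor+https) echo tls ;;
        tor+http|tor)    echo tor-exit ;;
        http)            echo plain ;;
        *)               echo other ;;
    esac
}

audit_sources() {
    # Reads sources.list-format lines on stdin. Skips blank and comment lines,
    # tolerates an optional [options] field (e.g. [arch=amd64]) and prints
    # "<class> <uri>" for every deb/deb-src entry.
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        set -- $line
        case "$1" in
            deb|deb-src) ;;
            *) continue ;;
        esac
        shift
        case "$1" in
            '['*)
                # consume tokens up to and including the closing ']'
                while [ "$#" -gt 0 ]; do
                    tok=$1; shift
                    case "$tok" in *']') break ;; esac
                done
                ;;
        esac
        echo "$(classify_source_uri "$1") $1"
    done
}

# Constructed sample sources.list content (not a real host configuration).
SAMPLE='deb http://deb.debian.org/debian testing main
deb tor+http://deb.debian.org/debian testing main
deb tor+https://deb.debian.org/debian testing main
deb tor://vwakviie2ienjx6t.onion/debian testing main
deb http://vwakviie2ienjx6t.onion/debian testing main
deb [arch=amd64] https://deb.debian.org/debian testing main
# deb-src http://deb.debian.org/debian testing main'

printf '%s\n' "$SAMPLE" | audit_sources
```

On a live system, `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources` gives the same report for the real configuration; any line reported as `plain` or `tor-exit` is the case discussed above, where the exit node (or, for plain http, anyone on the path) can observe which packages are fetched.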