From eBower Wiki

Overview

Enabling your Apache server for the Dark Web is surprisingly easy.

What is the Dark Web?

The Dark Web essentially means sites that search engines don't, and usually can't, index. But that's not my main goal here; instead I want a better level of privacy. If I hit this site from https://www.ebower.com/wiki/Dark_Web I get an encrypted tunnel from my browser all the way through to my server, so nobody can modify content or see what I'm doing. Except they kind of can. Whoever is controlling my Internet access (my ISP, my mobile company, the guy running the public WiFi I'm connected to, etc.) can see (and intercept) my DNS request, so they know I'm hitting www.ebower.com. They can also see the hostname in the SNI extension of the TLS handshake, which is sent in the clear. Sure, they can't see my Wiki login credentials, the content I'm browsing, or anything like that, but they can see the server I'm talking to and the IP address of the server.

Tor's onionland Dark Web fixes that. When I go to http://rn6g7xhttyls7qca.onion/wiki/Dark_Web I also get an encrypted tunnel from my browser to the server. But I go through some third party IP addresses that constantly change in order to get there. And nobody even knows that I'm using the weird rn6g7xhttyls7qca hostname to get there because that request is encrypted and authenticated as well.

Realistically, in most cases this is a no-op. There's a lot of overhead and latency involved in onion routing, and my page is 99% static and fairly apolitical, benign content. But what if your page is not? What if you can't get an IP address from your ISP that allows ports 80 and 443 through? That's where Tor can help.

By creating a .onion site you'll generate a private key and register your name with the network. Now you get the encryption you need for security and privacy, the authentication to ensure the content is mine, and nothing leaks out.

TLS

You'll note that .onion sites rarely use TLS encryption. This may indicate that they're "insecure" depending on how you connect to them. But it could be argued that they're actually MORE secure without TLS.

First, encryption is end-to-end with both TLS and onion routing, so nothing really changes there. TLS offers server authentication: the certificate must be signed for the hostname you're visiting, or you get a big scary message if "www.google.com" presents a certificate signed for "honest-isp.com". But .onion sites have the same sort of signing, so again it's a wash.

But TLS authentication is a chain, and any weak link in the chain breaks the authentication. So if some small Certificate Authority (CA) is hacked (or owned by a foreign power), it can sign certs for www.google.com without issue, and your browser may trust them. Cert pinning and other techniques can help with this, but now you need to open up connections outside of Tor to reach not only the CA but also the servers that validate that the CA is the proper one; that's a lot of data you need out on the public Internet.

Certs also have a chain that leads back to you, someone knows who you registered the domain with, many cert providers have a credit card on file, the CA probably has records of your IP address(es) from downloading the certs, etc. Tor encryption and authentication bypasses that.

Browser Configuration

The easiest way to get online is the Tor Browser. This is a custom build of Firefox and runs on Windows, Linux and MacOS.

For Android, you can install Orbot to encrypt your entire connection, or modify it and use it with Orfox to just control your browsing.

For Chromebooks or Chrome on your desktop there's Kronymous which, when paired with FoxyProxy can get you onto the Tor network either entirely or just for .onion sites.

For iOS devices, you can always make a better phone choice next time... Seriously, there's probably a way to get online but that's outside the scope of this document.

Server Configuration

If you've got a server, it's a simple matter of installing Tor by running:

sudo apt-get install tor

You then need to edit /etc/tor/torrc and find the HiddenService section.

HiddenServiceDir /path/to/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443

You'll need to make sure to create the hidden_service directory, places like /etc/tor/hidden_service or ~/.tor/hidden_service are common. But make sure the user who runs Tor owns it.

I open up port 443, you probably don't want to. This can expose other certs on your server, so if you run www.my-legit-site.com and www.semi-legal-stuff.com via an .onion domain you may be tracked back to www.my-legit-site.com. On the other hand, I don't use Tor for anything shady so I don't mind and I may try to play with a cert if Let's Encrypt adds support.

Finally, you'll have to start Tor. There are plenty of ways to do this, but a simple cron is easiest:

@reboot sleep 30; tor -DataDirectory /path/to/working -RunAsDaemon 1

I typically just create a working directory under my hidden_service directory. This directory needs to be writable by whoever is running Tor.

Links

Now where to? Well, there are a ton of places you probably shouldn't be wandering but a few familiar faces exist.

  • eBower Wiki. Of course, I'm here.
  • Facebook. Some people scoff at using a service that tracks you via an anonymous proxy like Tor. These people don't realize that encrypting the first mile is sometimes the most important aspect of a connection to bypass corporate or national firewalls. Amusingly, Facebook's link scanner will scan a .onion link to provide a preview.
  • DuckDuckGo is a search engine that values privacy.
  • The Tor Project builds the software that powers this.