HOWTO: get all your Debian packages via Tor Onion Services


(The Guardian Project) #1

Originally published at: https://guardianproject.info/2016/07/31/howto-get-all-your-debian-packages-via-tor-onion-services/
Following up on some privacy leaks that we looked into a while back, there are now official Debian Tor Onion Services for getting software packages and security updates. This is important for high risk use cases like TAILS covers, but also it is useful to make it more difficult to do some kinds of targeted attacks against high-security servers. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections. That means anyone with access to the network streams could both monitor and fingerprint traffic. When an request for a security update is spotted, an attacker knows that machine is vulnerable to an exploit, and could reliably exploit it before the security update is applied.

Using HTTPS to get security updates improves this situation a lot, but by measuring the size of data transfers, it is still possible to track which files are being downloaded. A Tor Onion Service provides end-to-end encryption like the HTTPS connection. It also mixes up the traffic with lots of other traffic, so its not easy to see what traffic goes together. That makes it a lot harder for a network observer to tell when a security update is being downloaded. Additionally, using a Tor Onion Service forces the traffic over Tor, so that the Debian mirror server cannot see which server is requesting the updates. That helps prevent targeted attacks.

There are other benefits as well, besides just for the person running the high security server in this example, especially if all of the traffic is coming over Tor. When updates are delivered over Tor, then that means the Debian mirror operators have less to worry about because they are handling less metadata that might have privacy concerns. It means that when law enforcement requests logs from the mirror operators, the mirror operators can more easily hand over anything they have since the mirror operator knows that there is not private information in the logs. Reducing the legal risks and privacy concerns makes it easier to run mirrors, and that helps internet services work better.

How can you set up your Debian machine to get updates over Tor?

Right now, the best way to set up a Debian machine to force traffic over Tor is to use transparent proxying via iptables rules. If you have that setup, then you can add the onion addresses as Debian apt sources as if they are any other HTTP Debian mirror. Another option is to install apt-transport-tor like TAILS does, then you can use special syntax to add the Tor Onion Services. And another way is to install an HTTP proxy like privoxy and enable apt HTTP proxy support as I described before. The apt-transport-tor and privoxy approaches both have the downside of having to trust an added piece of software, whereas the transparent proxy technique uses what is already present in the Linux kernel. I’ve been using the privoxy method since that is what I got working in 2014 and it has been working reliably on multiple servers since then. Also, I need privoxy installed for another application anyway.

Here’s how to set up the apt sources to get packages and updates via Tor Onion Services without delaying security updates. First, remove /etc/apt/sources.list and /etc/apt/sources.list.d/*.list to start with a clean slate. Next add /etc/apt/sources.list.d/00.vwakviie2ienjx6t.onion.list to get the main Debian repositories:


deb http://vwakviie2ienjx6t.onion/debian/ jessie main
deb-src http://vwakviie2ienjx6t.onion/debian/ jessie main

aka volatile

deb http://vwakviie2ienjx6t.onion/debian/ jessie-updates main
deb-src http://vwakviie2ienjx6t.onion/debian/ jessie-updates main

deb http://vwakviie2ienjx6t.onion/debian jessie-backports main
deb-src http://vwakviie2ienjx6t.onion/debian/ jessie-backports main

Next add the new Tor Onion Service for the security update repository at /etc/apt/sources.list.d/00.sgvtcaew4bxjd7ln.onion.list:


deb http://sgvtcaew4bxjd7ln.onion/ jessie/updates main

Then last, include the normal HTTP security.debian.org archive to ensure that your server gets the latest security updates, even if the Onion Service mirror is behind or there is some other issue related to Tor. This goes in /etc/apt/sources.list.d/99.security.debian.org.list to ensure that it is always the last repository that is tried, and apt loads files from /etc/apt/source.list.d/ in alphabetical order, so it’ll always try to get the security updates from the Onion Service before falling back to the HTTP source as a last resort.


deb http://security.debian.org/ jessie/updates main

I also run an unofficial mirror of the security updates on http://dju2peblv7upfz3q.onion/debian if you want to add another backup, i.e. /etc/apt/sources.list.d/00.dju2peblv7upfz3q.onion.list:


deb http://dju2peblv7upfz3q.onion/debian-security/ jessie/updates main


#2

Thanks for the hint on using onion sites to run apt against. I changed the setup but get the following - what does this really mean; something wrong or something to worry about?

W: GPG error: http://dju2peblv7upfz3q.onion jessie/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: GPG error: http://vwakviie2ienjx6t.onion jessie-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: GPG error: http://vwakviie2ienjx6t.onion jessie-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: GPG error: http://sgvtcaew4bxjd7ln.onion jessie/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: GPG error: http://vwakviie2ienjx6t.onion jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY CBF8D6FD518E17E1
W: GPG error: http://security.debian.org jessie/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: Failed to fetch http://dju2peblv7upfz3q.onion/debian-security/dists/jessie/updates/main/binary-armhf/Packages  404  Not Found [IP: 10.238.210.114 80]