[tor-commits] [community/staging] Onion Services section

2019-07-05 Thread hiro
commit 5d08c4a0fe3b202659c1b79d171de2c91a6e6a82
Author: Pili Guerra 
Date:   Fri Jun 7 13:28:35 2019 +0200

Onion Services section
---
 .../overview/tor-onion-services-1.png  | Bin 0 -> 17222 bytes
 .../overview/tor-onion-services-2.png  | Bin 0 -> 19207 bytes
 .../overview/tor-onion-services-3.png  | Bin 0 -> 22213 bytes
 .../overview/tor-onion-services-4.png  | Bin 0 -> 21419 bytes
 .../overview/tor-onion-services-5.png  | Bin 0 -> 22165 bytes
 .../overview/tor-onion-services-6.png  | Bin 0 -> 18018 bytes
 content/onion-services/overview/contents.lr| 112 +
 content/onion-services/setup/contents.lr   |  57 ++-
 content/onion-services/ssl-tls/contents.lr |   4 +-
 templates/onion-services.html  |  25 +++--
 10 files changed, 186 insertions(+), 12 deletions(-)

diff --git 
a/assets/static/images/onion-services/overview/tor-onion-services-1.png 
b/assets/static/images/onion-services/overview/tor-onion-services-1.png
new file mode 100644
index 000..75de366
Binary files /dev/null and 
b/assets/static/images/onion-services/overview/tor-onion-services-1.png differ
diff --git 
a/assets/static/images/onion-services/overview/tor-onion-services-2.png 
b/assets/static/images/onion-services/overview/tor-onion-services-2.png
new file mode 100644
index 000..4081cdb
Binary files /dev/null and 
b/assets/static/images/onion-services/overview/tor-onion-services-2.png differ
diff --git 
a/assets/static/images/onion-services/overview/tor-onion-services-3.png 
b/assets/static/images/onion-services/overview/tor-onion-services-3.png
new file mode 100644
index 000..3a948ac
Binary files /dev/null and 
b/assets/static/images/onion-services/overview/tor-onion-services-3.png differ
diff --git 
a/assets/static/images/onion-services/overview/tor-onion-services-4.png 
b/assets/static/images/onion-services/overview/tor-onion-services-4.png
new file mode 100644
index 000..88db970
Binary files /dev/null and 
b/assets/static/images/onion-services/overview/tor-onion-services-4.png differ
diff --git 
a/assets/static/images/onion-services/overview/tor-onion-services-5.png 
b/assets/static/images/onion-services/overview/tor-onion-services-5.png
new file mode 100644
index 000..c171d71
Binary files /dev/null and 
b/assets/static/images/onion-services/overview/tor-onion-services-5.png differ
diff --git 
a/assets/static/images/onion-services/overview/tor-onion-services-6.png 
b/assets/static/images/onion-services/overview/tor-onion-services-6.png
new file mode 100644
index 000..23f9f71
Binary files /dev/null and 
b/assets/static/images/onion-services/overview/tor-onion-services-6.png differ
diff --git a/content/onion-services/overview/contents.lr 
b/content/onion-services/overview/contents.lr
new file mode 100644
index 000..4924c44
--- /dev/null
+++ b/content/onion-services/overview/contents.lr
@@ -0,0 +1,112 @@
+section: onion services
+---
+section_id: onion-services
+---
+color: primary
+---
+_template: layout.html
+---
+title: How do .onion Services work?
+---
+subtitle: Learn how .onion services work.
+---
+key: 0
+---
+html: two-columns-page.html
+---
+body:
+
+Onion services are services that can only be accessed over Tor. Running an 
onion service gives your users all the security of HTTPS with the added privacy 
benefits of Tor Browser.
+
+## Why onion services?
+
+Onion services offer various security benefits to their users, that are not 
usually given on the normal web. In particular:
+
+### Location hiding
+
+An onion service's IP is hidden. Onion services are an overlay network on top 
of TCP/IP/, so in some sense IP addresses are not even meaningful to onion 
services: they are not even used in the protocol.
+
+### End-to-end authentication
+
+When a user visits a particular onion, they know that the content they are 
seeing can only come from that particular onion and that no impersonation is 
possible. This is not the case with the normal web, where reaching a website 
does not mean that a man-in-the-middle did not reroute to some other location 
(e.g. DNS attacks).
+
+### End-to-end encryption
+
+Onion service traffic is encrypted from the client to the onion host. This is 
like getting strong SSL/HTTPS for free.
+
+### NAT punching
+
+Is your network filtered and you can't open ports on your firewall? This could 
happen if you are in a university campus, an office, an airport or pretty much 
anywhere. Onion services don't need open ports because they punch through NAT, 
since they only establish outgoing connections.
+
+
+## The Onion Service Protocol: Overview
+
+Now the question becomes **what kind of protocol do we need to achieve all 
these properties?** In particular, on the normal web, we connect to an IP 
address and we are done, but in this case how do we connect to something that 
does not have an IP address?
+
+In particular, an onion service's 
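
Review bot: In the "Location hiding" paragraph, "TCP/IP/," has a stray trailing slash and should read "TCP/IP,". In the same added body, the sentence "Onion services offer various security benefits to their users, that are not usually given on the normal web" reads better without the comma before "that". The last two paragraphs of the overview both open with "In particular" ("In particular, on the normal web, we connect to an IP address" and "In particular, an onion service's"), so one of them should be reworded.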

[tor-commits] [community/staging] Onion Services section

2019-06-07 Thread pili
commit f186e9f7a88c1edfdfedf4fbb202fdd2c8d334e3
Author: Pili Guerra 
Date:   Fri Jun 7 13:28:35 2019 +0200

Onion Services section
---
 content/onion-services/overview/contents.lr | 18 +-
 content/onion-services/ssl-tls/contents.lr  |  2 +-
 templates/onion-services.html   |  4 ++--
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/content/onion-services/overview/contents.lr 
b/content/onion-services/overview/contents.lr
index 1f9b25c..7d6349f 100644
--- a/content/onion-services/overview/contents.lr
+++ b/content/onion-services/overview/contents.lr
@@ -21,11 +21,11 @@ body:
 Onion services are services that can only be accessed over Tor.
 Running an onion service gives your users all the security of HTTPS with the 
added privacy benefits of Tor Browser.
 
-## Why onion services?
+## Why onion services?
 
 Onion services offer various security benefits to their users, that are not 
usually given on the normal web. In particular:
 
-### Location hiding
+### Location hiding
 
 An onion service's IP is hidden.
 Onion services are an overlay network on top of TCP/IP/, so in some sense IP 
addresses are not even meaningful to onion services: they are not even used in 
the protocol.
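
Review bot: Both heading changes in this hunk ("## Why onion services?" and "### Location hiding") show identical text on the removed and added lines, so the change is presumably whitespace-only, yet the commit message "Onion Services section" does not say so. Stating the whitespace cleanup in the message would let a reviewer confirm that no wording changed.
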
@@ -35,7 +35,7 @@ Onion services are an overlay network on top of TCP/IP/, so 
in some sense IP add
 When a user visits a particular onion, they know that the content they are 
seeing can only come from that particular onion and that no impersonation is 
possible.
 This is not the case with the normal web, where reaching a website does not 
mean that a man-in-the-middle did not reroute to some other location (e.g. DNS 
attacks).
 
-### End-to-end encryption
+### End-to-end encryption
 
 Onion service traffic is encrypted from the client to the onion host. This is 
like getting strong SSL/HTTPS for free.
 
@@ -58,7 +58,7 @@ This looks weird and random because in reality it's the 
_identity public key_ of
 The general concept behind the onion service protocol is that we use the Tor 
network so that the client (Alice) can introduce itself to the service (Bob), 
and then sets up a rendezvous with the service.
 Here is a detailed breakdown of how this happens:
 
-### Act 1: Where the onion service sets up its introduction points
+### Act 1: Where the onion service sets up its introduction points
 
 ![Onion Services: Step 
1](/static/images/onion-services/overview/tor-onion-services-1.png)
 
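Review bot: The context sentence two lines above the "Act 1" heading, "the client (Alice) can introduce itself to the service (Bob), and then sets up a rendezvous with the service", has a verb that does not agree with "can". Since this commit already touches the heading directly below it, change "sets up" to "set up" in the same pass.
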
@@ -67,7 +67,7 @@ These circuits are anonymized circuits, so Bob does not 
reveal his locations to
 
 As part of this step, Bob gives its introduction point a special 
"authentication key", so that if any clients come for introductions later the 
introduction point can use that key to match them to Bob.
 
-### Act 2: Where the onion service publishes its descriptors
+### Act 2: Where the onion service publishes its descriptors
 
 ![Onion Services: Step 
2](/static/images/onion-services/overview/tor-onion-services-2.png)
 
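Review bot: The context paragraph before the "Act 2" heading says "Bob gives its introduction point", while the neighbouring lines use "his" for Bob ("Bob does not reveal his locations", "he does not reveal his location"). Use one pronoun throughout, and make "locations" in the line quoted in the hunk header singular to match the Act 2 text.
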
@@ -79,7 +79,7 @@ The _identity private key_ used here is the private part of 
the **public key tha
 Now, Bob uploads that signed descriptor to a _distributed hash table_ which is 
part of the Tor network, so that clients can also get it.
 Bob uses an anonymized Tor circuit to do this upload, so that he does not 
reveal his location.
 
-### Act 3: Where a client wants to visit the onion service
+### Act 3: Where a client wants to visit the onion service
 
 All the previous steps were just setup for the onion service so that it's 
reachable by clients.
 Now let's fast-forward to the point where an actual client wants to visit the 
service:
@@ -93,12 +93,12 @@ When Alice receives the signed descriptor, she verifies the 
signature of the des
 This provides the _end-to-end authentication_ security property, since we are 
now sure that this descriptor could only be produced by Bob and no one else.
 And inside the descriptor there are the introduction points which allow Alice 
to introduce herself to Bob.
 
-### Act 4: Where the client establishes a rendezvous point
+### Act 4: Where the client establishes a rendezvous point
 
 Now before the introduction takes place, Alice picks a Tor relay and 
establishes a circuit to it.
 Alice asks the relay to become her _rendezvous point_ and gives it an 
"one-time secret" that will be used as part of the rendezvous procedure.
 
-### Act 5: Where the client introduces itself to the onion service
+### Act 5: Where the client introduces itself to the onion service
 
 ![Onion Services: Step 
4](/static/images/onion-services/overview/tor-onion-services-4.png)
 
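Review bot: Under "### Act 5" the image alt text reads "Onion Services: Step 4" and points to tor-onion-services-4.png, and "### Act 4" has no figure in this hunk, so the act and step numbers do not line up for a reader following along. Either renumber the alt text or state which act each figure illustrates. In the Act 4 paragraph, "an "one-time secret"" should be "a "one-time secret"".
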
@@ -120,7 +120,7 @@ This provides _location hiding_ to this connection:
 
 ![Onion Services: Step 
6](/static/images/onion-services/overview/tor-onion-services-6.png)
 
-## Further resources
+## Further resources
 
 This was just a high-level overview of the Tor onion services protocol.
 Here are some more resources for the curious who want to learn more:
diff --git