tor-browser (AUR) should generally work without significant customization. If it was previously installed and configured and the bundled proxy fails with "The proxy server is refusing connections" for any website, consider resetting its settings by moving or deleting the ~/.tor-browser directory.
Because a visitor to your Landing Page may not be using Tor Browser yet, clicking a link to your SecureDrop instance or to any other .onion address may result in an error message. Worse, depending on the browser and network configuration, it may cause lookups that an adversary can use to identify SecureDrop-related behavior.
Tor onion service config fails due to apparmor
To change sysctls permanently, you can add the one you want to change to /etc/sysctl.conf or the corresponding files within /etc/sysctl.d, depending on your Linux distribution. Since Linux 5.8, sysctls can also be set via the sysctl.$tunable=$value boot parameter. This may be better, as it is set at the beginning of the boot process, without depending on a user space service to read the values from configuration files. The following are the recommended sysctl settings that you should change.
sysfs is a pseudo-filesystem which provides large quantities of kernel and hardware information. It is commonly mounted at /sys. sysfs has been the cause of numerous information leaks, particularly of kernel pointers. Whonix's security-misc package includes the hide-hardware-info script, which restricts access to this directory as well as a few in /proc in an attempt to hide potential hardware identifiers and prevent kernel pointer leaks. This script is configurable and allows whitelisting specific applications based on groups. It is recommended to apply this and make it execute on boot with an init script. For example, this is a systemd service to do so. For basic functionality to work on systems using systemd, you must whitelist a few system services. This can be done by creating /etc/systemd/system/user@.service.d/sysfs.conf and adding:
You cannot just copy this example configuration into yours. Each service's requirements differ, and the sandbox has to be fine-tuned for each of them specifically. To learn more about all of the options you can set, read the systemd.exec manpage. If you use an init system other than systemd, then all of these options can be easily replicated with bubblewrap.
Time synchronisation is vital for anonymity and security. A wrong system clock can expose you to clock skew fingerprinting attacks, or can be used to feed you outdated HTTPS certificates, bypassing certificate expiry or revocation. The most popular time synchronisation method, NTP, is insecure: it is unencrypted and unauthenticated, so an attacker can trivially intercept and modify requests. NTP also leaks your local system time in NTP timestamp format, which can be used for clock skew fingerprinting, as briefly mentioned before. Thus, you should uninstall any NTP clients and disable systemd-timesyncd if it is in use. Instead of NTP, you can connect to a trusted website over a secure connection (HTTPS or, preferably, a Tor onion service) and extract the current time from the HTTP Date header. Tools that accomplish this are sdwdate or my own secure-time-sync.
Mar 19 13:47:21 xps15-9560 apparmor[773]: AppArmor parser error for /etc/apparmor.d/usr.lib.mediascanner-2.0.mediascanner-extractor in /e
Mar 19 13:47:21 xps15-9560 apparmor[773]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Mar 19 13:47:22 xps15-9560 apparmor[773]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Mar 19 13:47:22 xps15-9560 apparmor[773]: AppArmor parser error for /etc/apparmor.d/usr.bin.webbrowser-app in /etc/apparmor.d/usr.bin.web
Mar 19 13:47:22 xps15-9560 apparmor[773]: AppArmor parser error for /etc/apparmor.d/usr.lib.mediascanner-2.0.mediascanner-extractor in /e
Mar 19 13:47:22 xps15-9560 apparmor[773]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Mar 19 13:47:22 xps15-9560 apparmor[773]: ...fail!
Mar 19 13:47:22 xps15-9560 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Mar 19 13:47:22 xps15-9560 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Mar 19 13:47:22 xps15-9560 systemd[1]: Failed to start AppArmor initialization.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apparmor 2.11.0-2ubuntu19
ProcVersionSignature: Ubuntu 4.15.0-12.13-generic 4.15.7
Uname: Linux 4.15.0-12-generic x86_64
ApportVersion: 2.20.8-0ubuntu10
Architecture: amd64
Date: Mon Mar 19 13:50:42 2018
InstallationDate: Installed on 2017-08-16 (214 days ago)
InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
ProcEnviron: LANGUAGE=en_AU:en TERM=xterm-256color PATH=(custom, no user) LANG=en_AU.UTF-8 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-4.15.0-12-generic root=UUID=0eb64261-6dff-464a-8373-596794c1fafe ro rootflags=subvol=@ quiet splash acpi_rev_override=5 scsi_mod.use_blk_mq=1 vt.handoff=1
SourcePackage: apparmor
Syslog:
 Mar 19 13:47:22 xps15-9560 dbus-daemon[1252]: [system] AppArmor D-Bus mediation is enabled
 Mar 19 13:47:23 xps15-9560 dbus-daemon[1491]: [session uid=125 pid=1491] AppArmor D-Bus mediation is enabled
 Mar 19 13:47:39 xps15-9560 dbus-daemon[2160]: [session uid=1001 pid=2160] AppArmor D-Bus mediation is enabled
UpgradeStatus: Upgraded to bionic on 2017-11-17 (121 days ago)
mtime.conffile..etc.apparmor.d.abstractions.nameservice: 2017-10-24T16:47:24.395996
* Remove old Ubuntu Touch profiles for packages removed from the archive since they need apparmor-easyprof-ubuntu to compile, and it was also removed from the archive (LP: #1756800)
  - debian/control: Breaks on media-hub, mediascanner2.0 and webbrowser-app
  - debian/postinst: on upgrade, remove profiles for usr.bin.webbrowser-app, usr.bin.media-hub-server, usr.lib.mediascanner-2.0.mediascanner-extractor and usr.bin.mediascanner-service-2.0
sdwdate only connects to Tor onion services, which are encrypted by default and do not rely on SSL certificate authorities (CAs). Three different pools are used for time sources so that, if too many connections fail for any given pool, [8] the pool is considered potentially compromised and sdwdate aborts.
The various onion services are categorized into three different pools. A member of one pool should be unlikely to share logs (or other identifying data), or to agree to send fake time information, with a member of another pool. In basic terms, sdwdate picks three random servers, one from each pool, and then takes the median (middle value) of the three advertised dates.
There needs to be evidence that the onion domain is hosted by the same author as the clearnet domain. This can be a mention of the onion domain on the clearnet site, or the Onion-Location HTTP header. The latter is easy to spot by visiting the website in Tor Browser and looking for the ".onion available" indicator, or by checking the response headers with a service such as securityheaders.com or with the curl command line tool, i.e. curl --head
Onion services likely hosted on the same hardware or by the same author are grouped together and act as one, i.e. they are considered mirrors of the same onion. sdwdate picks one mirror from the group at random, so no single author's onions are used more often than other pool members; the load among these grouped pool members is therefore balanced.
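The sdwdate design described above (the time taken from an HTTP Date header, one mirror picked per author group, the median of one date from each of three pools, and an abort when a pool fails too often), written out as an added Python example. This is not sdwdate's own code; the pool layout, the failure threshold and the sample responses are constructed assumptions.

```python
import random
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_FAILURES_PER_POOL = 2  # assumed threshold; sdwdate's real limits differ

def date_from_http_head(raw_response: str) -> datetime:
    """Pull the Date header out of a raw HTTP HEAD response and return it as UTC."""
    for line in raw_response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).astimezone(timezone.utc)
    raise ValueError("response carries no Date header")

def pick_source(pool):
    """A pool is a list of groups; a group holds the mirrors of one author.
    Picking a group first, then a mirror, keeps one author from dominating the pool."""
    return random.choice(random.choice(pool))

def estimate_time(pools, fetch):
    """Query one source per pool and return the median date; abort when a pool fails too often."""
    dates = []
    for pool in pools:
        failures = 0
        while True:
            try:
                dates.append(date_from_http_head(fetch(pick_source(pool))))
                break
            except (OSError, KeyError, ValueError):
                failures += 1
                if failures > MAX_FAILURES_PER_POOL:
                    raise RuntimeError(f"pool {pools.index(pool)} failed {failures} times; treating it as compromised")
    return sorted(dates)[len(dates) // 2]  # median: the middle of the three advertised dates

# Constructed sample data: three pools, two of them containing author mirror groups.
POOLS = [
    [["http://a1.onion", "http://a2.onion"], ["http://b.onion"]],
    [["http://c.onion"], ["http://d.onion"]],
    [["http://e.onion"]],
]
def _head(date): return f"HTTP/1.1 200 OK\r\nDate: {date}\r\nServer: demo\r\n\r\n"
RESPONSES = {
    "http://a1.onion": _head("Tue, 15 Nov 1994 08:12:31 GMT"),
    "http://a2.onion": _head("Tue, 15 Nov 1994 08:12:31 GMT"),
    "http://b.onion":  _head("Tue, 15 Nov 1994 08:12:31 GMT"),
    "http://c.onion":  _head("Tue, 15 Nov 1994 08:12:35 GMT"),
    "http://d.onion":  _head("Tue, 15 Nov 1994 08:12:35 GMT"),
    "http://e.onion":  _head("Tue, 15 Nov 1994 07:00:00 GMT"),  # one badly skewed source
}

def fake_fetch(url):
    """Stand-in for a HEAD request over Tor; unknown hosts raise like a failed connection."""
    return RESPONSES[url]

if __name__ == "__main__":
    print(estimate_time(POOLS, fake_fetch))
```

The skewed third pool is outvoted by the median, while a pool whose members cannot be reached at all makes the run abort instead of silently using two sources.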
OnionShare is an open source tool for securely and anonymously sending and receiving files using Tor onion services. It works by starting a web server directly on your computer and making it accessible as an unguessable Tor web address that others can load in Tor Browser to download files from you, or upload files to you. It doesn't require setting up a separate server, using a third party file-sharing service, or even logging into an account.
After clicking the button, I wait a few seconds, and then OnionShare gives me an unguessable Tor address to share. This is also new in OnionShare 2: By default, it uses next generation Tor onion services, also known as v3 onion addresses. These are onion addresses that look like lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion, as opposed to the old v2 kind, that look like elx57ue5uyfplgva.onion.
Also, you might notice that the OnionShare address is using HTTP and not HTTPS, but this is actually perfectly fine. HTTPS adds a layer of encryption between a web browser and a web server, but Tor onion services are already end-to-end encrypted, so HTTPS is not necessary (it's also not feasible without browser warnings: Let's Encrypt doesn't sign HTTPS certificates for .onion sites). Unlike loading normal websites in Tor Browser, when you load onion websites, there is no Tor exit node that could spy on the traffic -- all of the traffic stays within the Tor network.
Over in OnionShare on my computer, I can see the status of all of the files that I'm receiving. Because OnionShare uses Tor onion services, I don't actually have any way of knowing who is sending files to me -- if I want to make it so only very specific people can send me files, I need to securely share the OnionShare address to only those people. My computer will continue to act as an anonymous dropbox until I click "Stop Receive Mode", or close OnionShare. And, just like with share mode, if I suspend my laptop, the OnionShare address stops working.
The idea is that if an attacker could figure out the tor-address part of the address, they still can't download the files you're sharing, or upload files to your computer, without first knowing the slug. The slug is, essentially, a password. (This is less important when using v3 onion services. The old v2 onion services have a known issue where, if the onion connection happens to get facilitated by a malicious Tor node, that node could learn the tor-address part. This is one of the reasons that v3 onions are more secure.)