HOWTO: get all your Debian packages via Tor Onion Services

leakageFollowing up on some privacy leaks that we looked into a while back, there are now official Debian Tor Onion Services for getting software packages and security updates, thanks to the Debian Sys Admin team. This is important for high risk use cases like TAILS covers, but also it is useful to make it more difficult to do some kinds of targeted attacks against high-security servers. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections. That means anyone with access to the network streams could both monitor and fingerprint traffic. When an request for a security update is spotted, an attacker knows that machine is vulnerable to an exploit, and could reliably exploit it before the security update is applied.

Using HTTPS to get security updates improves this situation a lot, but by measuring the size of data transfers, it is still possible to track which files are being downloaded. A Tor Onion Service provides end-to-end encryption like the HTTPS connection. It also mixes up the traffic with lots of other traffic, so its not easy to see what traffic goes together. That makes it a lot harder for a network observer to tell when a security update is being downloaded. Additionally, using a Tor Onion Service forces the traffic over Tor, so that the Debian mirror server cannot see which server is requesting the updates. That helps prevent targeted attacks.

There are other benefits as well, besides just for the person running the high security server in this example, especially if all of the traffic is coming over Tor. When updates are delivered over Tor, then that means the Debian mirror operators have less to worry about because they are handling less metadata that might have privacy concerns. It means that when law enforcement requests logs from the mirror operators, the mirror operators can more easily hand over anything they have since the mirror operator knows that there is not private information in the logs. Reducing the legal risks and privacy concerns makes it easier to run mirrors, and that helps internet services work better.

One disadvantage of this approach as it now stands is that your server will get updates from the same mirror every time. There is only a single Tor Onion Service for the main archive. An alternate approach using the combination of Tor and as the package source means that your server will get updates from a different mirror each time Tor changes its exit node (I believe that’s every 10 minutes or so).

How can you set up your Debian machine to get updates over Tor?

debian and torRight now, the best way to set up a Debian machine to force traffic over Tor is to use transparent proxying via iptables rules. If you have that setup, then you can add the onion addresses as Debian apt sources as if they are any other HTTP Debian mirror. Another option is to install apt-transport-tor like TAILS does, then you can use special syntax to add the Tor Onion Services. And another way is to install an HTTP proxy like privoxy and enable apt HTTP proxy support as I described before. The apt-transport-tor and privoxy approaches both have the downside of having to trust an added piece of software, whereas the transparent proxy technique uses what is already present in the Linux kernel. I’ve been using the privoxy method since that is what I got working in 2014 and it has been working reliably on multiple servers since then. Also, I need privoxy installed for another application anyway.

Here’s how to set up the apt sources to get packages and updates via Tor Onion Services without delaying security updates. First, remove /etc/apt/sources.list and /etc/apt/sources.list.d/*.list to start with a clean slate. Next add /etc/apt/sources.list.d/00.vwakviie2ienjx6t.onion.list to get the main Debian repositories:

deb http://vwakviie2ienjx6t.onion/debian/ jessie main
deb-src http://vwakviie2ienjx6t.onion/debian/ jessie main

# aka volatile
deb http://vwakviie2ienjx6t.onion/debian/ jessie-updates main
deb-src http://vwakviie2ienjx6t.onion/debian/ jessie-updates main

deb http://vwakviie2ienjx6t.onion/debian jessie-backports main
deb-src http://vwakviie2ienjx6t.onion/debian/ jessie-backports main

Next add the new Tor Onion Service for the security update repository at /etc/apt/sources.list.d/00.sgvtcaew4bxjd7ln.onion.list:

deb http://sgvtcaew4bxjd7ln.onion/ jessie/updates main

Then last, include the normal HTTP archive to ensure that your server gets the latest security updates, even if the Onion Service mirror is behind or there is some other issue related to Tor. This goes in /etc/apt/sources.list.d/ to ensure that it is always the last repository that is tried, and apt loads files from /etc/apt/source.list.d/ in alphabetical order, so it’ll always try to get the security updates from the Onion Service before falling back to the HTTP source as a last resort.

deb jessie/updates main

I also run an unofficial mirror of the security updates on http://dju2peblv7upfz3q.onion/debian if you want to add another backup, i.e. /etc/apt/sources.list.d/00.dju2peblv7upfz3q.onion.list:

deb http://dju2peblv7upfz3q.onion/debian-security/ jessie/updates main