
[FEATURE REQUEST] v3 Onion Service Client Authorization Support

Open 4-FLOSS-Free-Libre-Open-Source-Software opened this issue 4 years ago • 8 comments

In the latest v3 torspec an Onion service may require an authorization token. Lack of support for this authorization method in InviZible makes this feature useless if your intent is to use an authorized hidden service from a mobile device.

need write access to folder to put auth keys into DataDirectory/ClientOnionAuth/

> In the latest v3 torspec an Onion service may require an authorization token

Where can I test this?

Gedsh avatar Apr 26 '20 13:04 Gedsh

By creating your own osv3 and enabling auth, or I will perhaps create and provide an example at a later time.

It may be possible yet, manually, with the import/export feature. I found it works if you pack the files back into the generated zip and then import it again. The files placed remain under:

/data/user/0/pan.alexander.tordnscrypt/app_data/tor/

This way you could add these authentication keys (InviZible.auth_private) inside there and enable them by setting

ClientOnionAuthDir /data/user/0/pan.alexander.tordnscrypt/app_data/tor/ClientOnionAuth/

@Gedsh It would be better to adopt an easy option that adds these directives automatically and on demand. It's tedious and unproductive to do these tasks manually if you plan to host and provide services from within your phone. It would also be nice to generate the keys automatically.

References for authenticated Onion services: https://we.riseup.net/tech-autonomy+infrastructure/tor#configuring-version-3-authenticated-onion-service-

https://github.com/AnarchoTechNYC/meta/wiki/Connecting-to-an-authenticated-Onion-service#connecting-to-authenticated-version-3-onion-services

These directives need to be added automatically in the app logic, and are also posted as an example in order to define a proper authenticated hidden service:

HiddenServiceDir {{ansible_env.HOME}}/tmp/{{ansible_hostname}}
ClientOnionAuthDir {{ansible_env.HOME}}/tmp/{{ansible_hostname}}
DataDirectory {{ansible_env.HOME}}/.tor
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443
HiddenServicePort 22 127.0.0.1:22

*The curly braces are from Ansible .yaml variable syntax, if not obvious. Those are extracted from my own written Ansible playbooks/roles. I plan to release them to the public but not atm.

xp499 avatar May 01 '20 11:05 xp499
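The key material discussed in the comment above, as an added example (not part of any commenter's post and not InviZible code): it builds the client-side `.auth_private` line that goes into the directory named by `ClientOnionAuthDir` and the matching service-side `.auth` line that goes into `<HiddenServiceDir>/authorized_clients/`, following Tor's documented v3 client-authorization file format. Assumptions: X25519 is done in pure Python here only so the block runs offline with the standard library (a vetted library is the normal choice), and the onion address and the file name `phone` are constructed placeholders.

```python
import base64, os, re

P, A24 = 2**255 - 19, 121665          # Curve25519 constants from RFC 7748

def x25519_public(secret: bytes) -> bytes:
    """Public key for a 32-byte secret (RFC 7748 ladder, not constant-time)."""
    s = bytearray(secret)
    s[0] &= 248; s[31] &= 127; s[31] |= 64        # clamp the scalar
    k = int.from_bytes(s, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b32(raw: bytes) -> str:
    return base64.b32encode(raw).decode().rstrip("=")   # unpadded base32

def auth_lines(onion: str, secret: bytes):
    """Return (client .auth_private line, service .auth line) for one client."""
    addr = re.sub(r"\.onion$", "", onion.strip().lower())
    if not re.fullmatch(r"[a-z2-7]{56}", addr) or len(secret) != 32:
        raise ValueError("need a 56-character v3 address and a 32-byte secret")
    client = f"{addr}:descriptor:x25519:{b32(secret)}"
    service = f"descriptor:x25519:{b32(x25519_public(secret))}"
    return client, service

def write_private(path: str, line: str) -> None:
    """Create the key file owner-only (0600); refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(line + "\n")

if __name__ == "__main__":
    onion = "a" * 56 + ".onion"                  # constructed placeholder address
    client, service = auth_lines(onion, os.urandom(32))
    print("authorized_clients/phone.auth ->", service)
```

Only the `.auth` line is shared with the service operator; the `.auth_private` line stays on the client and is written with `write_private` so it is never group- or world-readable.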

I think it is not a good idea to host hidden services on the android phone. It has limitations with resources and apps background work. Maybe I will implement this feature, but later.

Gedsh avatar May 02 '20 16:05 Gedsh

Friendly advice (This isn't being rude): It's not up to you to provide those services.

For example, Syncthing for Android has good handling for the app to work in the background. Just by referencing localhost port binding to tor it would be reachable. Another example is, I have an SSHD server on the Android phone and I have total control over it. Another reference defined in tor, and it can be accessed.

These kinds of operations are dangerous, and that's why and where client authorization enters to make sense and protect sensitive services.

Anyways we can now edit torrc ourselves with the editor you made into the app. We would just need to create a DataDirectory with the right permissions for the app/module to use it and write there.

xp499 avatar May 09 '20 21:05 xp499

Hi;

> I think it is not a good idea to host hidden services on the android phone. It has limitations with resources and apps background work.

For older devices I agree, but with newer ones, it's not really a problem anymore, especially on Android boxes, where there's no lack of power.

Moreover you could disable this, and let the user intentionally choose to use it (option/linked settings would be disabled initially).

Two (possibly silly) questions: This would allow a relay to work on the device? Would it be complex to add relay options to the current InviZible Pro Tor module?

Thanks and Good continuation

Ilithy avatar Dec 18 '20 13:12 Ilithy

> For older devices I agree, but with newer ones

Newer devices have a Doze mode. They sleep most of the time.

> on Android boxes, where there's no lack of power

Android box is better. But the lack of computing power still exists.

> This would allow a relay to work on the device?

As far as I know this feature is only required for hosting hidden services (onion sites) on the device.

> Would it be complex to add relay options to the current InviZible Pro Tor module?

I think no. But as far as I know, there are certain bandwidth and processor power requirements for Tor relays. It cannot be a mobile phone. These are usually powerful servers.

Either way, you can use Orbot for all of this. I have no plans to implement the capabilities of hosting Tor hidden services or Tor relays in InviZible. This is not a job for a mobile phone, but for a server. This is my point.

Gedsh avatar Dec 18 '20 22:12 Gedsh

> Newer devices have a Doze mode. They sleep most of the time.

This mode can be disabled normally, and the application could force the system not to put the network to sleep.

> Android box is better. But the lack of computing power still exists.

This is not untrue. Do you think that an 8XX or newer snapdragon (for example) won't support these operations?

> As far as I know this feature is only required for hosting hidden services (onion sites) on the device.

Okay, thank you for explaining.

> I think no. But as far as I know, there are certain bandwidth and processor power requirements for Tor relays. It cannot be a mobile phone. These are usually powerful servers.

I'm in France, bandwidth is not a problem here (unlimited internet plan, and mobile plan over 100Gb/month), but I understand what you're telling me here.

> Either way, you can use Orbot for all of this.

I don't like Orbot, I much prefer InviZible Pro to use Tor, even if I lose some features.

> I have no plans to implement the capabilities of hosting Tor hidden services or Tor relays in InviZible. This is not a job for a mobile phone, but for a server. This is my point.

On that I have nothing to say, you are the developer, you decide what to implement, I respect that.

For the last word, I'd like to say that there are more and more devices under Android (TV box, TV, board like raspberry pi) that could be used as a small Tor relay or for hidden service (actually without the power and bandwidth of a real server, that's for sure), and it would be a lot of fun to create your own circuit with it, but it's just a dream :)

Thanks.

Ilithy avatar Dec 19 '20 00:12 Ilithy