commit 0e7b0b7bf5b800ae99beebc0fdf58fef8337cee0 Author: traumschule traumschuleriebau@riseup.net Date: Sun Aug 19 23:25:31 2018 +0200
onion services: add v3 manual from wiki (fixes #24880) --- docs/en/tor-onion-service.wml | 124 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 112 insertions(+), 12 deletions(-)
diff --git a/docs/en/tor-onion-service.wml b/docs/en/tor-onion-service.wml index 8fc9e894..7ef903e1 100644 --- a/docs/en/tor-onion-service.wml +++ b/docs/en/tor-onion-service.wml @@ -134,8 +134,9 @@ <pre> HiddenServiceDir C:\Users\username\Documents\tor\hidden_service HiddenServicePort 80 127.0.0.1:8080 </pre>
- <p>Note that since 0.2.6, both <var>SocksPort</var> and <var>HiddenServicePort</var> support Unix sockets. - This means that you can point the <var>HiddenServicePort</var> to a Unix socket:</p> + <p>Note that since 0.2.6, both <var>SocksPort</var> and <var>HiddenServicePort</var> + support Unix sockets. This means that you can point the <var>HiddenServicePort</var> + to a Unix socket:</p> <pre> HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/ HiddenServicePort 80 unix:/path/to/socket @@ -199,8 +200,8 @@ service, just add more <var>HiddenServicePort</var> lines. If you want to run multiple onion services from the same Tor client, just add another <var>HiddenServiceDir</var> line. All the following - <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var> line, until - you add another <var>HiddenServiceDir</var> line: + <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var> + line, until you add another <var>HiddenServiceDir</var> line: </p>
<pre> @@ -212,13 +213,13 @@ HiddenServicePort 22 127.0.0.1:22 </pre>
- <p>Onion services operators need to practice proper operational security - and system administration to maintain security. For some security - suggestions please make sure you read over Riseup's <a - href="https://help.riseup.net/en/security/network-security/tor/onionservices-best-... - Hidden (Onion) Services Best Practices" document</a>. Also, here are some - more anonymity issues you should keep in mind: - + <p>Onion services operators need to practice proper + <a href="https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity"> + operational security</a> and system administration to maintain security. + For some security suggestions please make sure you read over Riseup's + <a href="https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices"> + "Tor Hidden (Onion) Services Best Practices" document</a>. + Also, here are some more anonymity issues you should keep in mind: </p> <ul> <li>As mentioned above, be careful of letting your web server reveal @@ -238,7 +239,13 @@
<p>Another common issue is whether to use HTTPS on your relay or not. Have a look at this <a - href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs%22...</a> on the Tor Blog to learn more about these issues. + href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs%22...</a> + on the Tor Blog to learn more about these issues. + </p> + + <p>You can use <a href="https://stem.torproject.org">stem</a> to + <a href="https://stem.torproject.org/tutorials/over_the_river.html"> + automate the management of your onion services</a>. </p>
<p>Finally, feel free to use the <a @@ -246,6 +253,99 @@ mailing list</a> to discuss the secure administration and operation of Tor onion services.</p>
+ <hr> + <a id="four"></a> + <h2><a class="anchor" href="#four">Step Four: Set up next-gen (v3) onions</a></h2> + <br> + + <p>Since Tor 0.3.2 and + <a href="https://blog.torproject.org/tor-browser-75a5-released">Tor Browser + 7.5.a5</a> 56 bit long v3 onion addresses are supported and should be used + instead. This newer version of onion services ("v3") features many + improvements over the legacy system: + </p> + <ul> + <li>Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)</li> + <li>Improved directory protocol, leaking much less information to directory servers.</li> + <li>Improved directory protocol, with smaller surface for targeted attacks.</li> + <li>Better onion address security against impersonation.</li> + <li>More extensible introduction/rendezvous protocol.</li> + <li>A cleaner and more modular codebase.</li> + </ul> + <p>For details see + <a href="https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames"> + Why are v3 onions better?</a>. You can identify a next-generation onion + address by its length: they are 56 characters long, as in + <var>4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion</a>. + + The specification for next gen onion services can be found + <a href="https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt"> + here</a>. + </p> + + <h3>How to setup your own prop224 service</h3> + + <p>It's easy! Just use your <a href"#two">regular onion service</a> torrc + and add <var>HiddenServiceVersion 3</var> in your onion service torrc block. + Here is an example torrc designed for testing: + </p> + <pre> +SocksPort auto + +HiddenServiceDir /home/user/tmp/hsv3 +HiddenServiceVersion 3 +HiddenServicePort 6667 127.0.0.1:6667 + </pre> + <p>Then your onion address is in <var>/home/user/tmp/hsv3/hostname</var>. 
+ To host both a v2 and a v3 service using two onion service torrc blocks: + </p> + <pre> +HiddenServiceDir /home/user/tmp/hsv2 +HiddenServicePort 6667 127.0.0.1:6667 + +HiddenServiceDir /home/user/tmp/hsv3 +HiddenServiceVersion 3 +HiddenServicePort 6668 127.0.0.1:6667 + </pre> + + <p>Please note that tor is strict about directory permissions and does not + like to share its files. Make sure to restrict read and write access to the + onion services directory before restarting tor. For most linux based systems you can use: + </p> + <pre>chmod 700 -R /var/lib/tor</pre> + + <p>To restart tor it's safer to not use SIGHUP directly (see bug + <a href="https://trac.torproject.org/projects/tor/ticket/21818">#21818</a>), + but to check the validity of the config first. On Debian based systems the + services management tool does this for you:</p> + <pre> + service tor restart + </pre> + + <h3>How to help the next-gen onion development</h3> + + <p>Please let us know if you find any bugs! + We are still in testing & development stage so things are very liquid and + in active development. If you want to help with development, check out the list of + <a href="https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~prop224&order=priority"> + open prop224 bugs</a>. + </p> + + <p>For researchers our wiki page + <a href="https://trac.torproject.org/projects/tor/wiki/doc/OnionServiceNamingSystems"> + Onion Service Naming Systems</a> could be of value. If you are more of the bug + hunting type, please check our code and spec for errors and inaccuracies. + We would be thrilled to know about them! + </p> + + <p>For debugging and to send us more helpful log files, turn on info logging: + </p> + <pre> +SafeLogging 0 +Log notice file /home/user/tmp/hs/hs.log +Log info file /home/user/tmp/hs/hsinfo.log + </pre> + </div> <!-- END MAINCOL --> <div id = "sidecol">
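Review bot: the blog link re-wrapped in the `@@ -238,7 +239,13 @@` hunk is still broken: `href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs%22...</a>` never closes the attribute quote, has no `>` and no link text, so the anchor will not render. Since these lines are being touched anyway, restore it to a complete `<a href="...">...</a>` with visible link text, the same way the Riseup link was repaired in the previous hunk. The unchanged context line above it also says "HTTPS on your relay" where the section is about an onion service, which is worth fixing in the same pass.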
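Review bot: the new Step Four section (hunk `@@ -246,6 +253,99 @@`) has several markup and consistency errors that should be fixed before merge. The sample address is opened with `<var>` but closed with `</a>` (`<var>4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion</a>`), and the back-reference `<a href"#two">` is missing the `=`, so both render incorrectly. The intro says "56 bit long v3 onion addresses" while the following paragraph says "they are 56 characters long"; use characters in both places, and the release is written "7.5.a5" in the text but "75a5" in the link slug, so check the version string. The raw `&` in the Trac query URL (`status=!closed&keywords=~prop224&order=priority`) and in "testing & development" should be `&amp;` in HTML, and the two bullets that both begin "Improved directory protocol" read better merged into one. The permissions example `chmod 700 -R /var/lib/tor` does not match the `HiddenServiceDir /home/user/tmp/hsv3` used just above it; either point the chmod at the directory the example actually configures or say that the path must be whatever HiddenServiceDir is set to (and put `-R` before the mode for portability). Finally, the debugging snippet sets `SafeLogging 0`, which turns off tor's scrubbing of sensitive data in log output; the text should tell readers to re-enable SafeLogging once debugging is done and to review `hs.log` / `hsinfo.log` before sending them to anyone.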
tor-commits@lists.torproject.org