[tor-talk] Advice on XMPP as a hidden service
cypher at cpunk.us
Fri Mar 7 08:01:57 UTC 2014
On Mar 6, 2014, at 3:44, Mike Cardwell <tor at lists.grepular.com> wrote:
> * on the Thu, Mar 06, 2014 at 02:02:50AM -0600, Cypher wrote:
>> 1. Let's say my hidden service is xxxcf.onion. What would the users
>> final JID be? Would they still be user at chat.cpunk.us or would the
>> onion address come into play?
> Depends. When somebody adds "user at chat.cpunk.us" into their XMPP
> it will do a DNS SRV lookup of "_xmpp-server._tcp.chat.cpunk.us" and
> currently will receive "chat.cpunk.us" as the response, and so connect
> to the host "chat.cpunk.us". I think a lot of clients fall back to
> connecting directly to the A/AAAA record if the SRV record lookup
> So you *could* just add an additional higher priority SRV record to
> chat.cpunk.us containing your onion address. I assume in this
> most clients would try to connect to the .onion address, fail
> because they're not using Tor, and then fall back to the 2nd SRV
> However, there are probably many badly written clients out there which
> will fail in lots of exotic ways. Allowing people to sign up with
> "user at example.onion", would help the service work with clients that
> support SRV records. People using Tor wouldn't be able to do SRV
> anyway as they're not supported by the Tor resolver. It would also
> DNS spoofing. "user at example.onion" should also help avoid various
> that clients might have.
Hmm, good points. Though I wonder if force might be something needed
in this case: use a properly functioning client or go elsewhere. My
reasoning is that I have to wonder if a developer who isn't capable of
writing DNS related code could be trusted to implement proper crypto.
Since our server tries to focus on secure communication, perhaps this
could be a teachable moment and help the Tor network at the same time.
>> 2. Is it necessary to actually configure a hidden service at all?
>> Can't users just point their SOCKS proxy capable XMPP client to the
>> server or does going through an onion address provide something else
>> in this case that I'm not aware of?
> Hidden services offer several benefits. If you're not using a hidden
> service, your client could accidentally connect to the server outside
> of Tor. The client might do something "helpful" like fall back to
> a direct connection when it can't connect to the configured socks
> It prevents DNS spoofing. It prevents malicious exit nodes attempting
> to discover information about the traffic they're exiting, attempting
> to perform SSL stripping attacks etc.
>> 3. Even though we run a Jingle node and act as a media relay, I
>> users still will not be able to do voice and video while connected to
>> our server over Tor.
> If any of this relies on UDP, then no. Even if it's entirely TCP, the
> latency added by onion routing will probably be too much in most
> Test it.
>> Is that correct? Is there any way to safely offer voice and video to
>> Tor connected users?
> I don't know.
> Mike Cardwell https://grepular.com/ http://cardwellit.com/
> OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
> XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
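The SRV fallback Mike describes (a higher-priority .onion record in front of the existing chat.cpunk.us record, with clients expected to fail over to the second record) and the hidden-service point about clients that "helpfully" fall back to a direct connection are both about client-side ordering and policy. Below is an added example, not code from the thread or from any XMPP client: it implements the RFC 2782 ordering rule (ascending priority, weighted random within equal priority) and a connection planner that skips .onion targets when the client is not on Tor, so the name is never handed to a clearnet resolver, and never attempts a non-Tor connection when the client is on Tor. The SRV answer is a constructed sample; `xxxcf.onion` is the placeholder from the original question, not a real service.

```python
"""RFC 2782 SRV ordering plus a Tor-aware connection policy (added example)."""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # hostname as returned by DNS, usually with a trailing dot


# Constructed sample answer for _xmpp-server._tcp.chat.cpunk.us, laid out as the
# thread discusses: a lower priority number (tried first) for the onion target,
# the existing clearnet record second. Hypothetical records, not live DNS data.
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=0, port=5269, target="chat.cpunk.us."),
    SrvRecord(priority=5, weight=0, port=5269, target="xxxcf.onion."),
]


def is_onion(target: str) -> bool:
    """True for Tor hidden-service names; trailing dot and case are ignored."""
    return target.rstrip(".").lower().endswith(".onion")


def _pick_weighted(group: List[SrvRecord], rng: random.Random) -> SrvRecord:
    """Select one record from an equal-priority group as RFC 2782 prescribes:
    zero-weight records go first, then a random number in [0, sum of weights]
    picks the first record whose running weight sum reaches it."""
    group.sort(key=lambda r: r.weight != 0)  # stable: zero weights to the front
    total = sum(r.weight for r in group)
    n = rng.randint(0, total)
    running = 0
    for rec in group:
        running += rec.weight
        if running >= n:
            return rec
    return group[-1]


def order_srv(records: List[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return records in the order a client should try them."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            chosen = _pick_weighted(group, rng)
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def plan_connection(records: List[SrvRecord], using_tor: bool,
                    rng: Optional[random.Random] = None
                    ) -> List[Tuple[str, int, bool]]:
    """Produce (host, port, via_tor) attempts for the client to make in order.

    Policy: a client not on Tor skips .onion targets outright instead of trying
    and failing, so the onion name never reaches a clearnet resolver; a client on
    Tor routes every attempt through Tor and has no direct-connection fallback.
    """
    attempts = []
    for rec in order_srv(records, rng):
        if is_onion(rec.target) and not using_tor:
            continue
        attempts.append((rec.target.rstrip("."), rec.port, using_tor))
    return attempts


if __name__ == "__main__":
    for mode in (False, True):
        print("using_tor=%s:" % mode, plan_connection(SAMPLE_SRV, using_tor=mode))
```

Running the block prints the clearnet-only plan for a non-Tor client and the two-step Tor plan for a Tor client. Note that, as the thread points out, a client that resolves through Tor's resolver cannot perform the SRV lookup at all, so in practice a Tor user is better served by a JID that names the onion address directly; the planner above only shows what the ordering and policy look like once a record set is in hand.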