[tor-talk] Advice on XMPP as a hidden service

Cypher cypher at cpunk.us
Fri Mar 7 08:01:57 UTC 2014

On Mar 6, 2014, at 3:44, Mike Cardwell <tor at lists.grepular.com> wrote:

> * on the Thu, Mar 06, 2014 at 02:02:50AM -0600, Cypher wrote:
>> 1. Let's say my hidden service is xxxcf.onion. What would the users'
>> final JID be? Would they still be user at chat.cpunk.us or would the
>> onion address come into play?
> Depends. When somebody adds "user at chat.cpunk.us" into their XMPP client
> it will do a DNS SRV lookup of "_xmpp-server._tcp.chat.cpunk.us" and
> currently will receive "chat.cpunk.us" as the response, and so connect
> to the host "chat.cpunk.us". I think a lot of clients fall back to
> connecting directly to the A/AAAA record if the SRV record lookup fails.
> So you *could* just add an additional higher priority SRV record to
> chat.cpunk.us containing your onion address. I assume in this situation
> most clients would try to connect to the .onion address, fail immediately
> because they're not using Tor, and then fall back to the 2nd SRV record
> "chat.cpunk.us".
> However, there are probably many badly written clients out there which
> will fail in lots of exotic ways. Allowing people to sign up with
> "user at example.onion" would help the service work with clients that don't
> support SRV records. People using Tor wouldn't be able to do SRV lookups
> anyway as they're not supported by the Tor resolver. It would also prevent
> DNS spoofing. "user at example.onion" should also help avoid various leaks
> that clients might have.

Hmm, good points. Though I wonder if force might be something needed
in this case: use a properly functioning client or go elsewhere. My
reasoning is that I have to wonder if a developer who isn't capable of
writing DNS related code could be trusted to implement proper crypto.
Since our server tries to focus on secure communication, perhaps this
could be a teachable moment and help the Tor network at the same time.

>> 2. Is it necessary to actually configure a hidden service at all?
>> Can't users just point their SOCKS proxy capable XMPP client to the
>> server, or does going through an onion address provide something else
>> in this case that I'm not aware of?
> Hidden services offer several benefits. If you're not using a hidden
> service, your client could accidentally connect to the server outside
> of Tor. The client might do something "helpful" like fall back to making
> a direct connection when it can't connect to the configured socks proxy.
> It prevents DNS spoofing. It prevents malicious exit nodes attempting
> to discover information about the traffic they're exiting, attempting
> to perform SSL stripping attacks etc.
>> 3. Even though we run a Jingle node and act as a media relay, I assume
>> users still will not be able to do voice and video while connected to
>> our server over Tor.
> If any of this relies on UDP, then no. Even if it's entirely TCP, the
> latency added by onion routing will probably be too much in most cases.
> Test it.
>> Is that correct? Is there any way to safely offer voice and video to
>> Tor connected users?
> I don't know.
> -- 
> Mike Cardwell  https://grepular.com/     http://cardwellit.com/
> OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
> XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
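The SRV ordering and fall-back behaviour Mike describes, as an added example that is not part of this thread or of any XMPP client's code. The records, the `_xmpp-client._tcp` name and the Tor-only policy are assumptions made for illustration.

```python
import random
from dataclasses import dataclass

@dataclass
class SrvRecord:
    priority: int  # lower value is tried first
    weight: int    # relative share within one priority level
    port: int
    target: str

# Constructed answer for _xmpp-client._tcp.chat.cpunk.us (hypothetical zone data):
# the onion address gets the lower priority number, so it is tried first, and the
# clearnet host stays as the fallback record.
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=0, port=5222, target="chat.cpunk.us"),
    SrvRecord(priority=5, weight=0, port=5222, target="xxxcf.onion"),
]

def order_srv(records, rng=random.random):
    """RFC 2782 ordering: ascending priority, weighted random draw within one
    priority (all-zero weights simply keep list order)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            threshold = rng() * sum(r.weight for r in group)
            running, chosen = 0, group[-1]
            for r in group:
                running += r.weight
                if running >= threshold:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered

def connection_targets(records, tor_only):
    """(host, port) pairs to try, in order. Off Tor a .onion target is unreachable,
    so it is skipped and the clearnet record is used (the fall-back case above).
    A Tor-only client keeps .onion targets only and fails closed when none exist,
    rather than 'helpfully' opening a direct connection outside Tor."""
    targets = []
    for r in order_srv(records):
        if r.target.endswith(".onion") != tor_only:
            continue  # target is not usable under this client's policy
        targets.append((r.target, r.port))
    if tor_only and not targets:
        raise LookupError("no .onion SRV target: refusing to connect outside Tor")
    return targets
```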
