
Bug#754242: support http://asdfasdf.onion without tor://



On Sat, Jan 14, 2017 at 10:33:00PM +0000, Patrick Schleizer wrote:
> Is this actually implemented despite saying wontfix?

Well, it's implemented as described in my previous mail in this buglog:
the setting Dir::Bin::Methods::http "http+tor"; will give you what this
bug report requests – well, not really, it will route all traffic through
Tor, not just those http lines which have a .onion address as described
in the request. I really don't like such magic and think it would be
dangerous, which is why it's tagged wontfix, but more details are in my last
mail.

The feature requested in this bug report is distinct from (in some ways even
the opposite of) what you refer to next, though:

> Thank you for implementing 'Acquire::BlockDotOnion "false";' - very
> useful for Whonix!

The option is fashioned after a similar option available in Firefox: by
default, if we end up trying to perform a DNS query, that attempt is
canceled and fails without contacting a DNS server – that is so that by
default a misconfiguration will not cause you to leak your
onion-browsing attempt to a (potentially very) remote DNS server or even
be subject to an evil DNS server resolving the address to some fake…

I guess Whonix is set up in a way that there is no communication to
the outside world without Tor, so there is no danger of a
misconfiguration exposing you in some way. In such a world you don't need
a-t-tor at all. You will need that config knob though, as you want apt
to contact a DNS server for all its needs – which your network stack
will deal with (as in rewriting it to be routed over Tor and such).

That said, it might make sense to use a-t-tor anyhow even if not
strictly needed, as it will deal better with certain Tor anomalies given
that it knows Tor is involved: reporting better errors (like telling you
that the .onion address you typo'ed is too long/short; saying
"unreachable host" if a service is… well, not reachable, instead of
saying "TTL expired", which is reported by Tor and technically more
correct but unhelpful), using different circuits for different
sources, and so on.


Best regards

David Kalnischkies
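The two behaviours described in this mail, refusing to hand a .onion name to a DNS server unless Acquire::BlockDotOnion is switched off (or a Tor-aware method is in use), and failing fast on a .onion address of the wrong length, as an added illustration. This is example code written for this page, not apt's or apt-transport-tor's implementation; the function names, the `block_dot_onion`/`via_tor` parameters and the label-length check are assumptions of the example.

```python
"""Pre-resolve guard modelled on the Acquire::BlockDotOnion behaviour described above.
Example code for this page, not apt's own logic."""
import socket
from urllib.parse import urlsplit

ONION_LABEL_LENGTHS = {16, 56}   # base32 length of v2 and v3 onion addresses
BASE32_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz234567")


class OnionLeakBlocked(Exception):
    """Raised instead of asking a DNS server to resolve a .onion name."""


def onion_label_problem(host: str):
    """Return why a .onion host looks malformed (e.g. a typo), or None if it looks sane."""
    label = host.lower()[:-len(".onion")].split(".")[-1]
    if len(label) not in ONION_LABEL_LENGTHS:
        return f"onion address has {len(label)} characters, expected 16 or 56"
    if not set(label) <= BASE32_CHARS:
        return "onion address contains characters outside the base32 alphabet"
    return None


def pre_resolve_check(url: str, block_dot_onion: bool = True, via_tor: bool = False) -> str:
    """Decide what happens before a hostname would reach the system resolver.

    block_dot_onion mirrors Acquire::BlockDotOnion (default true, i.e. block);
    via_tor models a tor:// or http+tor method that passes the name to the
    Tor SOCKS proxy unresolved.  Returns "resolve", "tor" or "block: <reason>".
    """
    host = urlsplit(url).hostname or ""
    if not host.lower().endswith(".onion"):
        return "resolve"                      # ordinary host: DNS is fine
    problem = onion_label_problem(host)
    if problem:
        return f"block: {problem}"           # fail early with a useful error
    if via_tor:
        return "tor"                          # Tor resolves .onion itself
    if block_dot_onion:
        return "block: refusing to send a .onion name to a DNS server"
    return "resolve"                          # Whonix-style: the network stack routes everything via Tor


def guarded_getaddrinfo(url: str, **policy):
    """socket.getaddrinfo wrapper that applies pre_resolve_check first.

    Returns None for "tor" (the caller hands the unresolved name to the proxy),
    raises OnionLeakBlocked for "block", and resolves normally otherwise.
    """
    decision = pre_resolve_check(url, **policy)
    if decision.startswith("block: "):
        raise OnionLeakBlocked(decision)
    if decision == "tor":
        return None
    parts = urlsplit(url)
    return socket.getaddrinfo(parts.hostname, parts.port or 80)
```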
