Title: Always download Debian packages using Tor - the simple recipe
Tags: english, debian, sikkerhet
Date: 2016-01-15 00:30

<p>During his DebConf15 keynote, Jacob Appelbaum
<a href="https://summit.debconf.org/debconf15/meeting/331/what-is-to-be-done/">observed
that those listening on the Internet lines would have good reason to
believe a computer has a given security hole</a> if it downloads a
security fix from a Debian mirror. This is a good reason to always
use encrypted connections to the Debian mirror, to make sure those
listening do not know which IP address to attack. In August, Richard
Hartmann observed that encryption was not enough, since it was still
possible to infer from the size of a download, or from the fact that a
download took place shortly after a security fix was released, that a
security patch was being fetched, and
<a href="http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/">proposed
to always use Tor to download packages from the Debian mirror</a>. He
was not the first to propose this, as the
<tt><a href="https://tracker.debian.org/pkg/apt-transport-tor">apt-transport-tor</a></tt>
package by Tim Retout already existed to make it easy to convince apt
to use <a href="https://www.torproject.org/">Tor</a>, but I was not
aware of that package when I read the blog post from Richard.</p>

<p>Richard discussed the idea with Peter Palfrader, one of the Debian
sysadmins, and he set up a Tor hidden service on one of the central
Debian mirrors using the address vwakviie2ienjx6t.onion, thus making
it possible to download packages directly between two Tor nodes,
making sure the network traffic is always encrypted.</p>

<p>Here is a short recipe for enabling this on your machine, by
installing <tt>apt-transport-tor</tt>, replacing http and https
URLs with tor+http and tor+https, and using the hidden service instead
of the official Debian mirror site. I recommend installing
<tt>etckeeper</tt> before you start, to have a history of the changes
done in /etc/.</p>

<blockquote><pre>
apt install apt-transport-tor
sed -i 's% http://ftp.debian.org/% tor+http://vwakviie2ienjx6t.onion/%' /etc/apt/sources.list
sed -i 's% http% tor+http%' /etc/apt/sources.list
</pre></blockquote>
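<p>The same rewrite as a reusable script, generalized to every list under
/etc/apt/sources.list.d/, safe to run twice, and with a check for lines that
would still be fetched over the clear net. This is an added example, not part
of the original post; it assumes the ftp.debian.org mirror and the onion
address given above.</p>

```shell
#!/bin/sh
# Added example (not from the post): the recipe above generalized to every
# APT source list, rerunnable without double-prefixing, plus a check for
# lines that would still be fetched over the clear net.
# Assumes the ftp.debian.org mirror and the onion address named in the post.
ONION="vwakviie2ienjx6t.onion"
MIRROR="ftp.debian.org"

# Rewrite one sources file in place (portable: no sed -i).
# 1st expression: point the official mirror at the hidden service.
# 2nd expression: prefix any remaining http:// or https:// URL with tor+.
# Lines already using tor+http(s) have no space directly before "http"
# and are left alone, so running this twice is harmless.
tor_rewrite_file() {
    f="$1"
    sed -e "s% http://$MIRROR/% tor+http://$ONION/%" \
        -e 's% \(https\{0,1\}://\)% tor+\1%' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Rewrite sources.list and every *.list under sources.list.d/ in $1
# (default /etc/apt), as the post says to do for extra sources.
# The post recommends etckeeper for a history of these edits.
tor_rewrite_all() {
    aptdir="${1:-/etc/apt}"
    for f in "$aptdir/sources.list" "$aptdir"/sources.list.d/*.list; do
        if [ -f "$f" ]; then
            tor_rewrite_file "$f"
        fi
    done
}

# Count uncommented lines in $1 still carrying a plain http:// or https://
# URL, i.e. downloads that would bypass Tor. Prints 0 when fully converted.
clearnet_lines() {
    grep -c '^[^#]*[[:space:]]https\{0,1\}://' "$1" || true
}

# Only act when an APT directory is given explicitly:  sh tor-apt.sh /etc/apt
if [ $# -gt 0 ]; then
    tor_rewrite_all "$1"
    echo "clearnet lines left in $1/sources.list: $(clearnet_lines "$1/sources.list")"
fi
```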

<p>If you have more sources listed in /etc/apt/sources.list.d/, run
the sed commands for these too. The sed commands assume you are
using the ftp.debian.org Debian mirror. Adjust the commands (or just
edit the files manually) to match your mirror.</p>

<p>This works in Debian Jessie and later. Note that tools like
<tt>apt-file</tt> only recently started using the apt transport
system, and do not work with these tor+http URLs. For
<tt>apt-file</tt> you need the version currently in experimental,
which needs a recent apt version currently only in unstable. So if you
need a working <tt>apt-file</tt>, this is not for you.</p>

<p>Another advantage of this change is that your machine will start
using Tor regularly and at fairly random intervals (every time you
update the package lists or upgrade or install a new package), thus
masking other Tor traffic done from the same machine. Using Tor will
become normal for the machine in question.</p>

<p>On <a href="https://wiki.debian.org/FreedomBox">Freedombox</a>, APT
is set up by default to use <tt>apt-transport-tor</tt> when Tor is
enabled. It would be great if it was the default on any Debian
system.</p>
61 is set up by default to use <tt>apt-transport-tor</tt> when Tor is
62 enabled. It would be great if it was the default on any Debian
63 system.</p>