#9549 Tor hidden service for update metadata
Opened 22 days ago by demiobenour. Modified 17 days ago

Describe what you would like us to do:


A Tor hidden service for update metadata would have significant advantages over the current system:

  • Improved anonymity for users, as well as protection from censorship.
  • Improved security: hidden services (especially v3 ones) come with key pinning built-in, making MITM attacks impossible even if one manages to obtain a rogue TLS certificate.

When do you need this to be done by? (YYYY/MM/DD)


It would be nice to have this by 2020/01/31


We can look into this... I suspect it would be painfully slow. :(

Requests are already pretty anonymous... users reach mirrors.fedoraproject.org and get a metalink, then contact one or more mirrors from that metalink.

> We can look into this... I suspect it would be painfully slow. :(

I already download all updates over Tor, and many other users of QubesOS do as well. It isn’t the default, but turning it on only requires uncommenting two lines of code. Personally, I consider the advantages to be well worth the slow downloads.

To be clear, I am only referring to the metalink server, not the actual metadata files. The metalink server has a SHA256 hash of the metadata files, so there is no loss of security.

> Requests are already pretty anonymous... users reach mirrors.fedoraproject.org and get a metalink, then contact one or more mirrors from that metalink.

I trust mirrors.fedoraproject.org far more than I do the mirrors, to be honest. One major advantage of a hidden service is that it guarantees that even if someone gets a rogue cert for mirrors.fedoraproject.org, they still can’t send a malicious metadata file. Since we don’t have signed metadata, that is a significant win.
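The hash check this comment relies on, as an added example that is not part of the ticket or of Fedora's tooling: a client accepts a `repomd.xml` fetched from any mirror only if it matches the size and SHA-256 pinned in the metalink, so the metalink channel is the one that has to be authentic. The metalink document and repomd body are constructed samples assumed to follow the Metalink 3.0 layout, and the function names are hypothetical.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/"}

# Constructed repomd.xml body and a constructed metalink that pins it.
SAMPLE_REPOMD = b"<repomd><revision>1578000000</revision></repomd>\n"
SAMPLE_METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files>
  <file name="repomd.xml">
   <size>{size}</size>
   <verification>
    <hash type="md5">00000000000000000000000000000000</hash>
    <hash type="sha256">{sha256}</hash>
   </verification>
   <resources>
    <url protocol="https" type="https" preference="100">https://mirror.example/repodata/repomd.xml</url>
   </resources>
  </file>
 </files>
</metalink>
""".format(size=len(SAMPLE_REPOMD), sha256=hashlib.sha256(SAMPLE_REPOMD).hexdigest())


def parse_pin(metalink_xml, name="repomd.xml"):
    """Return (size, sha256_hex, mirror_urls) pinned for `name`."""
    root = ET.fromstring(metalink_xml)
    for f in root.findall("ml:files/ml:file", NS):
        if f.get("name") != name:
            continue
        size = int(f.findtext("ml:size", namespaces=NS))
        digests = {h.get("type"): h.text.strip().lower()
                   for h in f.findall("ml:verification/ml:hash", NS)}
        if "sha256" not in digests:  # never fall back to a weaker digest
            raise ValueError("metalink carries no sha256 pin")
        urls = [u.text.strip() for u in f.findall("ml:resources/ml:url", NS)]
        return size, digests["sha256"], urls
    raise ValueError("no entry for " + name)


def verify_repomd(metalink_xml, body):
    """True only if `body` matches the size and SHA-256 in the metalink."""
    size, pinned, _ = parse_pin(metalink_xml)
    actual = hashlib.sha256(body).hexdigest()
    return len(body) == size and hmac.compare_digest(actual, pinned)
```
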

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: high-trouble, low-gain, ops

17 days ago


Metadata
Boards 1
ops Status: Backlog