Re: [tor-dev] Using Tor Stealth HS with a home automation server

2016-07-08 Thread bancfc

On 2016-07-08 18:53, Nathan Freitas wrote:

I've been working on some ideas about using Tor to secure "internet of
things", smart devices other than phones, and other home / industrial
automation infrastructure. Specifically, I think this could be a huge
application for Tor Hidden Services and Onion sites configured with
Hidden Service Authentication and "stealth" mode.

Earlier this year, I published some ideas on the subject here
https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20Onion%20Things.pdf
showing how you could use Orbot and IP Camera apps to build a cloud-free
Tor-secured "Dropcam" style setup.



Nice! An interesting Orbot feature to have is making QR Codes of 
authenticated Hidden Service info so mobile devices can easily add each 
other to a trusted network.





Re: [tor-dev] Using Tor Stealth HS with a home automation server

2016-07-08 Thread Nathan Freitas
Now published here:
https://home-assistant.io/cookbook/tor_configuration/

On Fri, Jul 8, 2016, at 12:53 PM, Nathan Freitas wrote:
> I've been working on some ideas about using Tor to secure "internet of
> things", smart devices other than phones, and other home / industrial
> automation infrastructure. Specifically, I think this could be a huge
> application for Tor Hidden Services and Onion sites configured with
> Hidden Service Authentication and "stealth" mode. 
> 
> Earlier this year, I published some ideas on the subject here
> https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20Onion%20Things.pdf
> showing how you could use Orbot and IP Camera apps to build a cloud-free
> Tor-secured "Dropcam" style setup.
> 
> Now, I've taken the first step to set up my own instance of Home
> Assistant "an open-source home automation platform running on Python 3.
> Track and control all devices at home and automate control. Installation
> in less than a minute."
> 
> Instructions on this are below. It all seems to be working well, but I
> would love any feedback, comments, thoughts that you might have. I would
> also like to ensure that any work on next-gen HS designs includes these
> kinds of use-cases.
> 
> ***
> Pull request for the new "Tor cookbook" example for Home Assistant:
> https://github.com/home-assistant/home-assistant.io/pull/627
> 
> ***
> 
> Tor Onion Service Configuration
> 
> This is an example about how you can configure Tor to provide secure
> remote access to your home assistance instance as an Onion site, through
> Tor’s Hidden Service feature. With this enabled, you do not need to open
> your firewall ports or set up HTTPS to enable secure remote access.
> 
> This is useful if you want to have:
> 
> - Access your HA instance remotely without opening a firewall port or
>   setting up a VPN
> - Don’t want to or know how to get an SSL/TLS certificate and HTTPS
>   configuration setup
> - Want to block attackers from even being able to access/scan your port
>   and server at all
> - Want to block anyone from knowing your home IP address and seeing your
>   traffic to your HA
> 
> Background and Contact
> 
> This configuration is part of an effort to apply strong cryptography
> technologies (like Onion Routing and End-to-End Encryption) to
> technology we increasingly depend on in our day to day lives. Just like
> when WhatsApp enabled end-to-end encryption messaging for everyone,
> every home automation and IoT platform should do the same, because A)
> the technology is all there, freely licensed and open-source and B) up
> to this point, all the commercial manufacturers have been doing a
> horrific job with security.
> 
> You can learn more about how Tor can be used to secure home automation
> and IoT platforms through this short set of slides on the Internet of
> Onion Things
> 
> This configuration was provided by @n8fr8 (github, twitter) of Guardian
> Project and Tor Project. You can send questions, feedback and ideas to
> supp...@guardianproject.info.
> 
> Hidden Services and Onion Sites
> 
> Tor allows clients and relays to offer hidden services. That is, you can
> offer a web server, SSH server, etc., without revealing your IP address
> to its users. In fact, because you don’t use any public address, you can
> run a hidden service from behind your firewall. Learn more about Hidden
> Services on the Tor Project website.
> 
> Onion sites are websites that run on a Tor Hidden Service node. “dot
> onion” sites are an IETF recognized special use domain name.
> 
> Setting up Tor on your Home Assistant
> 
> First, install Tor. On a Debian-based system, you can install the
> package easily:
> > sudo apt-get install tor
> 
> You can find more instructions for downloading and installing Tor on
> other platforms on the Tor Project Download Page.
> 
> Next, modify Tor’s main configuration file /etc/tor/torrc to include the
> following lines:
> 
> ...
> HiddenServiceDir /var/lib/tor/homeassistant/
> HiddenServicePort 80 127.0.0.1:8123
> HiddenServiceAuthorizeClient stealth haremote1
> ...
> 
> The “stealth” entry above ensures traffic to and from your HA instance
> over Tor is hidden even from other nodes on the Tor network. The
> “haremote1” value is a generic client name entry that you can modify as
> you please.
> 
> Then, restart Tor:
> > /etc/init.d/tor restart
> 
> Then read the newly generated authentication cookie from the Tor-generated
> hostname file:
> > sudo more /var/lib/tor/homeassistant/hostname
> 
> The output of that command should look something like this, but with
> your own unique “dot onion” domain and authentication cookie:
> abcdef1234567890.onion ABCDEF1122334455667789 # client: haremote1
> 
> You are now done with the HA Tor server configuration. Make sure your HA
> instance is running, and now you can move to client configuration.
> 
> Tor Client Access Setup
> 
> Using this setup, you can access your HA instance over Tor from your
> laptop or mobile device, using Tor Browser and other 

[tor-dev] Using Tor Stealth HS with a home automation server

2016-07-08 Thread Nathan Freitas
I've been working on some ideas about using Tor to secure "internet of
things", smart devices other than phones, and other home / industrial
automation infrastructure. Specifically, I think this could be a huge
application for Tor Hidden Services and Onion sites configured with
Hidden Service Authentication and "stealth" mode. 

Earlier this year, I published some ideas on the subject here
https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20Onion%20Things.pdf
showing how you could use Orbot and IP Camera apps to build a cloud-free
Tor-secured "Dropcam" style setup.

Now, I've taken the first step to set up my own instance of Home
Assistant "an open-source home automation platform running on Python 3.
Track and control all devices at home and automate control. Installation
in less than a minute."

Instructions on this are below. It all seems to be working well, but I
would love any feedback, comments, thoughts that you might have. I would
also like to ensure that any work on next-gen HS designs includes these
kinds of use-cases.

***
Pull request for the new "Tor cookbook" example for Home Assistant:
https://github.com/home-assistant/home-assistant.io/pull/627

***

Tor Onion Service Configuration

This is an example about how you can configure Tor to provide secure
remote access to your home assistance instance as an Onion site, through
Tor’s Hidden Service feature. With this enabled, you do not need to open
your firewall ports or set up HTTPS to enable secure remote access.

This is useful if you want to have:

- Access your HA instance remotely without opening a firewall port or
  setting up a VPN
- Don’t want to or know how to get an SSL/TLS certificate and HTTPS
  configuration setup
- Want to block attackers from even being able to access/scan your port
  and server at all
- Want to block anyone from knowing your home IP address and seeing your
  traffic to your HA

Background and Contact

This configuration is part of an effort to apply strong cryptography
technologies (like Onion Routing and End-to-End Encryption) to
technology we increasingly depend on in our day to day lives. Just like
when WhatsApp enabled end-to-end encryption messaging for everyone,
every home automation and IoT platform should do the same, because A)
the technology is all there, freely licensed and open-source and B) up
to this point, all the commercial manufacturers have been doing a
horrific job with security.

You can learn more about how Tor can be used to secure home automation
and IoT platforms through this short set of slides on the Internet of
Onion Things

This configuration was provided by @n8fr8 (github, twitter) of Guardian
Project and Tor Project. You can send questions, feedback and ideas to
supp...@guardianproject.info.

Hidden Services and Onion Sites

Tor allows clients and relays to offer hidden services. That is, you can
offer a web server, SSH server, etc., without revealing your IP address
to its users. In fact, because you don’t use any public address, you can
run a hidden service from behind your firewall. Learn more about Hidden
Services on the Tor Project website.

Onion sites are websites that run on a Tor Hidden Service node. “dot
onion” sites are an IETF recognized special use domain name.

Setting up Tor on your Home Assistant

First, install Tor. On a Debian-based system, you can install the
package easily:
> sudo apt-get install tor

You can find more instructions for downloading and installing Tor on
other platforms on the Tor Project Download Page.

Next, modify Tor’s main configuration file /etc/tor/torrc to include the
following lines:

...
HiddenServiceDir /var/lib/tor/homeassistant/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth haremote1
...

The “stealth” entry above ensures traffic to and from your HA instance
over Tor is hidden even from other nodes on the Tor network. The
“haremote1” value is a generic client name entry that you can modify as
you please.

Then, restart Tor:
> /etc/init.d/tor restart

Then read the newly generated authentication cookie from the Tor-generated
hostname file:
> sudo more /var/lib/tor/homeassistant/hostname

The output of that command should look something like this, but with
your own unique “dot onion” domain and authentication cookie:
abcdef1234567890.onion ABCDEF1122334455667789 # client: haremote1

You are now done with the HA Tor server configuration. Make sure your HA
instance is running, and now you can move to client configuration.

Tor Client Access Setup

Using this setup, you can access your HA instance over Tor from your
laptop or mobile device, using Tor Browser and other software.

Add the authentication cookie to your torrc client configuration on your
laptop or mobile device. Using the sample values from above, it would
look like this:
HidServAuth abcdef1234567890.onion ABCDEF1122334455667789

For Tor Browser on Windows, Mac or Linux, you can find the torrc file
here:
/Browser/TorBrowser/Data/Tor/torrc-defaults
Once
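
Added example, not part of the original post or the Home Assistant cookbook: a shell check for the server and client steps described above. It assumes the torrc options and the hostname-file format shown in the post; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the file formats shown in the post.

# Print a client-side "HidServAuth <onion> <cookie>" line for each entry of a
# hostname file. Fails if an address has no cookie (authorization not in effect).
hostname_to_hidservauth() {
    awk '
        $1 ~ /\.onion$/ && NF >= 2 && $2 !~ /^#/ { print "HidServAuth", $1, $2; ok = 1; next }
        $1 ~ /\.onion$/ { bad = 1 }
        END { exit !(ok && !bad) }
    ' "$1"
}

# Check the torrc stanza for one HiddenServiceDir: a HiddenServicePort must exist,
# its target must be 127.0.0.1 as in the post, and client authorization must be set.
audit_hs_stanza() {
    awk -v dir="$2" '
        $1 == "HiddenServiceDir" { in_hs = ($2 == dir); next }
        in_hs && $1 == "HiddenServicePort" {
            ports++
            if ($3 !~ /^127\.0\.0\.1:[0-9]+$/) { print "WARN: target is not loopback: " $3; rc = 1 }
        }
        in_hs && $1 == "HiddenServiceAuthorizeClient" { auth = $2 }
        END {
            if (!ports) { print "WARN: no HiddenServicePort for " dir; rc = 1 }
            if (auth != "stealth" && auth != "basic") { print "WARN: no HiddenServiceAuthorizeClient"; rc = 1 }
            exit rc + 0
        }
    ' "$1"
}

# Constructed sample files using the placeholder values from the post.
tmp=$(mktemp -d)
printf '%s\n' 'abcdef1234567890.onion ABCDEF1122334455667789 # client: haremote1' > "$tmp/hostname"
printf '%s\n' 'abcdef1234567890.onion' > "$tmp/hostname_noauth"
printf '%s\n' 'HiddenServiceDir /var/lib/tor/homeassistant/' \
    'HiddenServicePort 80 127.0.0.1:8123' \
    'HiddenServiceAuthorizeClient stealth haremote1' > "$tmp/torrc_good"
printf '%s\n' 'HiddenServiceDir /var/lib/tor/homeassistant/' \
    'HiddenServicePort 80 192.168.1.10:8123' > "$tmp/torrc_bad"

hostname_to_hidservauth "$tmp/hostname"
audit_hs_stanza "$tmp/torrc_good" /var/lib/tor/homeassistant/ && echo "stanza OK"
audit_hs_stanza "$tmp/torrc_bad" /var/lib/tor/homeassistant/ || echo "stanza needs fixing"
```

A hostname file that holds only the onion address, with no cookie, means the HiddenServiceAuthorizeClient line did not take effect, so the first function exits non-zero instead of printing a client line.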