[tor-talk] Advice on XMPP as a hidden service

Mike Cardwell tor at lists.grepular.com
Thu Mar 6 09:44:56 UTC 2014


* on the Thu, Mar 06, 2014 at 02:02:50AM -0600, Cypher wrote:

> I run the public XMPP server at chat.cpunk.us and I'd like to make the  
> service also available as a hidden service. I have a few questions:
> 
> 1. Let's say my hidden service is xxxcf.onion. What would the users'  
> final JID be? Would they still be user at chat.cpunk.us or would the  
> onion address come into play?

Depends. When somebody adds "user at chat.cpunk.us" into their XMPP client
it will do a DNS SRV lookup of "_xmpp-server._tcp.chat.cpunk.us" and
currently will receive "chat.cpunk.us" as the response, and so connect
to the host "chat.cpunk.us". I think a lot of clients fall back to
connecting directly to the A/AAAA record if the SRV record lookup fails.
So you *could* just add an additional higher-priority SRV record to
chat.cpunk.us containing your onion address. I assume in this situation
most clients would try to connect to the .onion address, fail immediately
because they're not using Tor, and then fall back to the 2nd SRV record
"chat.cpunk.us".

However, there are probably many badly written clients out there which
will fail in lots of exotic ways. Allowing people to sign up with
"user at example.onion" would help the service work with clients that don't
support SRV records. People using Tor wouldn't be able to do SRV lookups
anyway as they're not supported by the Tor resolver. It would also prevent
DNS spoofing. "user at example.onion" should also help avoid various leaks
that clients might have.

> 2. Is it necessary to actually configure a hidden service at all?  
> Can't users just point their SOCKS proxy capable XMPP client to the  
> server or does going through an onion address provide something else  
> in this case that I'm not aware of?

Hidden services offer several benefits. If you're not using a hidden
service, your client could accidentally connect to the server outside
of Tor. The client might do something "helpful" like fall back to making
a direct connection when it can't connect to the configured socks proxy.
It prevents DNS spoofing. It prevents malicious exit nodes attempting
to discover information about the traffic they're exiting, attempting
to perform SSL stripping attacks etc.

> 3. Even though we run a Jingle node and act as a media relay, I assume  
> users still will not be able to do voice and video while connected to  
> our server over Tor.

If any of this relies on UDP, then no. Even if it's entirely TCP, the
latency added by onion routing will probably be too much in most cases.
Test it.

> Is that correct? Is there any way to safely offer voice and video to
> Tor connected users?

I don't know.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
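The SRV fallback behaviour discussed in the reply above (a preferred .onion SRV target that a non-Tor client fails over from, and the "never leave Tor" point from question 2), as an added simulation that is not part of the original thread; the SRV records, the `xxxcf.onion` target and the connector functions are constructed stand-ins, and within-priority ordering is simplified from RFC 2782's weighted random pick to a deterministic sort.

```python
"""Simulate XMPP client SRV target selection for a server that publishes
both a .onion target and a clearnet target (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class SrvRecord:
    priority: int   # RFC 2782: lower value is tried first
    weight: int
    port: int
    target: str

# Constructed records for _xmpp-server._tcp.chat.cpunk.us: the onion target
# carries the lower priority value, so it is preferred over the clearnet host.
CONSTRUCTED_SRV: List[SrvRecord] = [
    SrvRecord(priority=10, weight=0, port=5269, target="chat.cpunk.us."),
    SrvRecord(priority=5, weight=0, port=5269, target="xxxcf.onion."),
]

def order_srv(records: List[SrvRecord]) -> List[SrvRecord]:
    # Ascending priority; RFC 2782 picks weighted-randomly within one
    # priority, simplified here to descending weight so results are stable.
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def choose_endpoint(records: List[SrvRecord],
                    connect: Callable[[str, int], bool],
                    via_tor: bool,
                    fallback_host: Optional[str] = None) -> Optional[Tuple[str, int]]:
    """Walk the ordered SRV targets and return the first (host, port) that
    connects. With via_tor=True a non-.onion target is skipped outright:
    falling back to a direct connection is exactly the leak the reply warns
    about. Without SRV records a non-Tor client may use the A/AAAA fallback."""
    for rec in order_srv(records):
        host = rec.target.rstrip(".")
        if via_tor and not host.endswith(".onion"):
            continue                     # refuse rather than leave Tor
        if connect(host, rec.port):
            return host, rec.port
    if fallback_host and not via_tor and connect(fallback_host, 5269):
        return fallback_host, 5269
    return None

def clearnet_connect(host: str, port: int) -> bool:
    # Constructed stand-in for a plain socket: without Tor a .onion name
    # cannot be resolved, so that attempt fails immediately.
    return not host.endswith(".onion")

def tor_connect(host: str, port: int) -> bool:
    # Constructed stand-in for a connection made through the Tor SOCKS proxy.
    return host.endswith(".onion")
```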