Getting Started
I have been looking for reasons to try Docker on one of the random stack of unused Raspberry Pis that I have lying around and thought it might be fun to build a little travel router. Somehow that morphed into "let's get Tor working on here", and then "well, if I can get a client and a relay, why not an onion service?"
Getting the Tor relay / proxy working was pretty easy. The entrypoint script is a little bit long because I wanted to allow for a fair bit of configuration flexibility in how the container is deployed.
You can find the container in the 'tor-relay' directory of my git repo.
I chose to also put polipo in a container to provide an HTTP proxy front-end. This made it pretty easy to get on the Tor network from any machine on my LAN. I even threw together a docker-compose.yml to bring up both the Tor client and polipo; you can find that in the tor-proxy-bundle of my git repo. (Polipo has since been abandoned upstream, so anything built on it today should swap in a maintained HTTP-to-SOCKS proxy such as privoxy, or simply point clients at Tor's SOCKS port directly.) Then I decided to go exploring, err, researching.
The "Dark" Web
"Onion" services, often called "hidden" services, have addresses that end in .onion and allow operators to provide services over the Tor network without disclosing their location or IP address. The address is derived from the service's own public key, so there is no central registry or DNS-style directory to consult like there is on the 'regular' Internet, which makes discovering what is out there a bit tricky. After some searching I found that, much like the regular Internet, there are various link directories and search engines available. The big difference in search-engine tech is that they seem to start by crawling the regular Internet looking for .onion addresses, and then, primed with those, they can crawl and index links between .onion sites just like any Internet search engine would.
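As an added illustration of that "find .onion addresses in ordinary web text" seeding step (my example, not the author's code, and not a description of how Fresh Onions or any particular search engine is built): the harvester below pulls candidate addresses out of a page with a regular expression, then goes one step beyond the text by checking the embedded checksum of the newer 56-character (v3) addresses, so corrupted or fabricated ones can be dropped before a crawler wastes circuits on them. The sample HTML and the key bytes are constructed for the example.

```python
import base64
import hashlib
import re

# Candidate labels: 16 base32 chars (legacy v2, RSA-based) or 56 (v3, ed25519-based).
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """Two-byte checksum from the v3 onion address spec:
    SHA3-256(".onion checksum" || pubkey || version)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte ed25519 public key:
    lowercase base32 of pubkey || checksum || version(0x03), plus '.onion'."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses wrap a 32-byte ed25519 public key")
    raw = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_v3(address: str) -> bool:
    """True if the 56-char label decodes to pubkey || checksum || 0x03 with a matching checksum."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-6]
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return False
    raw = base64.b32decode(label.upper())          # 56 chars * 5 bits = exactly 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == v3_checksum(pubkey)


def harvest(text: str) -> dict:
    """Map each distinct .onion address found in text to "v2", "v3" or "invalid"."""
    found = {}
    for match in ONION_RE.finditer(text):
        label = match.group(1).lower()
        address = label + ".onion"
        if address in found:
            continue
        if len(label) == 16:
            kind = "v2"        # no checksum to verify; only a liveness probe will tell
        elif validate_v3(address):
            kind = "v3"
        else:
            kind = "invalid"   # right shape, but wrong checksum or version byte
        found[address] = kind
    return found


# Constructed sample page: one valid v3 address built from a dummy key,
# one legacy-style 16-char label, and one 56-char string that is not a real address.
DUMMY_PUBKEY = bytes(range(32))
SAMPLE_HTML = f"""
<ul>
  <li><a href="http://{encode_v3(DUMMY_PUBKEY)}/">fresh v3 onion</a></li>
  <li>legacy mirror: http://abcdefghijklmnop.onion/guestbook.html</li>
  <li>broken link: http://{'a' * 56}.onion/ (not a real address)</li>
  <li>same link again: http://abcdefghijklmnop.onion/</li>
</ul>
"""

if __name__ == "__main__":
    for address, kind in harvest(SAMPLE_HTML).items():
        print(f"{kind:8s} {address}")
```

Only the v3 format carries a checksum; a 16-character v2 label is just base32 of a truncated key hash, so the only way to tell a real one from a typo is to try to build a circuit to it, which is exactly why the link directories the post mentions fill up with dead entries.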
My favorite so far is Fresh Onions because I can sort by 'last seen' and just keep poking at whatever it crawled most recently. Things seem to come and go rather frequently on the Tor network; when I was looking at the link directories I kept finding that something like 60% of the links were dead, so sorting by freshness gave a much better experience.
After a day of poking around I came to realize that, as with most technology, the general understanding of the dark web is pretty far from reality. The idea that the dark web is awash with black markets, hit men for hire, and hackers appears to be about as true as it was when people talked about the Internet back in the early 1990s. In fact the dark web even looks an awful lot like the 1990s Internet.
Some Examples
What a nice retriever we have here!
There are a lot of sites like this, though this is probably the cutest. The HTML is very rudimentary: quite literally the minimum you need to get an image on the screen.
Placeholder, Placeholder, Everywhere.
Lots of placeholders too. Sometimes it is not even a page but an empty directory listing from a freshly configured web server with nothing on it.
Under construction, but no .gif.. yet
If you remember the Internet of the 1990s you almost certainly ran across (or maybe even used) one of the many under construction animated gif images that were out there. While I have yet to see one of those pop up on the dark web, there are lots of pages that purport to be under construction.
Sign my Guestbook!
If you remember the under construction gif you probably also remember guestbooks. A rudimentary precursor to the blog comment box, these let visitors leave public notes for the site owner. Often these devolved into... well, what you might expect from an anonymous board where anyone can post anything...
Turns out those exist on the "Dark" web too.
"Dark" Thoughts
Design aside, the "anonymity" of the dark web feels very similar to the Internet of the 1990s and early 2000s. Before advertisers could track you all across the Internet it had a "wild west" feel in places. There were lots of aliases (the hacker nom de plume, or 'handle') and strange usernames (I was mee156 at one point thanks to a particularly uncreative corporate IT department), and often they were ephemeral. There were plenty of sites purporting to offer the same sort of potentially illegal (often fake) products and services now attributed to the dark web, all because by and large you were anonymous (sorta). In a way, as someone who grew up in those early days, it is actually sort of heartening to see a bit of a renaissance, so that maybe the kids today will get a shot at making some of the same mistakes I did without having them follow them forever.
Hidden service in a (pair of) container(s)
There are a lot of reasons people might run an onion service. Nefarious purposes aside, if you aren't just using it for research or as a way to provide a link back into your private network, then you are probably concerned about anonymity. There have been a few good DEF CON talks about anonymity and security on Tor and how people often get it wrong.
While not a silver bullet, putting your service and the Tor client that provides your .onion address into isolated containers is a reasonable first step towards operational security. By restricting the network to just those two containers you reduce the attack surface and the information leaked if the service is compromised: a compromised web container with no route to the Internet cannot phone home or reveal its public IP on its own, so an attacker is limited to what the service itself gives away over the circuit. You can also develop the service in isolation (say on your laptop) and then transport the image to another machine to deploy it, keeping the development and deployment environments separate. Beyond that, wrapping this into containers makes it simpler to deploy just about anywhere. You could even put them up on a public cloud provider (if you can get an anonymous account), or, since this works on a Raspberry Pi, you could hide the Pi somewhere other than your home or work and simply snag an open Ethernet port or WiFi network (obviously with permission from the owner...).
Similar to the proxy and relay stuff, you can see an example docker-compose.yml, hidden service client, and Apache instance over in my git repo (under onion-service-bundle, onion-service, and apache-rpi respectively).
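To make the isolation concrete, here is a sketch of the two-network layout the paragraph above describes. This is an added example, not the compose file from the author's onion-service-bundle; the image names, the torrc mount path and the volume name are assumptions.

```yaml
# Added example (not the repo's docker-compose.yml). Image names and paths are assumptions.
services:
  tor:
    image: onion-service            # assumed: a Tor client image whose torrc carries the HiddenService* lines
    volumes:
      - ./torrc:/etc/tor/torrc:ro
      - onion_keys:/var/lib/tor/onion_service   # hostname + key pair: the only state worth keeping
    networks:
      - egress                      # can reach the Tor network
      - backend                     # can reach the web container

  web:
    image: apache-rpi               # assumed: the Apache image; it is never attached to the egress network
    networks:
      - backend

networks:
  egress: {}
  backend:
    internal: true                  # no gateway: containers here cannot reach the host's LAN or the Internet

volumes:
  onion_keys: {}
```

The torrc in the tor container then needs only `HiddenServiceDir /var/lib/tor/onion_service` and `HiddenServicePort 80 web:80` (or the web container's address, if you would rather not depend on Compose's name resolution). A quick check after `docker compose up` is to exec into the web container and confirm it can neither resolve nor reach anything outside the backend network, while the tor container can. The caveat is that this only closes the network path: Apache's default ServerTokens/ServerSignature still advertises its version to every visitor, and anything the application itself embeds in pages or error messages (hostnames, local paths, timezones) travels over the circuit just as it would without the containers.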
The example onion service that I have on my Pi right now is available here if you are interested.
Conclusions?
Containers bring a lot of interesting possibilities to systems like Tor, where you are essentially creating an overlay network that you then isolate and keep largely ephemeral. The onion service keeps a little state (the key pair that defines its address, plus the hostname file Tor derives from it), but for the most part there isn't anything that needs to be kept around between container runs. Lose that directory and you lose the address, so it is the one thing worth mounting as a persistent volume. There are also other ways to create tunnel connections from inside a container to the world, opening up many different possibilities.
The other interesting thing is that while there are a lot of sites claiming to offer the services you read about in typical reports on "The Dark Web", the vast majority of what is out there is either legitimate attempts to provide anonymous services (e.g. The New York Times via Tor, SecureDrop for passing sensitive tips to journalists, and publications or collections of written works like zines), or research and experimentation like the examples above (and my own test service). There is even a streaming radio service over Tor out there.
I think demystifying things helps normalize them. There are plenty of people who use Tor to be able to access the free and open Internet in ways that those of us in countries that don't censor the Internet take for granted, and people who live under regimes so oppressive that reading certain things or posting certain opinions can earn them real jail time. It is important for more people to use Tor for the usual everyday things, provide relays, and run onion services to ensure that the people who are under real threat have more noise to hide in.
Final Thoughts
Peeking around Tor onion services did leave me with one other piece of advice I'd like to pass along. If you have not already I'd urge you to do two things.
- Use a password manager. I generally recommend LastPass, but people I know and trust like 1Password as well. This is your best defense for the next time some service gets breached and your data ends up out there (more often than not it turns up on the regular Internet, not the dark web).
- Sign up for Troy Hunt's very good and free service Have I Been Pwned. This will alert you when your data has been found in a data breach.
🍻
Edit:
I updated some of the .onion links as they have changed.