Anonymous Homeservers (Tor/I2P) #7088
Comments
|
It seems like the best way to not lock specifically into Tor or I2P would be to have some sort of low level Network API that specifies config, transport and authentication for federation. This interface would allow support for Tor, I2P, DNS or any other homeserver type and prevent the need to rewrite the spec to add support for a new homeserver type. I will try to dive deeper into this and start a spec proposal mid May (Working part time and taking a full load of classes has my hands full until then). |
|
@jakehemmerle thanks for being on top of this. I'm personally invested in adding Tor support, since hidden services solve an addressability problem for people who want to run servers behind a NAT. That said, I would recommend prioritizing Tor over I2P when it comes to implementation as Tor has better ecosystem support. Based on my own experience, I have found that integrating Tor is easier than I2P and tends to be more reliable. It may also be worth noting that, as far as I'm aware, there is no I2P browser available for iOS. Additionally, there is a plugin being developed for Ionic Capacitor that will allow adding Tor support to both Android and iOS applications very easily, which will likely be finished in the coming weeks. Those are my thoughts on the matter. Happy to lend help wherever needed. |
|
This would finally open Matrix/Synapse to everybody and removes the NAT/dynamic IP problem: |
|
My one concern is that we need to make sure that Another thing I'm a little worried about is while it is necessary to route |
|
I mean it should be configurable. Connecting to another server over clearnet only harms your own anonymity, not anyone else's. So if you're using Tor for NAT punching but not anonymity, you could use the proxy for hidden services only. But I agree that by default it should use the proxy for everything. As for the second point, long term we could bundle a Tor client, and only run it if we don't detect anything listening on 127.0.0.1:9050. Remote Tor proxies should be an advanced configuration option, you need to know what you're doing if you use one. |
@cyphar If I understand your statement correctly, why would it matter if another server (who/whatever is hosting the Tor SOCKS5) can see the data going to the onion
It might be worth 'highly recommending' that people running |
|
shallot is v2, so probably should use https://github.com/cathugger/mkp224o instead |
It makes it so the relaying server is aware of the social graph of people talking. For instance, knowing that user Leaking such information does defeat some of the anonymity properties of My point is that if we're going to do clear-net packet routing to people who are on
Sure, though I imagine a lot of the work would also involve making sure that Twisted doesn't leak such information. Docker doesn't solve all of your problems (how do you make sure you don't leak information about the host system over the internet, and so on). Don't get me wrong, these are all stretch goals but are things that should be kept in mind if the intention is to get people to host |
I don’t think that matters (or rather, it matters much less) that it is known that someone on a clear-net homeserver is speaking to an onion homeserver (even though you can make associations like you described above). If a user ranks anonymity as a high priority for them, they should use an onion homeserver anyway (or at the very least, a clear-net homeserver through Tor, but still opens up that clearnet server to censorship or targeted attacks). An onion homeserver should simply provide anonymity to its users, not necessarily to clearnet servers/users in a room it’s hosting. If we want more privacy from clear to onion (or even clear to clear), that should be a separate proposal (although related).
A crafted docker-compose file would eliminate/reduce the issue of a misconfigured or information-exposing service like nginx as well as Twisted reducing privacy. Docker itself doesn’t inherently remove these issues, and Twisted under the hood may want to expose things, but forcing a container (Synapse) to route all traffic through another container (a router configured to route all traffic through Tor) does. |
Rereading this a few months later I realize I misunderstood what you were saying! I'm not sure if theres a way to completely eliminate this issue at the docker level. Someone who knows docker and security pretty well would have to answer that. |
|
https://www.ndss-symposium.org/wp-content/uploads/2020/02/24199-paper.pdf Stuff like 0-RTT TLS, TCP fast open, and (if going the I2P route) QUIC should speed up some of the loading time. I expect this to be pretty slow trying to federate everything, but I could be wrong. Anyway, this paper might come in handy at some point. |
|
Support for ENS domains (https://ens.domains/) and/or unstoppable domains (https://unstoppabledomains.com/) could be interesting. This would allow decoupling of anonymous domains and the type of anonymizing technology used. (if for example Tor and I2P are implemented in the future) |
|
@hstock that's a great idea! I'd like to add Handshake to the list too (https://handshake.org). |
|
Would be good to see this and Tor/Onion sites and IPFS/Unstoppable Domains support without the clients like element needing to work with I2P, Tor or IPFS. If the synapse can support I2P, Tor and IPFS then matrix can be really decentralised and unstoppable. |
|
element web already supports tor if you run it in a tor browser ;) |
|
@dr-bonez The discussion here is regarding the federation protocol, that is homeserver-to-homeserver. |
|
I know, I was responding to @trymeouteh's comment about not waiting for tor support from clients. Just saying it's not a concern anyway, since web clients can easily be supported. |
|
A lot of people need this feature. Waiting... |
feel free to start on the protocol proposal, thats step 1 |
|
Good luck with this! Would be great to have it :). But if I had to be honest and blunt, I dont see element team implementing this anytime soon and for some of its members this would never get implemented if they had to decide. This doesn't apply to all team members though, but there is a big part of the composition of the element team that will probably harshly and silently criticize this proposal and probably try to brush it under the rug. The path I see forward is not in matrix.org issue tracker but other server implementations such like conduit or others https://gitlab.com/famedly/conduit , they will probably implement that straightway if PR is provided, given it aligns with their ideals, and if you cant do that, it is probably in their roadmap already so if you wait enough, that will probably become a reality. |
|
Timo has already agreed to accept a pr that adds tor support to conduit. It would be very simple, too, given that they are using reqwest, which has socks5 support. I just haven't gotten to it yet. |
|
It's possible that only #9306 is needed to get this working... |
erikjohnston
added
T-Other
|
Question: Couldn't there be something like a "tor/pull mode" in which federation is done over a outbound connection initiated by the tor homeserver (and thus solving the need for a tor client on the other homeserver)? |
ghost
mentioned this issue
|
Can anyone update on what is the current state of this issue? There seems to have been a lot of work done so it's hard to track what needs to be done to get tor homeservers, thanks CC @Legogris as the only project member reacting to this issue |
|
Just a note of encouragement: I miss this feature very much :-) |
|
Clarification @Kreyren : I am not a project member more than anyone else having contributed to the project (: From a quick look I can't find much ongoing or recent work? I have not tried this myself, but as of #10475, synapse should already be able to federate over tor by setting a SOCKS proxy for federation requests. For inbound federation, it would involved setting up a Hidden Service pointing to the federation port. This will only work with The missing piece here is would be verifying the onion certificates for federation. I guess this means that synapse can federate fine over tor today, but only if the homeserver disables tls verification for #1277 seems to be linking all relevant open issues. |
@Kreyren: I think I just did that here: #5152 (comment) @Legogris: Indeed, it works as you described, although lack of |
|
I really appreciate the work @Legogris and @ghost are doing but it seems like there is only effort for a TOR specific strategy utilizing SOCKS proxies. I think there are valid use cases to support other anonymization networks other than the onion router. From my limited research it sounds like I2P supports SOCKS to a limited degree but does not support out proxies (I2P equivalent of exit nodes). I'm not sure if that means that users relying on a homeserver behind I2P would result in only being able to communicate to other homeservers running behind I2P. Does anyone have any experience using I2P especially with SOCKS proxies? |
|
@Buttars: I2P is not made for clearnet access ingrained to the protocol like Tor. It's primarily designed for hidden services. It's intended as a segregated network. It does however provide an outproxy support where you can put I2P URL(s), but those really are just proxies to clearnet. Very few and volunteer run. I would absolutely not rely on them for core functionality. For such internal connections, SOCKS should work just fine. If you want "proper" integration with I2P, you're supposed to use the SAM interface. With SAM, your app can manage the creation and settings for tunnels. SOCKS should be fine for "connect to this .b32.i2p address" though. The user just has to make sure it has a tunnel with SOCKS running which is easy enough. Personally I (and I believe most I2P users) would be happy with a darknet only matrix server that does not connect to clearnet at all. On top of this, there could be servers that can connect to clearnet, Tor, and I2P at the same time. Those themselves wouldn't be anonymous of course but still allow for anonymous users, and act as bridges between networks. Let's say for example, Tor project might be interested to have a channel that can be accessed both from clearnet and Tor. (IDK if they do, just an example). Proxying to a clearnet server through Tor might be interesting, but I would not bother with this for I2P at all. Specific clearnet+I2P servers acting as bridges is enough. |
|
@den0621 I agree the I2P implementation would have to be anonymous network only or only a gateway from the client to the homeserver and clearnet after that. I've more clearly defined the different use cases and desired features in this comment on this other thread here. #5152 (comment) |
Intro
Several people in the Matrix community, including myself, would love to see anonymous homeservers. It didn't seem appropriate to use either of the other I2P or Tor threads, since both had some awesome points by awesome people (looking at you @richvdh @cyphar @vsatmydynipnet @Ekleog @ara4n). Big thanks to @ara4n for giving this a proofread before I posted!
Why this Tor/I2P thread
It seemed appropriate to start a new thread (and lock) for the following reasons and with the following hopes:
Since this is a large post on a new thread that discusses several steps that are dependent on the previous, for the sake of organization it will probably make sense to break this into smaller threads over time, rename threads, and/or move stuff to a wiki or something.
Tor or I2P?
Here is an excellent and pretty unbiased post comparing Tor and I2P from I2P’s website: https://geti2p.net/en/comparison/tor
(Summarized from above link):
Benefits of Tor over I2P
Written in C, while I2P is Java(EDIT: I found a C++ implementation of I2P (https://github.com/PurpleI2P/i2pd))Benefits of I2P over Tor
I am no expert in network protocols and I don't want to provide an ill-equip opinion, but it seems that Tor HSs would be easier to implement, while I2P HSs appear more 'proper'.
UX and Federation Behavior
I thought it would be useful to include expected behavior in this discussion. This and everything below this will be split into a separate thread with more details after decision on Tor or I2P.
UX (Client)
In a perfect world, I would think we would want the following behavior to apply (I will use terms 'Tor/I2P HSs' and 'DNS-addressed HSs' to describe homeservers that end in .onion/.i2p and in .com/etc for lack of better terminology):
Behind the scenes (Server)
@richvdh in #2111 recognized that for both types of HSs to federate to each other, it may be easiest to propose a change to the Matrix specification (specifically 'raising an MSC in the matrix-doc'). See post for context.
Depending on the expected future support of Synapse and with the building of Dendrite, would it make sense to skip building this for Synapse and just implement this for Dendrite?
Next steps
I hope this post finds the community well and brings some organization to the awesome discussions started around Tor/I2P homeservers. What should we start with? Tor or I2P?
The text was updated successfully, but these errors were encountered: