Tor, Part 4: Varied and Sundry

In this last part of my series on Tor (earlier posts: Part 1, Part 2, and Part 3), I want to talk about SSL certificates for onion sites, onion hostname versions, and using Tor with Python.

SSL Certificates

For the regular web, SSL allows secure connections to websites and, secondarily (especially in the age of Let's Encrypt), a third party's verification of the identity of the website's owners. For Tor hidden services, you don't need the secure connections that SSL provides to websites because of Tor's inherent security. So in most cases, Tor sites are delivered over HTTP, not HTTPS.

However, there are two situations in which one might want a certificate:

  • When you want to show the authenticated owner of the site
  • When you are running EOTK (or another proxy tool) which matches the protocol of the origin site. (If you don't have an SSL certificate, browsers will complain about the lack of a verified certificate, and users will have to click through the warnings to see the site.)

If you remember the days before Let's Encrypt, getting a certificate for a site wasn't a super-easy process, and you often had to pay a fair amount of money for it. Well, those days are still here for these certificates, and there is only one vendor for them, DigiCert. It's certainly good that there is a vendor that will do it, but since there is only one vendor, there's no price pressure (they are quite expensive, in the thousands of dollars). Further, they don't do it very often, so you'll need special support to get it done.

A few tips, if you're in the situation of needing this:

  • You'll need an Extended Validation license, likely multi-domain (especially if you are using EOTK, which will include onions for varied resources.)
  • Make sure you know all of the domains you'll need to include for the SAN (Subject Alternative Name) certificate
  • You'll absolutely need to tell the front-line support to escalate upwards (for instance, the first way they try to authenticate the owner of the domain is to send email to an onion domain.)

Onion Hostname Versions

You'll see onion URLs that look like this: https://odyoxebmwfaaphqc.onion/ and ones that look like this: http://f6iu3ub5qst5x4usxoys6fwglm57n6tovacaqqhardpiwmgw5ijx7bqd.onion/. There are two current versions of onion hostnames out there, v2 and v3. V2 is still largely the default, and many utilities and libraries only support v2 and don't yet support v3. V3 has longer domain names, better cryptography, improved directory protocols (meaning less information leakage), and other improvements. There is a vanity domain name generator for v3, called mkp224o. I haven't tried it yet, but I'm glad it exists, as the other ones only support v2.
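The two hostname formats can be told apart mechanically, which helps catch mistyped or truncated addresses before a client tries to connect. The following is an added example, not code from the original post: the function names are my own, the v3 layout (32-byte public key, 2-byte SHA3-256 checksum, version byte 0x03) follows Tor's rend-spec-v3, and the demo key is constructed.

```python
import base64
import binascii
import hashlib
from urllib.parse import urlsplit

V3_VERSION = b"\x03"

def v3_checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 public keys are 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def classify_onion(url_or_host: str) -> str:
    """Return 'v2', 'v3', 'v3-bad-checksum' or 'invalid'."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    host = (host or "").lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    # Subdomains are allowed; the label just before .onion is the address.
    label = host[: -len(".onion")].split(".")[-1]
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return "invalid"  # characters outside a-z2-7, or a bad length
    if len(label) == 16:
        return "v2"  # 80 bits: truncated SHA-1 of the service's RSA key
    if len(label) == 56:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version != V3_VERSION:
            return "invalid"
        return "v3" if checksum == v3_checksum(pubkey) else "v3-bad-checksum"
    return "invalid"

if __name__ == "__main__":
    samples = [
        "https://odyoxebmwfaaphqc.onion/",  # v2 address from this post
        "http://f6iu3ub5qst5x4usxoys6fwglm57n6tovacaqqhardpiwmgw5ijx7bqd.onion/",
        encode_v3(bytes(range(32))),  # constructed key, not a real service
        "example.com",
    ]
    for s in samples:
        print(f"{classify_onion(s):16} {s}")
```

A v2 hostname carries no checksum, so only its length and alphabet can be checked; a v3 hostname with a single wrong character in the checksum fails validation.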

Tor and Python

There are several ways to use Tor and Python. For one, you can use the Python requests library to request Tor addresses. It's fairly straightforward. Once you set up Tor on your development machine, install requests and requests[socks]. Then, proxy through Tor like this:

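import requests

# socks5h (rather than socks5) has the proxy resolve hostnames, so .onion names and DNS lookups go through Tor
session = requests.session()
session.proxies = {
    'http': 'socks5h://localhost:9050',
    'https': 'socks5h://localhost:9050'
}
r = session.get(url)  # url is the address you want to fetch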

You might want to change the headers to disguise your user agent, like this:

headers = {}
headers['User-agent'] = 'Mozilla/4.01 [en] (Win95; I)'
r = session.get(url, headers=headers)

(That'll confuse them!!)

There is also Stem, a Python library which connects to Tor's control protocol. This means that if you are running a Tor relay, you can use this library to get information about what's happening with that relay. I'm looking forward to diving into that one soon.

Things I want to explore more

I feel like I'm just scratching the surface. I want to set up a Tor crawler for myself at some point, dive deeper into relays, and just get more comfortable in the Tor network. It's exciting stuff!