Hi,

Thanks Tim for filing this bug report. Two further considerations:

1. based on my understanding, iaproxy uses regular expressions to replace (preg_replace) the original domain (called $TargetDomain) to the onion address (called $RequestDomain), so I would say it shares some limitations of EOTK (e.g. if there is an address in a <nowiki> tag it should not be replaced).
2. as additional references for the handling of third-level subdomains of .onion address, I would point out these tweets by Alec Muffet (who worked for Facebook and set up an onion service there): « [...] Subdomains just "work" - the Tor daemon ignores them during resolution while the browser passes them along. Result is you host all the subdomains on a single onion address, but the browser is happy. Thus ".onion" can be like ".fr" or any TLD.» (source: 1, 2)

Thanks Tim, that's so constructive :)

Yes, subdomains work. There is even a special exception in the CAB Forum requirements about wildcard EV certificates specifically for .onion addresses (EV are required for .onion, and EV wildcards are otherwise forbidden).

Brute-forced domains have pros and cons. Unless we manage to find an otherwise readable domain (like Facebook's facebookcorewwwi), you run into the danger of people learning to read "wikipedia" and to ignore the second half of the domain, allowing someone to just generate an wikipediaYYYYYYY with scallion and attempt to impersonate us. (HTTPS with EV will help, though). Perhaps it'd be better to just generate domains with a "wiki" prefix, instead of the full Wikipedia one?

I ran scallion for a few days (intermittently) on my GTX 1050, to see what we get in terms of readable domains. I ran it with a lot of alternative prefixes, since that is efficient, just extra entries in a hashtable. I now have private keys for the following domain names:

See what you think. The wikimedia*.onion domains could be used with a two-level subdomain, e.g. en.wikipedia.wikimediafeeetr3.onion.

• wikipediabsorqnj.onion -- almost manages to spell "absorb"
• wikimediacyweboe.onion -- obviously a web server sponsored by Wikimedia Wales
• wikimediafeeetr3.onion -- feature misspelt with leet final letter

Hi! I'm Alec, I write EOTK. I've improved it a lot over the summer, culminating in a deployment at the New York Times: https://open.nytimes.com/https-open-nytimes-com-the-new-york-times-as-a-tor-onion-service-e0d0b67b7482

I've set up a read-only Onion site for Wikipedia & related properties, and have posted details of how to access it at the following Twitter thread: https://twitter.com/AlecMuffett/status/933735934272704512

Let me know what you think.

edit: have also annotated: https://meta.wikimedia.org/wiki/Grants_talk:IdeaLab/A_Tor_Onion_Service_for_Wikipedia#Demo_Onion_Site.2C_Temporarily_Available

edit2: I don't know whether it would be proper for me to edit: https://meta.wikimedia.org/wiki/Grants:IdeaLab/A_Tor_Onion_Service_for_Wikipedia

As discussed before, I think it is worth exploring whether we could add Orbot traffic channeling for our mobile apps. If performance is an issue, as an option (clearly marked during set up), and if possible - by default.

Facebook offers Orbot channeling, why shouldn't we?

In T168218#3784933, @Pundit wrote:

As discussed before, I think it is worth exploring whether we could add Orbot traffic channeling for our mobile apps. If performance is an issue, as an option (clearly marked during set up), and if possible - by default.

Facebook offers Orbot channeling, why shouldn't we?

That's T163747: Add support for Tor or other proxy support to the Wikipedia Android App.

How is this progressing? Meanwhile TOR moved to new and longer addresses and Riseup just uses the standard ones so I think we should follow their lead and do the same https://riseup.net/en/security/network-security/tor

Is anyone gonna write a grant application before the deadline in march on this?

Additional context on why do we need this.

In the last few days there have been reports that the Russian government is mandating all users to install a government-issued CA. This means that in principle they could impersonate any HTTPS website: Bugzilla Bug #1758773.

Some thoughts I've been brainstorming:

• For read traffic, onion service requests should go through Varnish/frontend caches to maximize caching/perf, as well as DoS prevention
• For write traffic, it should be blocked via TorBlock. So we probably need to set some custom header on the request to flag it as being over the onion service.
  • If someone has IPBE and is allowed to use Tor, then we still need some IP address to log for CheckUser. Maybe we can set some special reserved IP address, which flags CU to just show the IP as "Tor network". Would that be useful even for normal Tor users?
• This seems like something we should be able to deploy using k8s. It really just needs tor (via Debian package), the torrc config, and the private key for the hidden service (provisioned via private puppet)
• Before officially announcing, we should discuss with Tor Project folks if they'd support adding human readable "Onion Names" for us, so you could go to http://en.wikipedia.tor.onion and it sends you to the correct very long onion service domain. https://securedrop.org/news/introducing-onion-names-securedrop/ describes how it works for SecureDrop (currently the only thing using this).

Might be a good idea to do this in stages fwiw — read access first, see how that pans out, given that the primary use case for this is people reading Wikipedia? Plus read access seems Easy and Straightforward™ in comparison to the other bits

IMO it's important we continue to portray Wikipedia as a thing you can edit (despite all the hurdles for Tor users...), so if this is an official service I don't think we should skip editing support, even temporarily.

One other point I forgot to mention earlier, we'll need something to do rewriting of URLs. Originally I had the idea of creating a MediaWiki extension to do that, but now I think it might be simpler if we used something like eotk (https://github.com/alecmuffett/eotk).