Running IPFS under Tor

Now that current IPFS releases can use other nodes to proxy incoming requests, and so can sit behind NAT and firewalls, I wonder if there is a way to run an IPFS node under Tor.

Would “torify” be enough?

No, it wouldn’t alone; you also need to stop listening at all, disable things like AutoNAT and ensure your DNS resolver is the CGO libc one (if something is made with raw Go (Go talking directly to the kernel), torify can’t intercept it; torify only intercepts calls to libc).
And even with that I can’t be totally sure you would be fine; maybe one transport (like QUIC) is not caught by torify (the codebase is huge and you need to check that all network-related parts will not accidentally leak your IP). If you really want to do that you could build a custom IPFS with most of the network stripped away (everything that is not DHT and TCP transport), but even with that you will not be able to listen.

At Berty we are working on a transport aiming to address all of these considerations: go-libp2p-tor-transport :slight_smile:

PS: Our transport is in beta and will not protect your IP (lacking the DNS protection part).

no, something like Skywire or Nym has a tremendous advantage over Tor… The NSA doesn’t see everything in it

Links, @Jeff-Bouchard ? Google is not helpful…

I’m sorry, skycoin dot com/skywire/ Next-generation decentralized Mesh network *runs on low power.

and Nymtech dot net : a layer-1 network mixer, they claim to be NSA-resistant and given the team I believe them.
and the Coin I’m architecting with some of these and more
Best regards!

The NSA doesn’t see anything in Tor. First, Tor isn’t special: it uses well-known crypto, RSA 1024 (older and breakable in human time), but that is only for the last version; newer onion3 uses Ed25519, which is just classical crypto used everywhere (if you have a modern enough browser and website you are very probably using Ed25519 right now to browse it).
Secondly, the codebase is open source and maintained by a lot of random people, not by the NSA anymore.
The last thing is the directory: building a tunnel is not enough, you need people to find your tunnel.
So first you build a tunnel (3 peers hopping your traffic), then through this tunnel you will contact 6 servers hosted by torproject (so yes, that is centralised) and with your Tor website’s key sign a message like this: hey, if you want to contact me, my tunnel ends at: <insert here the list of relays where your tunnel ends>.
And then when someone wants to browse your site he will build a tunnel himself and through this tunnel ask the directory servers: hey, I'm searching for xxx, and the directory servers will respond with something like: I know it, you can find it here: <the list of relays where the website tunnel ends>. Then the client will check if this message is signed (to prove that the directory server hasn’t modified the message) and if it’s fine it will again, through the relays, dial the end point of the website and establish a connection using Ed25519 (so the relays can’t spoof the website).

I2P is a well-established Tor alternative; it works the same but replaces the directory with a DHT (a totally decentralized directory). But it has some flaws: a DHT can be spoofed (using a Sybil attack), so anyone can mute you.

Basically there are 2 protocol exploits with Tor:

  • The directory can know when your website is online or not (which anyone else can also do by just asking the directory servers; it's just easier for them), and the same problem exists on I2P.
  • Directory servers can be programmed to forget some website (someone with access to them can remove listings), which on I2P can be done by anyone (using Sybil attacks).

Yes, Tor is more centralised, but successful Sybil attacks have been logged on I2P; this is not the case for Tor.

To conclude, even if I like I2P more personally, it is slow and has shown more successful attacks than Tor, even if it is fully distributed.
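The directory exchange described in that reply, modelled as an added Go example (not code from the thread, from Tor or from IPFS; a simplified stand-in for Tor's real v3 descriptor format, with constructed relay names): the service signs its relay list with its Ed25519 key, the directory stores it, and the client verifies the signature before dialling, so an edited relay list is detected while a dropped listing only looks like an unknown service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Descriptor models the message a hidden service publishes: "if you want to
// contact me, my tunnel ends at these relays" (simplified, not Tor's real v3 format).
type Descriptor struct {
	Service    ed25519.PublicKey
	Rendezvous []string
}

// SignedDescriptor is what the directory stores; without the service's private key it cannot re-sign it.
type SignedDescriptor struct{ Body, Sig []byte }

// Directory is a toy directory server keyed by the service's public key.
type Directory map[string]SignedDescriptor

// Publish: the service signs its descriptor with its long-term Ed25519 key and uploads it.
func Publish(dir Directory, priv ed25519.PrivateKey, relays []string) {
	pub := priv.Public().(ed25519.PublicKey)
	body, _ := json.Marshal(Descriptor{Service: pub, Rendezvous: relays}) // cannot fail for this struct
	dir[string(pub)] = SignedDescriptor{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Lookup: the client verifies the signature, so an edited relay list is caught; a dropped entry just looks unknown.
func Lookup(dir Directory, pub ed25519.PublicKey) ([]string, error) {
	sd, ok := dir[string(pub)]
	if !ok {
		return nil, errors.New("directory claims not to know this service")
	}
	if !ed25519.Verify(pub, sd.Body, sd.Sig) {
		return nil, errors.New("descriptor signature invalid: modified by the directory or in transit")
	}
	var d Descriptor
	if err := json.Unmarshal(sd.Body, &d); err != nil || !d.Service.Equal(pub) {
		return nil, errors.New("descriptor malformed or issued for another service")
	}
	return d.Rendezvous, nil
}

func main() { // stand-alone demo with constructed relay names
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dir := Directory{}
	Publish(dir, priv, []string{"relay-a.example", "relay-b.example"})
	fmt.Println(Lookup(dir, pub))
}
```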

Hi, sorry for the long delay. I think you’re absolutely correct on all counts except there’s now “large network adversaries”; there’s a very good video here, I shared the relevant time.

It’s by the chief scientist at Nymtech; she rounds it up far better than I could ever hope. But at the end of the day, to each his own.