On Thu, Mar 06, 2014 at 02:02:50AM -0600, Cypher wrote:

> I run the public XMPP server at chat.cpunk.us and I'd like to make the
> service also available as a hidden service. I have a few questions:
>
> 1. Let's say my hidden service is xxxcf.onion. What would the users'
> final JID be? Would they still be user@xxxxxxxxxxxxx or would the
> onion address come into play?

Depends. When somebody adds "user@xxxxxxxxxxxxx" into their XMPP client it will do a DNS SRV lookup of "_xmpp-server._tcp.chat.cpunk.us" and currently will receive "chat.cpunk.us" as the response, and so connect to the host "chat.cpunk.us". I think a lot of clients fall back to connecting directly to the A/AAAA record if the SRV record lookup fails.

So you *could* just add an additional higher priority SRV record to chat.cpunk.us containing your onion address. I assume in this situation most clients would try to connect to the .onion address, fail immediately because they're not using Tor, and then fall back to the 2nd SRV record "chat.cpunk.us". However, there are probably many badly written clients out there which will fail in lots of exotic ways.

Allowing people to sign up with "user@xxxxxxxxxxxxx" would help the service work with clients that don't support SRV records. People using Tor wouldn't be able to do SRV lookups anyway as they're not supported by the Tor resolver. It would also prevent DNS spoofing. "user@xxxxxxxxxxxxx" should also help avoid various leaks that clients might have.

> 2. Is it necessary to actually configure a hidden service at all?
> Can't users just point their SOCKS proxy capable XMPP client to the
> server or does going through an onion address provide something else
> in this case that I'm not aware of?

Hidden services offer several benefits. If you're not using a hidden service, your client could accidentally connect to the server outside of Tor. The client might do something "helpful" like fall back to making a direct connection when it can't connect to the configured socks proxy. It prevents DNS spoofing. It prevents malicious exit nodes attempting to discover information about the traffic they're exiting, attempting to perform SSL stripping attacks etc.

> 3. Even though we run a Jingle node and act as a media relay, I assume
> users still will not be able to do voice and video while connected to
> our server over Tor.

If any of this relies on UDP, then no. Even if it's entirely TCP, the latency added by onion routing will probably be too much in most cases. Test it.

> Is that correct? Is there any way to safely offer voice and video to
> Tor connected users?

I don't know.

--
Mike Cardwell
https://grepular.com/
http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
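The SRV-priority idea and the "never fall back to a direct connection" concern discussed in the reply above, as an added illustration that is not part of the original thread: it orders a constructed SRV answer for chat.cpunk.us the way RFC 2782 prescribes and builds a connection plan that a leak-averse client would follow. The .onion name is a placeholder, the record set is constructed, and the A/AAAA fallback port 5269 is an assumption.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample answer for _xmpp-server._tcp.chat.cpunk.us: the existing
# clearnet host plus the higher-priority .onion record the thread proposes
# (placeholder onion name, not a real address).
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=0, port=5269, target="chat.cpunk.us"),
    SrvRecord(priority=5, weight=0, port=5269, target="placeholderonion.onion"),
]

def order_srv(records):
    """RFC 2782 order: lowest priority first, weighted random pick among
    records that share a priority (all-zero weights keep answer order)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = random.randint(0, total)  # 0 when every weight is 0
            running, chosen = 0, group[-1]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered

def is_onion(host):
    return host.lower().endswith(".onion")

def connection_plan(domain, records, via_tor):
    """(host, port, transport) attempts in order. Over Tor: only .onion targets
    via the SOCKS proxy; an empty plan means refuse, never a direct fallback.
    Clearnet: skip .onion targets (they fail without Tor); with no SRV
    records at all, fall back to the domain's A/AAAA record (assumed 5269)."""
    if via_tor:
        return [(r.target, r.port, "socks") for r in order_srv(records) if is_onion(r.target)]
    plan = [(r.target, r.port, "direct") for r in order_srv(records) if not is_onion(r.target)]
    return plan or [(domain, 5269, "direct")]
```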