🌐️ How and why sitoctt on Tor?
By OctoSpacc
Caution
The content of this page has been entirely machine-translated into English from Italian. Therefore, it might contain errors of any kind.
In recent days I have sorted out the first matters regarding making the site available on the Tor network. Some will say I am overdoing it for even thinking of something like this, but there is little that can be done about that.
If nothing has gone wrong, the Onion service can still be reached at this address:
onmfrk2acl4xdeawfjg3nfepq7gcufolctmhiwwxpcknazus5bxzxhqd.onion
sitoctt2fxjvx3lc2iqqef2aeulflprjaasv2xl4zi7sxxbmvjy5b5yd.onion (new aesthetic domain)
The idea - apparently successful - was to use a free PaaS service, Replit, to do everything.
This way, I don’t further burden my improper server. For months now, to be precise since mid-February 2022, I have been using a Switch console as a server for too many things: in addition to the historic SpaccCraft server, I have my own Matrix instance, some Telegram bots (which are perhaps the things that require the least resources), and assorted minor software. Yes, a Nintendo Switch on which I booted Ubuntu...
I won’t go into details, it’s better to do that in a separate article, but in short the reason is that SBCs like the Raspini, to date, due to current world events, have scary costs, and the Switch was the only low-power-consumption computer with enough RAM (4GB) that I already had at home. You have to adapt.
This is also the very first post I write on the postoctt blog. Who knows how it will go and, above all, who knows when it will appear, because I should first fix my static site generator so that it can manage pages like this one which, instead of being common pages, should be treated as subpages of the (autogenerated) “Blog” page.
How?
Let’s go back to the discussion of the postoctt: with Replit, taking as a basis a Repl I found around that demonstrated how to host another type of service on Tor, I built my own Repl. At each new start, it downloads locally everything needed to build and deploy my static site (from my Git repos), prepares everything, and starts an HTTP server and the Tor daemon, which acts as a proxy by exposing the HTTP server to the outside via the Tor network. Then, in an endless loop, it downloads any updates to any of the parts, all through Git, and regenerates the site when necessary.
I leave here the link to a GitLab snippet with my files, for anyone who wants to set up the same service as me for their own website, perhaps built with my very low quality static site generator (low quality at the code level; if it disgusted me on a conceptual or practical level I wouldn’t still be slowly developing it): gitlab.com/-/snippets/2338457.
With free PaaS services like Replit, however, there’s a little problem: there are limits on software execution times. In the case of this platform, everything goes into suspension if the project’s web address does not receive pings for a number of minutes that I haven’t quite figured out. If it receives any later, it wakes up after the time necessary to redo the startup operations.
It’s a shame, however, that, apart from the fact that it would mean making anyone who wants to visit my site wait at least 30 seconds for the first connection to be established, it is the HTTPS address on the Replit domain that must be contacted and, for obvious reasons, not the Tor address. And having people connect via the HTTPS address defeats the purpose of having a Tor site (which I’ll get to shortly, I swear).
The solution would be to use, on a computer that is always on at home, a script or a cronjob (or rather, a systemd timer, given that it is precisely because of systemd that classic cronjobs today are broken and malfunctioning) to continuously ping the address of my site on Replit. I could do it, but I would like to find a way confined to the same free PaaS services to solve the problem, as something like this would mean that even those who don’t have a server at home can do what I did.
Initially I tried with UptimeRobot, but it seems to have a problem: I set everything up in the evening, and the next morning my site was offline.
Searching around, I then found several sites (called “pingers”) that invite you to enter the address of your Replit project so that they ping it continuously and keep it active. I used about 3 at random, which I don’t even remember, and since then the sitoctt doesn’t seem to turn off anymore.
Or, perhaps, the credit goes to the fact that I created a second Replit project, which has the sole purpose of pinging my first one endlessly (while the main one always pings the second one). I don’t know, because the second one seems to always shut down; I don’t know if it’s because it doesn’t have any exposed HTTP server. I have to investigate...
Why?
Let’s immediately get the elephant out of the room (which is already small): the desire to set up a site that contains seriously immoral material (which I differentiate from illegal material per se), which if hosted on the traditional web would be very easy to trace back to its owners with all the consequences of the case, is not the only sensible reason for wanting to use Tor (or any other network based on the same technical principles, but Tor is for better or for worse the most famous and most used).
This site is also on the clear web without problems, that is, it has no problems being there.
Tor provides strong anonymity compared to the unfiltered Internet. The reason why it should be of interest to those who do not traffic in illicit content is quickly explained not with an answer, but with a question: do you happen to want to make known what you do (including visiting a particular website, like my blog) to multi-billion dollar corporations that will give you nothing in return, and that indeed have no scruples about doing everything possible, even to your detriment (tracking), to profit in one way or another?
Do you want your ISP to know about the particular Internet services you contact? Or to have whoever hosts those Internet services identify you (me and my ISP if it’s something hosted in my house, otherwise the particular provider for servers provided by companies, like Replit itself or GitLab.com, where I host the site on the clear web), if you won’t gain anything from it?
For many people, for some reason, this reasoning doesn’t add up, but few care and, although I don’t go to some extremes, I understand the points of view of the few people who want to maintain as much anonymity as possible even when they do moral and legal things online. Accordingly, I agree with and encourage the use of Tor to access the services and content I provide.
Still not convinced? Then listen to this. Tor allows, for example, journalists who live under total or partial censorship regimes to report the truth, whether directly or not. Or, it allows those living in these regimes to inform themselves freely and uninfluenced by government propaganda, and to communicate with other people in other parts of the world.
The real-life principle that it is easier to hide who you are and what you do on an individual level in the midst of a huge crowd, rather than when you are with a few other people, also applies to distributed networks: the more people use them, even for simple web browsing, the safer individual users are. So, by using Tor to surf the web, even if you don’t care about anonymity, you will help those in need.
At least, it will help the users who don’t do anything wrong: the criminals who sell drugs and weapons, or sell photos and videos depicting rape or torture, often let it go to their heads and end up neglecting opsec to such an extent that sooner or later they come to (and I would say that I enjoy this) a more than bad end.
A doubt that may arise for non-super-experts, however, is why it is necessary to also provide the site as an Onion service, given that any content on the normal Internet is still accessible behind Tor, which in that case will work more like a traditional proxy. The problems here, however, are more subtle, and have to do with the nature of the classic Internet infrastructure.
I don’t think I need to explain the problems arising from passing data in unencrypted form via the Internet: information can not only be stolen (which for a public blog is not a big problem), but even modified and presented as if nothing had changed, with disarming ease, by any of the intermediate parties of the connection, for example the ISP of the client or of the server.
HTTPS for websites solves this problem... badly. We don’t talk about it much, but the entire correct functioning of these protection systems depends on a complex global metaphysical infrastructure, which has more flaws than you might think.
Searching on Whoogle, I found this PDF, which more or less gives a quick look at the problems HTTPS suffers from: [Weakest_Link_in_the_Chain.pdf](https://www.accessnow.org/cms/assets/uploads/archive/docs/Weakest_Link_in_the_Chain.pdf).
What is essentially important to say is that the entire current system, based on CAs, consists of trust in an upstream authority. Without going into details, for which I refer you to the PDF, the system is fragile and can be broken, resulting, in rare special cases, in the same problems as non-encrypted connections; indeed, perhaps even worse ones, because the presence of HTTPS can lead us to trust always and in any case: modern web browsers have conditioned us to ask questions only when we see the open padlock or a warning triangle, not when we see the closed shiny green padlock.
When you use Tor to connect to sites on Tor, the connection is not only routed between even more nodes on the network, but the data is encrypted with a public and private key system between the client and the Onion service server: the only weak point in the chain is the server itself, which stores the private key, and there are no other authorities to trust.
The system has problems, I will absolutely not deny it, starting from the fact that if the private key is stolen, the thieves can impersonate the site, and at that point the only thing those who manage it can do is change the key, thus also changing the domain; you cannot go to the CA to revoke the certificate. This is how a system based 100% on mathematics and 0% on trust works.
To tell the truth, I would therefore be making a mistake in using someone else’s machine to host the Tor site… Rough. Alright.
In conclusion
Tor is by no means perfect: it has various types of flaws, generally based on the deanonymisation of users because that is what 3-letter agencies are interested in, but let’s talk about it clearly: it is a step forward towards having more protection, and it is certainly a huge step forward towards data security, in a way that ensures that communication between client and server is only as secure as server and client, without worrying about the minutiae introduced by any third party.
The fact that Tor is financially supported at least in part by the US government however, without going into too much detail, perhaps carries some profound dangerous implications. This is why I want, more or less soon, to give a chance to services similar to Tor but different from it. Lokinet inspires me, to tell the truth, I think it will be the first alternative network I try.